ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
140s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

1.4MB
MD5

1e56e3201f99af1f63c3b95b6d05d64f
SHA1

f5d32ac198ed52ded940ff5fffb1f513bb2b607f
SHA256

b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666
SHA512

36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83
SSDEEP

24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS

Score

9^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
9624	wevtutil.exe
10168	wevtutil.exe
14044	wevtutil.exe
10032	wevtutil.exe
9644	wevtutil.exe
11472	wevtutil.exe
9320	wevtutil.exe
7820	wevtutil.exe
5624	wevtutil.exe
9796	wevtutil.exe
10132	wevtutil.exe
13864	wevtutil.exe
8516	wevtutil.exe
9768	wevtutil.exe
5784	wevtutil.exe
9676	wevtutil.exe
7944	wevtutil.exe
5940	wevtutil.exe
13780	wevtutil.exe
10832	wevtutil.exe
7296	wevtutil.exe
5964	wevtutil.exe
10224	wevtutil.exe
6272	wevtutil.exe
5968	wevtutil.exe
15996	wevtutil.exe
9952	wevtutil.exe
10120	wevtutil.exe
11096	wevtutil.exe
15532	wevtutil.exe
8420	wevtutil.exe
6904	wevtutil.exe
5884	wevtutil.exe
6136	wevtutil.exe
5644	wevtutil.exe
9756	wevtutil.exe
9900	wevtutil.exe
5764	wevtutil.exe
5916	wevtutil.exe
13140	wevtutil.exe
8264	wevtutil.exe
7572	wevtutil.exe
7176	wevtutil.exe
9976	wevtutil.exe
9636	wevtutil.exe
9560	wevtutil.exe
9332	wevtutil.exe
8288	wevtutil.exe
7036	wevtutil.exe
10128	wevtutil.exe
9404	wevtutil.exe
9248	wevtutil.exe
6068	wevtutil.exe
9892	wevtutil.exe
13828	wevtutil.exe
8252	wevtutil.exe
8128	wevtutil.exe
7716	wevtutil.exe
6004	wevtutil.exe
6036	wevtutil.exe
10152	wevtutil.exe
6724	wevtutil.exe
13792	wevtutil.exe
7984	wevtutil.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	svchost.exe
File opened (read-only)	\??\f:	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\logg.bat	svchost.exe
File opened for modification	\??\c:\windows\logg.bat	svchost.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2576	sc.exe
2212	sc.exe
133080	sc.exe
133116	sc.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1876	vssadmin.exe
2588	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2736	svchost.exe
2736	svchost.exe
2688	svchost.exe
2688	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	svchost.exe
Token: SeRestorePrivilege	2736	svchost.exe
Token: SeBackupPrivilege	2736	svchost.exe
Token: SeTakeOwnershipPrivilege	2736	svchost.exe
Token: SeBackupPrivilege	2736	svchost.exe
Token: SeAuditPrivilege	2736	svchost.exe
Token: SeSecurityPrivilege	2736	svchost.exe
Token: SeSecurityPrivilege	5572	wevtutil.exe
Token: SeBackupPrivilege	5572	wevtutil.exe
Token: SeBackupPrivilege	5588	vssvc.exe
Token: SeRestorePrivilege	5588	vssvc.exe
Token: SeAuditPrivilege	5588	vssvc.exe
Token: SeSecurityPrivilege	5620	wevtutil.exe
Token: SeBackupPrivilege	5620	wevtutil.exe
Token: SeSecurityPrivilege	5644	wevtutil.exe
Token: SeBackupPrivilege	5644	wevtutil.exe
Token: SeSecurityPrivilege	5688	wevtutil.exe
Token: SeBackupPrivilege	5688	wevtutil.exe
Token: SeSecurityPrivilege	5708	wevtutil.exe
Token: SeBackupPrivilege	5708	wevtutil.exe
Token: SeSecurityPrivilege	5724	wevtutil.exe
Token: SeBackupPrivilege	5724	wevtutil.exe
Token: SeSecurityPrivilege	5736	wevtutil.exe
Token: SeBackupPrivilege	5736	wevtutil.exe
Token: SeSecurityPrivilege	5748	wevtutil.exe
Token: SeBackupPrivilege	5748	wevtutil.exe
Token: SeSecurityPrivilege	5760	wevtutil.exe
Token: SeBackupPrivilege	5760	wevtutil.exe
Token: SeSecurityPrivilege	5772	wevtutil.exe
Token: SeBackupPrivilege	5772	wevtutil.exe
Token: SeSecurityPrivilege	5796	wevtutil.exe
Token: SeBackupPrivilege	5796	wevtutil.exe
Token: SeSecurityPrivilege	5816	wevtutil.exe
Token: SeBackupPrivilege	5816	wevtutil.exe
Token: SeSecurityPrivilege	5828	wevtutil.exe
Token: SeBackupPrivilege	5828	wevtutil.exe
Token: SeSecurityPrivilege	5856	wevtutil.exe
Token: SeBackupPrivilege	5856	wevtutil.exe
Token: SeSecurityPrivilege	5868	wevtutil.exe
Token: SeBackupPrivilege	5868	wevtutil.exe
Token: SeSecurityPrivilege	5888	wevtutil.exe
Token: SeBackupPrivilege	5888	wevtutil.exe
Token: SeSecurityPrivilege	5900	wevtutil.exe
Token: SeBackupPrivilege	5900	wevtutil.exe
Token: SeSecurityPrivilege	5916	wevtutil.exe
Token: SeBackupPrivilege	5916	wevtutil.exe
Token: SeSecurityPrivilege	5928	wevtutil.exe
Token: SeBackupPrivilege	5928	wevtutil.exe
Token: SeSecurityPrivilege	5944	wevtutil.exe
Token: SeBackupPrivilege	5944	wevtutil.exe
Token: SeSecurityPrivilege	5956	wevtutil.exe
Token: SeBackupPrivilege	5956	wevtutil.exe
Token: SeSecurityPrivilege	5968	wevtutil.exe
Token: SeBackupPrivilege	5968	wevtutil.exe
Token: SeSecurityPrivilege	5984	wevtutil.exe
Token: SeBackupPrivilege	5984	wevtutil.exe
Token: SeSecurityPrivilege	6000	wevtutil.exe
Token: SeBackupPrivilege	6000	wevtutil.exe
Token: SeSecurityPrivilege	6012	wevtutil.exe
Token: SeBackupPrivilege	6012	wevtutil.exe
Token: SeSecurityPrivilege	6028	wevtutil.exe
Token: SeBackupPrivilege	6028	wevtutil.exe
Token: SeSecurityPrivilege	6040	wevtutil.exe
Token: SeBackupPrivilege	6040	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2212	2736	svchost.exe	29
PID 2736 wrote to memory of 2212	2736	svchost.exe	29
PID 2736 wrote to memory of 2212	2736	svchost.exe	29
PID 2736 wrote to memory of 2356	2736	svchost.exe	31
PID 2736 wrote to memory of 2356	2736	svchost.exe	31
PID 2736 wrote to memory of 2356	2736	svchost.exe	31
PID 2736 wrote to memory of 1876	2736	svchost.exe	32
PID 2736 wrote to memory of 1876	2736	svchost.exe	32
PID 2736 wrote to memory of 1876	2736	svchost.exe	32
PID 2356 wrote to memory of 5552	2356	cmd.exe	36
PID 2356 wrote to memory of 5552	2356	cmd.exe	36
PID 2356 wrote to memory of 5552	2356	cmd.exe	36
PID 5552 wrote to memory of 5572	5552	cmd.exe	35
PID 5552 wrote to memory of 5572	5552	cmd.exe	35
PID 5552 wrote to memory of 5572	5552	cmd.exe	35
PID 2356 wrote to memory of 5620	2356	cmd.exe	38
PID 2356 wrote to memory of 5620	2356	cmd.exe	38
PID 2356 wrote to memory of 5620	2356	cmd.exe	38
PID 2356 wrote to memory of 5644	2356	cmd.exe	39
PID 2356 wrote to memory of 5644	2356	cmd.exe	39
PID 2356 wrote to memory of 5644	2356	cmd.exe	39
PID 2356 wrote to memory of 5688	2356	cmd.exe	41
PID 2356 wrote to memory of 5688	2356	cmd.exe	41
PID 2356 wrote to memory of 5688	2356	cmd.exe	41
PID 2356 wrote to memory of 5708	2356	cmd.exe	42
PID 2356 wrote to memory of 5708	2356	cmd.exe	42
PID 2356 wrote to memory of 5708	2356	cmd.exe	42
PID 2356 wrote to memory of 5724	2356	cmd.exe	43
PID 2356 wrote to memory of 5724	2356	cmd.exe	43
PID 2356 wrote to memory of 5724	2356	cmd.exe	43
PID 2356 wrote to memory of 5736	2356	cmd.exe	44
PID 2356 wrote to memory of 5736	2356	cmd.exe	44
PID 2356 wrote to memory of 5736	2356	cmd.exe	44
PID 2356 wrote to memory of 5748	2356	cmd.exe	45
PID 2356 wrote to memory of 5748	2356	cmd.exe	45
PID 2356 wrote to memory of 5748	2356	cmd.exe	45
PID 2356 wrote to memory of 5760	2356	cmd.exe	46
PID 2356 wrote to memory of 5760	2356	cmd.exe	46
PID 2356 wrote to memory of 5760	2356	cmd.exe	46
PID 2356 wrote to memory of 5772	2356	cmd.exe	47
PID 2356 wrote to memory of 5772	2356	cmd.exe	47
PID 2356 wrote to memory of 5772	2356	cmd.exe	47
PID 2356 wrote to memory of 5796	2356	cmd.exe	48
PID 2356 wrote to memory of 5796	2356	cmd.exe	48
PID 2356 wrote to memory of 5796	2356	cmd.exe	48
PID 2356 wrote to memory of 5816	2356	cmd.exe	49
PID 2356 wrote to memory of 5816	2356	cmd.exe	49
PID 2356 wrote to memory of 5816	2356	cmd.exe	49
PID 2356 wrote to memory of 5828	2356	cmd.exe	50
PID 2356 wrote to memory of 5828	2356	cmd.exe	50
PID 2356 wrote to memory of 5828	2356	cmd.exe	50
PID 2356 wrote to memory of 5856	2356	cmd.exe	51
PID 2356 wrote to memory of 5856	2356	cmd.exe	51
PID 2356 wrote to memory of 5856	2356	cmd.exe	51
PID 2356 wrote to memory of 5868	2356	cmd.exe	52
PID 2356 wrote to memory of 5868	2356	cmd.exe	52
PID 2356 wrote to memory of 5868	2356	cmd.exe	52
PID 2356 wrote to memory of 5888	2356	cmd.exe	53
PID 2356 wrote to memory of 5888	2356	cmd.exe	53
PID 2356 wrote to memory of 5888	2356	cmd.exe	53
PID 2356 wrote to memory of 5900	2356	cmd.exe	54
PID 2356 wrote to memory of 5900	2356	cmd.exe	54
PID 2356 wrote to memory of 5900	2356	cmd.exe	54
PID 2356 wrote to memory of 5916	2356	cmd.exe	55

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\windows\system32\sc.exe
  "C:\windows\system32\sc.exe" create defser binpath= "C:\Users\Admin\AppData\Local\Temp\svchost.exe" start= auto
  2⤵
  - Launches sc.exe
  PID:2212
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Internet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Key"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Media"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPipeline"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPlatform"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IE/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:5968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:6056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Clears Windows event logs
    PID:6068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:6084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:6096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/EXE"
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/MSI"
    3⤵
    PID:6120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    - Clears Windows event logs
    PID:6136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:5576
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:5552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    - Clears Windows event logs
    PID:5624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:5636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    - Clears Windows event logs
    PID:5644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:5704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:5708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:5728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:5736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:5748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:5780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:5808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:5796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication"
    3⤵
    PID:5816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:5828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Backup"
    3⤵
    PID:5864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:5868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:5892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:5904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:5924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:5932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:5944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:5956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil el
      4⤵
      PID:5992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:5972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:6008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:6020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:6024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:6028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:6044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:6060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:6080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:6092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:6104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:6116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:6128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:6120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:6136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:5572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:5544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:5620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:5648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:5692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:5644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:5704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:5708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:5724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:5756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:5768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:5772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:5812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:5820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:5848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:5816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:5828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:5568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:5560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:5876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    - Clears Windows event logs
    PID:5884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:5908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:5900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    - Clears Windows event logs
    PID:5916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    - Clears Windows event logs
    PID:5940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:5948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:5960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:5980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:5968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:5996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    - Clears Windows event logs
    PID:6004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    - Clears Windows event logs
    PID:6036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:6052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:6040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:6072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:6076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:6084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:6100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:6124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:6140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:5556
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:5880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:5640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:5624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:5636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:5700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:5712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:5732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:5744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:5728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    - Clears Windows event logs
    PID:5784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:5764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:5780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:5800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:5832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:5860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:5872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:5548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:2052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:5856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:5896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:5888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:5912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:5920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:5936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:5952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:5976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:5972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:6008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:6020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:6032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:6028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:6064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:6060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:6068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:6092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:6104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:6116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:6132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:6120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:5596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:5572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:5544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:5620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:5660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:5692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Folder"
    3⤵
    PID:5644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:5740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:5708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:5736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:5748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:5776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:5772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:5796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:5864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:6568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:7812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:8696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    - Clears Windows event logs
    PID:9624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:9636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:9648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:9660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:9672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:9684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:9696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:9708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:9720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:9732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:9744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:9756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:9772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:9784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:9796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:9808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:9820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:9832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:9844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:9856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:9868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:9880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:9892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:9904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:9916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:9928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:9940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:9952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:9964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    - Clears Windows event logs
    PID:9976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:9988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:10000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:10012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:10024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:10036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:10048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:10060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:10072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:10084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Known"
    3⤵
    PID:10096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:10108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:10120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:10132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:10144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:10156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:10168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:10180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:10192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:10204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:10216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:10228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:9620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:5720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:9624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:9636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:9648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:9660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:9672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:9684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:9708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:9696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:9720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:9732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:9744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    - Clears Windows event logs
    PID:9756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:9772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:9784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:9796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:9808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:9820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:9832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:9844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:9856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:9868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:9880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    - Clears Windows event logs
    PID:9892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:9904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:9916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:9928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:9940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:9952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:9964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:9976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:9988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:10000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:10012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:10024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:10036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:10048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:10060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:10072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:10084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:10096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:10108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:10120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:10132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:10144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    PID:10156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:10168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:10180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:10192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:10204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:10236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:8696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:9628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:9640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:9652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:9664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:9676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:9688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:9700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:9712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:9724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:9736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:9748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:9760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:9776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:9788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteApp"
    3⤵
    PID:9800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:9812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:9828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:9836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:9848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:9860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:9872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:9884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    - Clears Windows event logs
    PID:9900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:9908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:9768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:9904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:9916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:9940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:9928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:9952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:9964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:9976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:9988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:10000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:10012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:10024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:10036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:10048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:10060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:10072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:10084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:10096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:10108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:10120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:10132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:10144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:10156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:10168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:10180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:10192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:10204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:10236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:8696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:9628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:9640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:9652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:9664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    - Clears Windows event logs
    PID:9676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:9688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:9700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:9712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:9724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:9736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:9748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:9760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:9776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:9788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:9800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:9812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:9828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:9836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:9848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:9860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:9872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:9884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:9900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:9908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:9768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:9904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:9916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:9928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:9940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:9952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:9964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:9976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:9988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:10000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:10012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:10024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:10036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:10048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:10060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:10116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    - Clears Windows event logs
    PID:10128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:10140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    - Clears Windows event logs
    PID:10152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:10164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:10188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:10176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:10200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:10212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    - Clears Windows event logs
    PID:10224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:10228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:8700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:9632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TunnelDriver"
    3⤵
    - Clears Windows event logs
    PID:9644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:9656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:9668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:9660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:9704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:9692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:9716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:9708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:9740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:9752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:9764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:9780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:10216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:9776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:9788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:9800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:9812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:9828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:9836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:9864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:9876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:9888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:9896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:9912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:9924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:9932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:9956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:9948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:9968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:9980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:9992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:10004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:10020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:10028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:10044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:10052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:10064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:10076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:10092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:10072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:10084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:10096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:10108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:10120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    - Clears Windows event logs
    PID:10132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:10144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:10156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:10168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:10180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:10192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:10204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:10236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:8696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:9628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:9640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:9652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:9664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:9676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:9684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:9700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:9712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:9724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:10176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:11320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    - Clears Windows event logs
    PID:13140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:13632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:13644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:13660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:13672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:13684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:13696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:13708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:13720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:13732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:13744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:13756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    PID:13768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    - Clears Windows event logs
    PID:13780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:13792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:13804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:13816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    - Clears Windows event logs
    PID:13828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:13840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:13852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:13864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:13876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:13888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:13900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:13912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:13924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:13936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:13948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:13960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "OAlerts"
    3⤵
    PID:13972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Security"
    3⤵
    PID:13984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Setup"
    3⤵
    PID:13996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "System"
    3⤵
    PID:14008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:14020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:14032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    - Clears Windows event logs
    PID:14044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:14056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WMPSetup"
    3⤵
    PID:14068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WMPSyncEngine"
    3⤵
    PID:14080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Windows"
    3⤵
    PID:14092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:14104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "muxencode"
    3⤵
    PID:14116
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1876
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" delete defser
  2⤵
  - Launches sc.exe
  PID:133080
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" create defser binpath= "C:\Users\Admin\AppData\Local\Temp\svchost.exe" start= auto
  2⤵
  - Launches sc.exe
  PID:133116
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" start defser
  2⤵
  - Launches sc.exe
  PID:2576

C:\Windows\system32\wevtutil.exe
wevtutil el
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5588

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2688
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil el
    3⤵
    PID:5956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Analytic"
    3⤵
    PID:5760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"
    3⤵
    PID:6004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPipeline"
    3⤵
    PID:5624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:5800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:6236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:6320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:6404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:6476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:6548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:6664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:6760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:6856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:6952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:7052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:7148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:7236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:7524
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:7560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:7668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:7776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:7872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    - Clears Windows event logs
    PID:7984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:8092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:8188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:8384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:8564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:8728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:8800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:8896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:9004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:9160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:9224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:9296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:9380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:9428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:9512
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:9596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:9824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:9908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:10032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:10140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:9628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:10272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:10348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:10436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:10484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:10532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:10592
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:10640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:10664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:10760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    - Clears Windows event logs
    PID:10832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:10928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:11012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:11096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:11216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:11252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:11360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:11372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:11412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:11496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:12228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Render"
    3⤵
    - Clears Windows event logs
    PID:15532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:15556
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:15584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:15632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:15620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:15652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:15720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:15732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:15744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:15756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:15788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:15820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:15832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:15856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:15880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:15920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:15932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:16008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:16040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "OAlerts"
    3⤵
    PID:16060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Security"
    3⤵
    PID:16072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Setup"
    3⤵
    PID:16084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "System"
    3⤵
    PID:16104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:16120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:16156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WMPSyncEngine"
    3⤵
    PID:16188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:16216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Windows"
    3⤵
    PID:16204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WMPSetup"
    3⤵
    PID:16168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:16144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:16132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:16028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:15996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:15984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:15972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:15944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:15900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:15868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:15844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    PID:15800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:15776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:15708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:15696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:15684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:15672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:15608
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:15596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:15572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:15544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:15036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:11484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:11472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:11460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:11448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:11436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:11424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:11400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:11348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:11288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:11240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "muxencode"
    3⤵
    PID:16236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:11180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:11144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:11132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:11120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:11108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:11084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:11072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:11060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:11048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:11036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:11024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:11000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:10988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:10976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:10964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:10952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:10940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:10916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:10904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:10892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:10880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:10868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:10856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:10844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:10820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:10808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:10796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:10784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:10772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:10748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:10736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:10724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:10712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:10700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:10688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:10676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:10652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:10628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:10616
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:10604
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:10580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:10568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:10556
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:10544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:10520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:10508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:10496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:10472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:10460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:10448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:10416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:9720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:9672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:9680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:9652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:9640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:8696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:10236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:10204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:10192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:10180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:10168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:10156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:10172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:10164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:10148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:10128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:10116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:10104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:10048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:10080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:10024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:10056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:10000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:9976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:9964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:9952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:9984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:9928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:9960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:9904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:9768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:9892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:9884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:9872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:9860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:9844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:9832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:9820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:9796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:9804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:9772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:9760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:9748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:9732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:9608
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:9584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:9572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    - Clears Windows event logs
    PID:9560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:9548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:9536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:9524
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:9500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:9488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:9476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:9464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:9452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteApp"
    3⤵
    PID:9440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:9416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    - Clears Windows event logs
    PID:9404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:9392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:9368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:9356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:9344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    - Clears Windows event logs
    PID:9332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    - Clears Windows event logs
    PID:9320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:9308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:9284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:9272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:9260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    - Clears Windows event logs
    PID:9248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:9236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:7816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:9208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    PID:9196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:9184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:9172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:9148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:9136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:9124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:9112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:9100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:9088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:9076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:9064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:9052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:9040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:9028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:9016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:8992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:8980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:8968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:8956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:8944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:8932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:8920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:8908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:8884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:8872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:8860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:8848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:8836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:8824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:8812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:8788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:8776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:8764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:8752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:8740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:8716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:8704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:8684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:8672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:8660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:8648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:8636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:8624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:8612
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:8600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:8588
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:8576
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:8552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:8540
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:8528
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    - Clears Windows event logs
    PID:8516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:8504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Known"
    3⤵
    PID:8492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:8480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:8468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:8456
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:8444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:8432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    - Clears Windows event logs
    PID:8420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:8408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:8396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:8372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:8360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:8348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:8336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:8324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:8312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:8300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    - Clears Windows event logs
    PID:8288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:8276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    - Clears Windows event logs
    PID:8264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    - Clears Windows event logs
    PID:8252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:8240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:8228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:8216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:8204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:6568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:8176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:8164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:8152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:8140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    - Clears Windows event logs
    PID:8128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:8116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:8104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:8080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:8068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:8056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:8044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:8032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:8020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:8008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:7996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:7968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:7956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HAL/Debug"
    3⤵
    - Clears Windows event logs
    PID:7944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:7932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:7920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:7908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:7896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Folder"
    3⤵
    PID:7884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:7856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:7844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:7832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:7820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:7800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:7788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:7764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:7752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:7740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:7728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    - Clears Windows event logs
    PID:7716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:7704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:7692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:7680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:7656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:7644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:7632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:7620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:7608
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:7596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:7584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:7572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:7548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:7536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:7512
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:7500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:7488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:7476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:7464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:7452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:7440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:7428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:7416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:7404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:7392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:7380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:7368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:7356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:7344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:7332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:7320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:7308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    - Clears Windows event logs
    PID:7296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:7284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:7272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:7260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:7248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:7224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:7212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:7200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:7188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    - Clears Windows event logs
    PID:7176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:6188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:7160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:7136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:7124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:7112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:7100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:7088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:7076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:7064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    - Clears Windows event logs
    PID:7036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:7024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:7012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:7000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:6988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:6976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:6964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:6940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:6928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:6916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    - Clears Windows event logs
    PID:6904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:6892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:6880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:6868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:6844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:6832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:6820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:6808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:6796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:6784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:6772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:6748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:6736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    - Clears Windows event logs
    PID:6724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:6712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:6700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:6688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:6676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:6652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:6640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:6628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:6616
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:6604
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:6592
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:6580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:6560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:6536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:6524
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:6512
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:6500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:6488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:6464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:6452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:6440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:6428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Backup"
    3⤵
    PID:6416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication"
    3⤵
    PID:6392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:6380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:6368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:6356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:6344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:6332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:6308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:6296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:6284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    - Clears Windows event logs
    PID:6272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:6260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:6248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:6224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/MSI"
    3⤵
    PID:6212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/EXE"
    3⤵
    PID:6200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:6184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:6172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:6160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:6148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:5780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Clears Windows event logs
    PID:5764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:5784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:5728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:5744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:5732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:5716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:5700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPlatform"
    3⤵
    PID:5636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformance"
    3⤵
    PID:5640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDeviceProxy"
    3⤵
    PID:5880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Media"
    3⤵
    PID:5556
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:6140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Key"
    3⤵
    PID:6124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Internet"
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"
    3⤵
    PID:6100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "ForwardedEvents"
    3⤵
    PID:6084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "EndpointMapper"
    3⤵
    PID:6076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Els_Hyphenation/Analytic"
    3⤵
    PID:6072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowPluginControl"
    3⤵
    PID:6040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowFilterGraph"
    3⤵
    PID:6052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DebugChannel"
    3⤵
    PID:6036
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\res\st

Filesize
14B

MD5
f4bfd795a8c2874236f751664437aec0

SHA1
cf985b4afeb3743128020a72868683cbb2673064

SHA256
6457e01a13a6b6319578322a1c67b19e82054474108f5bbebc9805068bfb8b81

SHA512
4268acdc55c4f6119bd0935858b9f3ca6e9163a2898c52dccdd261091f052bb80a3bebb09c7cadbe84a05c70f3fd3cc8a9adeb41c6663ebbc824e79834cab55e

Download Submit
F:\Ranger3X\34236465692o

Filesize
2KB

MD5
e337a2a2f5d64648de80bce3743c32c0

SHA1
d2f99dfa0cb678d40d023753dba42ad534d4b033

SHA256
f00500508b2860ca2b80a4063b0c2c2b875b38bc07e9c476152944d483275741

SHA512
4c4e971e2a4086534da764e47ddd91c5d54c0fad340182a1f588c0ce9702d3cac3e535ed46ef64a9bd8b3f3e8cc06395f0875b90e0749d5dfdee36374c7080ec

Download Submit
F:\Ranger3X\34236465692o

Filesize
4KB

MD5
1846b848ca32cac6005348e7a8a281c8

SHA1
61b3459b28e24dc6feb07e066464a6a946d74340

SHA256
bfaf048f90f3d4617d4f8a514fb59507fda90033df53760c0b0453d4915e9f49

SHA512
647176a4bd3d315c644a3e971ae6fe93e07ac5119c30dd36a427876f2d847fbf053479aab680bffdc84c66bcbcbccf68871249817d7d04e1da69e3498155fb16

Download Submit
F:\Ranger3X\63957273651s

Filesize
2KB

MD5
269c7fc83692684e9fd8aa2ced223782

SHA1
caf4eb946f5d59239569fd2f7d6a50f1951b7e7b

SHA256
b226555e7e91096f5c8425f36f00be73ae083a8f9b8f6751ae3e4f3ca02a32a9

SHA512
8449ca1cc44c4c147ec48b60d452cea4e6a2db3c68229783cd06611869567fd874931801a1c3cd9f6e1e3952a1179885eb4d91172c20d6052b65b174ba68642d

Download Submit
\??\c:\programdata\res\hds

Filesize
20B

MD5
34269f11bb2c1d526c8da952e908651f

SHA1
107c32581b2cfae43bc2b2abda092b808fe980dc

SHA256
8ef443963e1f0a488a883d9381d7c38fd7c827cef250e4d0a06b3627603003f3

SHA512
aa81a53a9651fefa4c6d43099a047143f386d3d4954606dd1462b4a6e7f8142ff59810e89b1cc2880621e2716d5a1bfeabd99346b0d23a41b4023d892b513961

Download Submit
\??\c:\users\admin\appdata\local\temp\mscore.dll

Filesize
546B

MD5
bce2efcaa19ff2510bc1b4297a1b0914

SHA1
28e1487bdd0fb63d32e6f6f228607ad5f97e2ef2

SHA256
fa12127642d495d5eaa12ab3ffc8f7ec21d67f69ee675e6a5f007a1e0b5d6408

SHA512
9850dcb8096722918bca907a6d6f4e0c5d8075ccf9124a578ccfc2445dfcc6d395f127f56e0ceaae4e8e4c68b7de17ee06c128f11fa7a7a17915b12ce5325f4c

Download Submit
\??\c:\windows\logg.bat

Filesize
50B

MD5
837f9483a4d9fb834d75537beb1c9488

SHA1
7421df5e92fbd2ef04eac5ede4397e4b87a3b7c2

SHA256
ec64e2a730d0e32ff61a98f34ffdda69ea172234f8f432b95766e38c0f898e2d

SHA512
37aa585177f560cd8d7b60303e820a7fa08f1a73d5fb79a6bae1f2c14e11d0f2d573059eb4e5c4bccb5021b336531d1eb3076a357b75a02c56570585a271cc69

Download Submit