ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
157s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

1.4MB
MD5

1e56e3201f99af1f63c3b95b6d05d64f
SHA1

f5d32ac198ed52ded940ff5fffb1f513bb2b607f
SHA256

b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666
SHA512

36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83
SSDEEP

24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS

Score

9^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
8516	wevtutil.exe
3888	wevtutil.exe
53128	wevtutil.exe
92752	wevtutil.exe
101364	wevtutil.exe
8	wevtutil.exe
52712	wevtutil.exe
101020	wevtutil.exe
103048	wevtutil.exe
9156	wevtutil.exe
48588	wevtutil.exe
57076	wevtutil.exe
96960	wevtutil.exe
49076	wevtutil.exe
100224	wevtutil.exe
101136	wevtutil.exe
100936	wevtutil.exe
53160	wevtutil.exe
8500	wevtutil.exe
53176	wevtutil.exe
96800	wevtutil.exe
48736	wevtutil.exe
52712	wevtutil.exe
93000	wevtutil.exe
8452	wevtutil.exe
57060	wevtutil.exe
104944	wevtutil.exe
3988	wevtutil.exe
69416	wevtutil.exe
96988	wevtutil.exe
100876	wevtutil.exe
101300	wevtutil.exe
9204	wevtutil.exe
104700	wevtutil.exe
49148	wevtutil.exe
58112	wevtutil.exe
92792	wevtutil.exe
94232	wevtutil.exe
97060	wevtutil.exe
96836	wevtutil.exe
53244	wevtutil.exe
57144	wevtutil.exe
72648	wevtutil.exe
80620	wevtutil.exe
96972	wevtutil.exe
97772	wevtutil.exe
9060	wevtutil.exe
48600	wevtutil.exe
52840	wevtutil.exe
101332	wevtutil.exe
8920	wevtutil.exe
56224	wevtutil.exe
57044	wevtutil.exe
32372	wevtutil.exe
8376	wevtutil.exe
12284	wevtutil.exe
52860	wevtutil.exe
101248	wevtutil.exe
104960	wevtutil.exe
105168	wevtutil.exe
55076	wevtutil.exe
96944	wevtutil.exe
98796	wevtutil.exe
103628	wevtutil.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\logg.bat	svchost.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1144	sc.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4784	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2968	svchost.exe
2968	svchost.exe
2968	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	svchost.exe
Token: SeRestorePrivilege	2968	svchost.exe
Token: SeBackupPrivilege	2968	svchost.exe
Token: SeTakeOwnershipPrivilege	2968	svchost.exe
Token: SeBackupPrivilege	2968	svchost.exe
Token: SeAuditPrivilege	2968	svchost.exe
Token: SeSecurityPrivilege	2968	svchost.exe
Token: SeSecurityPrivilege	5304	wevtutil.exe
Token: SeBackupPrivilege	5304	wevtutil.exe
Token: SeSecurityPrivilege	6780	wevtutil.exe
Token: SeBackupPrivilege	6780	wevtutil.exe
Token: SeSecurityPrivilege	8	wevtutil.exe
Token: SeBackupPrivilege	8	wevtutil.exe
Token: SeBackupPrivilege	6672	vssvc.exe
Token: SeRestorePrivilege	6672	vssvc.exe
Token: SeAuditPrivilege	6672	vssvc.exe
Token: SeSecurityPrivilege	8228	wevtutil.exe
Token: SeBackupPrivilege	8228	wevtutil.exe
Token: SeSecurityPrivilege	8260	wevtutil.exe
Token: SeBackupPrivilege	8260	wevtutil.exe
Token: SeSecurityPrivilege	8316	wevtutil.exe
Token: SeBackupPrivilege	8316	wevtutil.exe
Token: SeSecurityPrivilege	8336	wevtutil.exe
Token: SeBackupPrivilege	8336	wevtutil.exe
Token: SeSecurityPrivilege	8364	wevtutil.exe
Token: SeBackupPrivilege	8364	wevtutil.exe
Token: SeSecurityPrivilege	8384	wevtutil.exe
Token: SeBackupPrivilege	8384	wevtutil.exe
Token: SeSecurityPrivilege	8400	wevtutil.exe
Token: SeBackupPrivilege	8400	wevtutil.exe
Token: SeSecurityPrivilege	8420	wevtutil.exe
Token: SeBackupPrivilege	8420	wevtutil.exe
Token: SeSecurityPrivilege	8436	wevtutil.exe
Token: SeBackupPrivilege	8436	wevtutil.exe
Token: SeSecurityPrivilege	8452	wevtutil.exe
Token: SeBackupPrivilege	8452	wevtutil.exe
Token: SeSecurityPrivilege	8484	wevtutil.exe
Token: SeBackupPrivilege	8484	wevtutil.exe
Token: SeSecurityPrivilege	8500	wevtutil.exe
Token: SeBackupPrivilege	8500	wevtutil.exe
Token: SeSecurityPrivilege	8516	wevtutil.exe
Token: SeBackupPrivilege	8516	wevtutil.exe
Token: SeSecurityPrivilege	8536	wevtutil.exe
Token: SeBackupPrivilege	8536	wevtutil.exe
Token: SeSecurityPrivilege	8552	wevtutil.exe
Token: SeBackupPrivilege	8552	wevtutil.exe
Token: SeSecurityPrivilege	8568	wevtutil.exe
Token: SeBackupPrivilege	8568	wevtutil.exe
Token: SeSecurityPrivilege	8584	wevtutil.exe
Token: SeBackupPrivilege	8584	wevtutil.exe
Token: SeSecurityPrivilege	8600	wevtutil.exe
Token: SeBackupPrivilege	8600	wevtutil.exe
Token: SeSecurityPrivilege	8616	wevtutil.exe
Token: SeBackupPrivilege	8616	wevtutil.exe
Token: SeSecurityPrivilege	8632	wevtutil.exe
Token: SeBackupPrivilege	8632	wevtutil.exe
Token: SeSecurityPrivilege	8648	wevtutil.exe
Token: SeBackupPrivilege	8648	wevtutil.exe
Token: SeSecurityPrivilege	8664	wevtutil.exe
Token: SeBackupPrivilege	8664	wevtutil.exe
Token: SeSecurityPrivilege	8680	wevtutil.exe
Token: SeBackupPrivilege	8680	wevtutil.exe
Token: SeSecurityPrivilege	8696	wevtutil.exe
Token: SeBackupPrivilege	8696	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 1144	2968	svchost.exe	90
PID 2968 wrote to memory of 1144	2968	svchost.exe	90
PID 2968 wrote to memory of 4472	2968	svchost.exe	95
PID 2968 wrote to memory of 4472	2968	svchost.exe	95
PID 4472 wrote to memory of 1868	4472	cmd.exe	97
PID 4472 wrote to memory of 1868	4472	cmd.exe	97
PID 2968 wrote to memory of 4784	2968	svchost.exe	98
PID 2968 wrote to memory of 4784	2968	svchost.exe	98
PID 1868 wrote to memory of 5304	1868	cmd.exe	100
PID 1868 wrote to memory of 5304	1868	cmd.exe	100
PID 4472 wrote to memory of 6780	4472	cmd.exe	101
PID 4472 wrote to memory of 6780	4472	cmd.exe	101
PID 4472 wrote to memory of 8	4472	cmd.exe	103
PID 4472 wrote to memory of 8	4472	cmd.exe	103
PID 4472 wrote to memory of 8228	4472	cmd.exe	104
PID 4472 wrote to memory of 8228	4472	cmd.exe	104
PID 4472 wrote to memory of 8260	4472	cmd.exe	106
PID 4472 wrote to memory of 8260	4472	cmd.exe	106
PID 4472 wrote to memory of 8316	4472	cmd.exe	107
PID 4472 wrote to memory of 8316	4472	cmd.exe	107
PID 4472 wrote to memory of 8336	4472	cmd.exe	108
PID 4472 wrote to memory of 8336	4472	cmd.exe	108
PID 4472 wrote to memory of 8364	4472	cmd.exe	109
PID 4472 wrote to memory of 8364	4472	cmd.exe	109
PID 4472 wrote to memory of 8384	4472	cmd.exe	110
PID 4472 wrote to memory of 8384	4472	cmd.exe	110
PID 4472 wrote to memory of 8400	4472	cmd.exe	111
PID 4472 wrote to memory of 8400	4472	cmd.exe	111
PID 4472 wrote to memory of 8420	4472	cmd.exe	112
PID 4472 wrote to memory of 8420	4472	cmd.exe	112
PID 4472 wrote to memory of 8436	4472	cmd.exe	113
PID 4472 wrote to memory of 8436	4472	cmd.exe	113
PID 4472 wrote to memory of 8452	4472	cmd.exe	114
PID 4472 wrote to memory of 8452	4472	cmd.exe	114
PID 4472 wrote to memory of 8484	4472	cmd.exe	115
PID 4472 wrote to memory of 8484	4472	cmd.exe	115
PID 4472 wrote to memory of 8500	4472	cmd.exe	116
PID 4472 wrote to memory of 8500	4472	cmd.exe	116
PID 4472 wrote to memory of 8516	4472	cmd.exe	117
PID 4472 wrote to memory of 8516	4472	cmd.exe	117
PID 4472 wrote to memory of 8536	4472	cmd.exe	118
PID 4472 wrote to memory of 8536	4472	cmd.exe	118
PID 4472 wrote to memory of 8552	4472	cmd.exe	119
PID 4472 wrote to memory of 8552	4472	cmd.exe	119
PID 4472 wrote to memory of 8568	4472	cmd.exe	120
PID 4472 wrote to memory of 8568	4472	cmd.exe	120
PID 4472 wrote to memory of 8584	4472	cmd.exe	121
PID 4472 wrote to memory of 8584	4472	cmd.exe	121
PID 4472 wrote to memory of 8600	4472	cmd.exe	122
PID 4472 wrote to memory of 8600	4472	cmd.exe	122
PID 4472 wrote to memory of 8616	4472	cmd.exe	123
PID 4472 wrote to memory of 8616	4472	cmd.exe	123
PID 4472 wrote to memory of 8632	4472	cmd.exe	124
PID 4472 wrote to memory of 8632	4472	cmd.exe	124
PID 4472 wrote to memory of 8648	4472	cmd.exe	125
PID 4472 wrote to memory of 8648	4472	cmd.exe	125
PID 4472 wrote to memory of 8664	4472	cmd.exe	126
PID 4472 wrote to memory of 8664	4472	cmd.exe	126
PID 4472 wrote to memory of 8680	4472	cmd.exe	127
PID 4472 wrote to memory of 8680	4472	cmd.exe	127
PID 4472 wrote to memory of 8696	4472	cmd.exe	128
PID 4472 wrote to memory of 8696	4472	cmd.exe	128
PID 4472 wrote to memory of 8712	4472	cmd.exe	129
PID 4472 wrote to memory of 8712	4472	cmd.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\windows\system32\sc.exe
  "C:\windows\system32\sc.exe" create defser binpath= "C:\Users\Admin\AppData\Local\Temp\svchost.exe" start= auto
  2⤵
  - Launches sc.exe
  PID:1144
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "AMSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "AirSpaceChannel"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "FirstUXPerf-Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:8452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "IHM_DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:8500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:8516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Internet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Key"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8616
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceMFT"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationFrameServer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MedaFoundationVideoProc"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MedaFoundationVideoProcD3D"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationAsyncWrapper"
    3⤵
    PID:8712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationContentProtection"
    3⤵
    PID:8728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDS"
    3⤵
    PID:8744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDeviceProxy"
    3⤵
    PID:8760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationMP4"
    3⤵
    PID:8776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationMediaEngine"
    3⤵
    PID:8792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformance"
    3⤵
    PID:8808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformanceCore"
    3⤵
    PID:8824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPipeline"
    3⤵
    PID:8840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPlatform"
    3⤵
    PID:8856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:8872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:8888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:8904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Debug"
    3⤵
    - Clears Windows event logs
    PID:8920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Operational"
    3⤵
    PID:8936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Virtual"
    3⤵
    PID:8952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:8968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:8988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:9008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:9028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:9044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:9060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:9076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:9100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:9116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:9140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    - Clears Windows event logs
    PID:9156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:9172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:9188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    - Clears Windows event logs
    PID:9204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:5304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:3716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:8336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:8164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:8160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    - Clears Windows event logs
    PID:3988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Clears Windows event logs
    PID:8376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:8392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:8432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:8448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:8508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:9680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:10376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:12124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:12236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/EXE"
    3⤵
    PID:12252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/MSI"
    3⤵
    PID:12268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/Packaged"
    3⤵
    PID:12284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/Packaged"
    3⤵
    PID:12124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    PID:12236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:12252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:12268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    - Clears Windows event logs
    PID:12284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:12124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:12236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:12252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:12240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    - Clears Windows event logs
    PID:3888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:12260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:8408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:12132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:12240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:3888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:12260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:16264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:16724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:16740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:28284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:28312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:28328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:28344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:28360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:32308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:36336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:36352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:36368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:36392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:40296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:40440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:45184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:45200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:46744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:47360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:48584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    - Clears Windows event logs
    PID:48600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:48716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:48732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:48752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:48800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:48820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:48840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:48884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:48900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:49060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication"
    3⤵
    - Clears Windows event logs
    PID:49076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:49116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    - Clears Windows event logs
    PID:49148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:46740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    - Clears Windows event logs
    PID:48588
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:48628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:28224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:40288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    PID:36384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    PID:48696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:48600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:48720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    - Clears Windows event logs
    PID:48736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Backup"
    3⤵
    PID:48788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    PID:48752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:48804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:48832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:48856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:2984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:48644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:48640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:48840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker/BitLocker"
    3⤵
    PID:48884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker/BitLocker"
    3⤵
    PID:40404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:44380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:44424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:44440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:48760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    PID:49500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:49684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:50900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:51568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:52036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:52052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:52068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:52084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:52100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Catalog"
    3⤵
    PID:52628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:52644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:52660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:52676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:52692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    - Clears Windows event logs
    PID:52712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:52728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:52744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:52760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    PID:52776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:52796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:52812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:52828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:52844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    - Clears Windows event logs
    PID:52860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:52880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:52896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:52932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    PID:52984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:53048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:53072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:53088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:53104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    - Clears Windows event logs
    PID:53128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:53144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    - Clears Windows event logs
    PID:53160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    - Clears Windows event logs
    PID:53176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:53192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:53208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    PID:53228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    - Clears Windows event logs
    PID:53244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:52100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:52628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:52644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:52660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:52624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:52692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    - Clears Windows event logs
    PID:52712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:52732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:52748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:52820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    - Clears Windows event logs
    PID:52840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:52708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:53360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:53832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:52852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:53472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:54392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:54876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    - Clears Windows event logs
    PID:55076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:55092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:55760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:55776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:56092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    - Clears Windows event logs
    PID:56224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:56240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:56760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:56776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:56792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:56808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:56828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:56848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:56868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:56884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:56900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:56916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:56932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:56948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:56964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:56980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:56996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:57012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:57028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    - Clears Windows event logs
    PID:57044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    - Clears Windows event logs
    PID:57060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    - Clears Windows event logs
    PID:57076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:57092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:57112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:57128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    - Clears Windows event logs
    PID:57144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:57160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    PID:57176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:57192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:57208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    PID:57224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:57240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:57256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:57272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:57288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:57304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    PID:57320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceGuard/Verbose"
    3⤵
    PID:57336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:56244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:56764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
    3⤵
    PID:56788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    - Clears Windows event logs
    PID:58112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    PID:60732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    PID:60748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:60764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:61240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:61256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
    3⤵
    PID:64832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    - Clears Windows event logs
    PID:69416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:72632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    - Clears Windows event logs
    PID:72648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:72672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:75348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:75364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:76636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:76652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    PID:76668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:76684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:76700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:76716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:76740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:76760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:76780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:76796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    - Clears Windows event logs
    PID:80620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:80636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:80860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:80628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:84628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:88704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:91108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:91124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:92736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    - Clears Windows event logs
    PID:92752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:92776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:92788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:92800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:92816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:92832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:92848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:92864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:92880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:92896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:92912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:92928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:92952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:92968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:92984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D12/Analytic"
    3⤵
    - Clears Windows event logs
    PID:93000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D12/Logging"
    3⤵
    PID:93016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D12/PerfTiming"
    3⤵
    PID:93032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D9/Analytic"
    3⤵
    PID:93048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3DShaderCache/Default"
    3⤵
    PID:93064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectComposition/Diagnostic"
    3⤵
    PID:93080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectManipulation/Diagnostic"
    3⤵
    PID:93096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:93112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:93128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:93144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:93160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    - Clears Windows event logs
    PID:32372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:92780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Api/Analytic"
    3⤵
    PID:92796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
    3⤵
    PID:92808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
    3⤵
    PID:92824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Cli/Analytic"
    3⤵
    PID:92836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:92852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:92868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:92888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:92904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dot3MM/Diagnostic"
    3⤵
    PID:92916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:92972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DucUpdateAgent/Operational"
    3⤵
    PID:92988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-API/Diagnostic"
    3⤵
    PID:93076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Core/Diagnostic"
    3⤵
    PID:88676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
    3⤵
    PID:91552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:92792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
    3⤵
    PID:92996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl-Admin"
    3⤵
    PID:93236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl-Operational"
    3⤵
    PID:93480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Contention"
    3⤵
    PID:93784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:94024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    - Clears Windows event logs
    PID:94232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Power"
    3⤵
    PID:94448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:94560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EDP-Application-Learning/Admin"
    3⤵
    PID:94772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
    3⤵
    PID:95156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
    3⤵
    PID:95260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:95612
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ESE/IODiagnose"
    3⤵
    PID:95904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ESE/Operational"
    3⤵
    PID:96128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:96236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:96416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:96748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-RasChap/Operational"
    3⤵
    PID:96764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-RasTls/Operational"
    3⤵
    PID:96784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-Sim/Operational"
    3⤵
    - Clears Windows event logs
    PID:96800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-Ttls/Operational"
    3⤵
    PID:96816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:96832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
    3⤵
    PID:96848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
    3⤵
    PID:96864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
    3⤵
    PID:96880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:96896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:96912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:96928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    - Clears Windows event logs
    PID:96944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    - Clears Windows event logs
    PID:96960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:96976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:96992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:97008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:97024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:97040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FeatureConfiguration/Analytic"
    3⤵
    - Clears Windows event logs
    PID:97060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FeatureConfiguration/Operational"
    3⤵
    PID:97076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
    3⤵
    PID:97092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Catalog/Debug"
    3⤵
    PID:97108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
    3⤵
    PID:97124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
    3⤵
    PID:97140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Core/Analytic"
    3⤵
    PID:97156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Core/Debug"
    3⤵
    PID:97172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Core/WHC"
    3⤵
    PID:97196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Engine/Analytic"
    3⤵
    PID:97216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
    3⤵
    PID:97232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Engine/Debug"
    3⤵
    PID:97252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
    3⤵
    PID:97276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-EventListener/Debug"
    3⤵
    PID:96252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Service/Analytic"
    3⤵
    PID:96424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Service/Debug"
    3⤵
    PID:96752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
    3⤵
    PID:96768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
    3⤵
    PID:96788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:96804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:96824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Folder"
    3⤵
    - Clears Windows event logs
    PID:96836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:96852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:96868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
    3⤵
    PID:96884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GenericRoaming/Admin"
    3⤵
    PID:96900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:96940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:96956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    - Clears Windows event logs
    PID:96972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    - Clears Windows event logs
    PID:96988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:97004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HelloForBusiness/Operational"
    3⤵
    PID:97016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:97208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:96908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:97012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:97484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:97580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    - Clears Windows event logs
    PID:97772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:97876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotspotAuth/Analytic"
    3⤵
    PID:98200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotspotAuth/Operational"
    3⤵
    PID:98216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Log"
    3⤵
    PID:98548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:98564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
    3⤵
    PID:98700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
    3⤵
    - Clears Windows event logs
    PID:98796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
    3⤵
    PID:98816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
    3⤵
    PID:99036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
    3⤵
    PID:98692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
    3⤵
    PID:98824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
    3⤵
    PID:99728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
    3⤵
    PID:99860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:100224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-VID-Admin"
    3⤵
    PID:100412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-VID-Analytic"
    3⤵
    PID:100744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IE-SmartScreen"
    3⤵
    PID:100760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:100780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:100796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-Broker/Analytic"
    3⤵
    PID:100812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-CandidateUI/Analytic"
    3⤵
    PID:100828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
    3⤵
    PID:100844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
    3⤵
    PID:100860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPAPI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:100876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPLMP/Analytic"
    3⤵
    PID:100892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPPRED/Analytic"
    3⤵
    PID:100908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPSetting/Analytic"
    3⤵
    PID:100924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPTIP/Analytic"
    3⤵
    PID:100940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-KRAPI/Analytic"
    3⤵
    PID:100956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-KRTIP/Analytic"
    3⤵
    PID:100972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
    3⤵
    PID:100988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-TCCORE/Analytic"
    3⤵
    PID:101004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-TCTIP/Analytic"
    3⤵
    - Clears Windows event logs
    PID:101020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-TIP/Analytic"
    3⤵
    PID:101036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPNAT/Diagnostic"
    3⤵
    PID:101052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:101072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPxlatCfg/Debug"
    3⤵
    PID:101088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPxlatCfg/Operational"
    3⤵
    PID:101104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IdCtrls/Analytic"
    3⤵
    PID:101120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IdCtrls/Operational"
    3⤵
    - Clears Windows event logs
    PID:101136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
    3⤵
    PID:101152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
    3⤵
    PID:101168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-InputSwitch/Diagnostic"
    3⤵
    PID:101184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:101200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:101216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:101232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    - Clears Windows event logs
    PID:101248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KdsSvc/Operational"
    3⤵
    PID:101264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kerberos/Operational"
    3⤵
    PID:101280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:101300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-AppCompat/General"
    3⤵
    PID:101316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-AppCompat/Performance"
    3⤵
    - Clears Windows event logs
    PID:101332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
    3⤵
    PID:101348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
    3⤵
    PID:101364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
    3⤵
    PID:100228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:100424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Operational"
    3⤵
    PID:100756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:100772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:100792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:100808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:100824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:100840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-IO/Operational"
    3⤵
    PID:100856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
    3⤵
    PID:100872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
    3⤵
    PID:100888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
    3⤵
    - Clears Windows event logs
    PID:100936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-LiveDump/Operational"
    3⤵
    PID:100952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:101124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    - Clears Windows event logs
    PID:101364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
    3⤵
    PID:100804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
    3⤵
    PID:101400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Boot"
    3⤵
    PID:101584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:101784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:102468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Device"
    3⤵
    PID:102604
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Driver"
    3⤵
    PID:102696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Driver"
    3⤵
    PID:102736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:102872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:103048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:103224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:102480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:103524
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:103628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:103784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    PID:103800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:104160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    PID:104292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:103664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:104652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:104668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:104684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    - Clears Windows event logs
    PID:104700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:104716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:104736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:104752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    PID:104768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KeyboardFilter/Admin"
    3⤵
    PID:104784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KeyboardFilter/Operational"
    3⤵
    PID:104800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KeyboardFilter/Performance"
    3⤵
    PID:104816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Known"
    3⤵
    PID:104832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:104848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:104864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:104880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LSA/Performance"
    3⤵
    PID:104912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:104928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    - Clears Windows event logs
    PID:104960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    - Clears Windows event logs
    PID:104944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:104896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:104976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:104992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    PID:105024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LiveId/Analytic"
    3⤵
    PID:105040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:105072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:105104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:105136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    - Clears Windows event logs
    PID:105168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:105200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:105184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:105220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    PID:105268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:105316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:105348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:105412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:105396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Minstore/Debug"
    3⤵
    PID:105444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
    3⤵
    PID:104680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
    3⤵
    PID:104660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
    3⤵
    PID:104644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    PID:105460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:105428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
    3⤵
    PID:105380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:105364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:105332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    PID:105300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    PID:105284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:105252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
    3⤵
    PID:105452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
    3⤵
    PID:105556
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:104676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:105236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:105152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:105120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
    3⤵
    PID:106820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:105088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
    3⤵
    PID:107612
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:105056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mprddm/Operational"
    3⤵
    PID:108632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    PID:105008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:114332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:114516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:124548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:124564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:124580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:124596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:124612
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4784

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\logg.bat

Filesize
50B

MD5
837f9483a4d9fb834d75537beb1c9488

SHA1
7421df5e92fbd2ef04eac5ede4397e4b87a3b7c2

SHA256
ec64e2a730d0e32ff61a98f34ffdda69ea172234f8f432b95766e38c0f898e2d

SHA512
37aa585177f560cd8d7b60303e820a7fa08f1a73d5fb79a6bae1f2c14e11d0f2d573059eb4e5c4bccb5021b336531d1eb3076a357b75a02c56570585a271cc69

Download Submit