44ee695b532eb984e46de29569ce35854b37d409efaabb6bcf9f5316e2b0546d

Resubmissions

18-04-2024 18:50

240418-xha8wabh29 10

01-01-2024 15:12

240101-slnwxsfeh4 10

Analysis

max time kernel
80s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
Size

4.8MB
MD5

5a3c5576c359ce4f40b3274209db2e76
SHA1

8d38f1c0953013d623bea6d6f6f47d5a0c7027f9
SHA256

5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7
SHA512

a9780e15702531d22a7088bb1de49c083499244819732f07c7a1c22bea00aa3592231766adae42ea8f980896a659a46a51a58e4e366a35e327f9d788ff88e5eb
SSDEEP

49152:Dc2Ee3ScTnrb/T5vO90dL3BmAFd4A64nsfJG0CJZGSUeU/o/ZsPfNW7Ew5EzUgr0:73l8ZSUOyaEUVHB72INLu6SZJZ

Score

9^/10

evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
4412	wevtutil.exe
2868	wevtutil.exe
2960	wevtutil.exe
3104	wevtutil.exe
824	wevtutil.exe
5024	wevtutil.exe
4548	wevtutil.exe
4648
2792
308
1656	wevtutil.exe
2056	wevtutil.exe
2584
2448
3320	wevtutil.exe
2896	wevtutil.exe
4784	wevtutil.exe
4788
2288	wevtutil.exe
4008	wevtutil.exe
3868
2980	wevtutil.exe
1328	wevtutil.exe
1712	wevtutil.exe
5104
3304	wevtutil.exe
1372	wevtutil.exe
4648	wevtutil.exe
3092	wevtutil.exe
1944	wevtutil.exe
628	wevtutil.exe
1328	wevtutil.exe
4668
4012	wevtutil.exe
4112	wevtutil.exe
3576	wevtutil.exe
3692	wevtutil.exe
4504	wevtutil.exe
4612	wevtutil.exe
5024	wevtutil.exe
2864
3120
4776
4468
1008	wevtutil.exe
4660	wevtutil.exe
3640	wevtutil.exe
3640	wevtutil.exe
3560	wevtutil.exe
4920
4896	wevtutil.exe
2812	wevtutil.exe
3640	wevtutil.exe
3060
4436	wevtutil.exe
3832	wevtutil.exe
5076	wevtutil.exe
3636
2996	wevtutil.exe
4120	wevtutil.exe
3104	wevtutil.exe
2116	wevtutil.exe
3092	wevtutil.exe
4008

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1972	sc.exe
876	sc.exe
2044	sc.exe
4644	sc.exe
2968	sc.exe
1792	sc.exe
4064	sc.exe
2720	sc.exe
1944	sc.exe
2408	sc.exe
2948	sc.exe
4652	sc.exe
1944	sc.exe
3640	sc.exe
692	sc.exe
4792	sc.exe
1424	sc.exe
1816	sc.exe
1772	sc.exe
1672	sc.exe
2044	sc.exe
4844	sc.exe
4612	sc.exe
1460	sc.exe
2984	sc.exe
2340	sc.exe
2708	sc.exe
2008	sc.exe
1600	sc.exe
2448	sc.exe
3540	sc.exe
3692	sc.exe
2984	sc.exe
3184	sc.exe
1424	sc.exe
5104	sc.exe
2396	sc.exe
2980	sc.exe
3096	sc.exe
2132	sc.exe
1660	sc.exe
3100	sc.exe
2128	sc.exe
4924	sc.exe
3940	sc.exe
3956	sc.exe
4008	sc.exe
2396	sc.exe
2124	sc.exe
4988	sc.exe
968	sc.exe
304	sc.exe
1008	sc.exe
1476	sc.exe
2228	sc.exe
3640	sc.exe
284	sc.exe
1808	sc.exe
2448	sc.exe
216	sc.exe
4476	sc.exe
3884	sc.exe
3660	sc.exe
4540	sc.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3092 timeout.exe
2896 timeout.exe

pid	process
3092	timeout.exe
2896	timeout.exe

Interacts with shadow copies 2 TTPs 12 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
4824	vssadmin.exe
2972	vssadmin.exe
2804	vssadmin.exe
2496	vssadmin.exe
792	vssadmin.exe
1772	vssadmin.exe
4328	vssadmin.exe
3560	vssadmin.exe
2816	vssadmin.exe
1972	vssadmin.exe
1816	vssadmin.exe
1948	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe

pid process

1604 5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

pid	process
1604	5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe

C:\Users\Admin\AppData\Local\Temp\5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe
"C:\Users\Admin\AppData\Local\Temp\5994300c1c7d099bec13d2a6aec942a6a866966e9545773d3fbe26cc5e308da7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3816

C:\Windows\system32\sc.exe
sc start vss
1⤵
PID:3136

C:\Windows\system32\timeout.exe
timeout /T 5
1⤵
- Delays execution with timeout.exe
PID:3092

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\u.bat"
1⤵
PID:2516
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:792
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2816
- C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:1972
- C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1772
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4328
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:3560
- C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=F: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:4824
- C:\Windows\system32\vssadmin.exe
  vssadmin resize shadowstorage /for=F: /on=F: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:2972
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=401MB
  2⤵
  - Interacts with shadow copies
  PID:2804
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe resize shadowstorage /for=F: /on=F: /maxsize=unbounded
  2⤵
  - Interacts with shadow copies
  PID:1816
- C:\Windows\system32\vssadmin.exe
  vssadmin Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:2496
- C:\Windows\System32\vssadmin.exe
  C:\Windows\System32\vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:1948
- C:\Windows\system32\sc.exe
  sc stop VSS
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c WEVTUTIL EL
  2⤵
  PID:2808
- - C:\Windows\system32\wevtutil.exe
    WEVTUTIL EL
    3⤵
    PID:3172
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "AMSI/Debug"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "AirSpaceChannel"
  2⤵
  PID:2056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Analytic"
  2⤵
  PID:4588
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Application"
  2⤵
  PID:276
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "DirectShowFilterGraph"
  2⤵
  - Clears Windows event logs
  PID:1008
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Els_Hyphenation/Analytic"
  2⤵
  PID:2796
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "FirstUXPerf-Analytic"
  2⤵
  PID:292
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "ForwardedEvents"
  2⤵
  PID:5080
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "HardwareEvents"
  2⤵
  PID:3168
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "General Logging"
  2⤵
  PID:2684
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS-GPIO/Analytic"
  2⤵
  PID:1812
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS-I2C/Analytic"
  2⤵
  PID:2408
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Debug"
  2⤵
  PID:4012
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Internet Explorer"
  2⤵
  PID:3412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS2-I2C/Performance"
  2⤵
  PID:3576
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Key Management Service"
  2⤵
  PID:2868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MF_MediaFoundationDeviceMFT"
  2⤵
  PID:4408
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MedaFoundationVideoProc"
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationAsyncWrapper"
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationContentProtection"
  2⤵
  PID:1656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationDeviceProxy"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationPerformance"
  2⤵
  PID:2292
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationPerformanceCore"
  2⤵
  PID:2568
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client-Streamingux/Debug"
  2⤵
  PID:2056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client/Admin"
  2⤵
  PID:1656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationSrcPrefetch"
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationPlatform"
  2⤵
  PID:276
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationPipeline"
  2⤵
  PID:3844
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client/Debug"
  2⤵
  PID:428
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client/Operational"
  2⤵
  PID:2796
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-Client/Virtual Applications"
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Admin"
  2⤵
  PID:2344
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-AppV-SharedPerformance/Analytic"
  2⤵
  PID:2868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationMediaEngine"
  2⤵
  PID:3868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationMP4"
  2⤵
  PID:2684
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MediaFoundationDS"
  2⤵
  PID:296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MedaFoundationVideoProcD3D"
  2⤵
  PID:1540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MF_MediaFoundationFrameServer"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "MF_MediaFoundationDeviceProxy"
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-OneCore-Setup/Analytic"
  2⤵
  PID:5000
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-JSDumpHeap/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:4012
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-PerfTrack-IEFRAME/Diagnostic"
  2⤵
  PID:3432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-Admin/Debug"
  2⤵
  PID:296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-PerfTrack-MSHTML/Diagnostic"
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Operational"
  2⤵
  PID:3412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-Agent Driver/Debug"
  2⤵
  PID:2864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-IEFRAME/Diagnostic"
  2⤵
  PID:1188
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-IE/Diagnostic"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Diagnostic"
  2⤵
  PID:4368
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Client-Licensing-Platform/Debug"
  2⤵
  PID:2532
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS2-I2C/Debug"
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Intel-iaLPSS2-GPIO2/Performance"
  2⤵
  - Clears Windows event logs
  PID:1656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "IHM_DebugChannel"
  2⤵
  PID:2128
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "EndpointMapper"
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "DirectShowPluginControl"
  2⤵
  PID:1656
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Analytic"
  2⤵
  PID:4788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Operational"
  2⤵
  PID:4084
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-App Agent/Debug"
  2⤵
  PID:2116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-IPC/Operational"
  2⤵
  PID:3412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
  2⤵
  PID:4040
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
  2⤵
  PID:1864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
  2⤵
  PID:3192
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AAD/Analytic"
  2⤵
  PID:3088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AAD/Operational"
  2⤵
  PID:4664
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ADSI/Debug"
  2⤵
  PID:4700
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ASN1/Operational"
  2⤵
  PID:3788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ATAPort/SATA-LPM"
  2⤵
  PID:3296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-All-User-Install-Agent/Admin"
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AllJoyn/Debug"
  2⤵
  - Clears Windows event logs
  PID:4412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AllJoyn/Operational"
  2⤵
  PID:2708
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ActionQueue/Analytic"
  2⤵
  PID:2684
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppHost/Admin"
  2⤵
  PID:5116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ATAPort/General"
  2⤵
  PID:4236
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppHost/Diagnostic"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppID/Operational"
  2⤵
  PID:2968
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppHost/Internal"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppHost/ApplicationTracing"
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppLocker/EXE and DLL"
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppLocker/MSI and Script"
  2⤵
  PID:2664
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Deployment"
  2⤵
  PID:3168
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppLocker/Packaged app-Execution"
  2⤵
  PID:4508
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Admin"
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Debug"
  2⤵
  PID:3172
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-State/Debug"
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-State/Diagnostic"
  2⤵
  PID:1264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppReadiness/Admin"
  2⤵
  - Clears Windows event logs
  PID:2996
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppReadiness/Debug"
  2⤵
  - Clears Windows event logs
  PID:2056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppReadiness/Operational"
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppSruProv"
  2⤵
  PID:3724
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Operational"
  2⤵
  PID:2732
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeployment/Diagnostic"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Diagnostics"
  2⤵
  PID:292
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
  2⤵
  PID:4700
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Operational"
  2⤵
  PID:3692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Debug"
  2⤵
  - Clears Windows event logs
  PID:4120
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppModel-Runtime/Analytic"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppXDeploymentServer/Restricted"
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Analytic"
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ApplicabilityEngine/Operational"
  2⤵
  - Clears Windows event logs
  PID:4112
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Admin"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Analytic"
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Operational"
  2⤵
  PID:2588
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application Server-Applications/Debug"
  2⤵
  PID:2832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
  2⤵
  PID:1936
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
  2⤵
  PID:2840
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
  2⤵
  PID:3716
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
  2⤵
  PID:412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Inventory"
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Program-Telemetry"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Application-Experience/Steps-Recorder"
  2⤵
  PID:4624
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Debug"
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Operational"
  2⤵
  - Clears Windows event logs
  PID:2868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AppxPackaging/Performance"
  2⤵
  PID:4132
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Admin"
  2⤵
  PID:3612
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AssignedAccess/Operational"
  2⤵
  PID:1864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Admin"
  2⤵
  - Clears Windows event logs
  PID:3092
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AsynchronousCausality/Causality"
  2⤵
  PID:1868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/CaptureMonitor"
  2⤵
  - Clears Windows event logs
  PID:3104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/GlitchDetection"
  2⤵
  PID:4112
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/Informational"
  2⤵
  PID:412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/Operational"
  2⤵
  PID:1372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/Performance"
  2⤵
  PID:4216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audio/PlaybackManager"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication User Interface/Operational"
  2⤵
  PID:3528
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Audit/Analytic"
  2⤵
  PID:3172
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
  2⤵
  PID:4652
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
  2⤵
  PID:2816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/HCI"
  2⤵
  PID:3844
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
  2⤵
  PID:436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
  2⤵
  PID:5116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
  2⤵
  PID:1344
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
  2⤵
  PID:2708
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Biometrics/Analytic"
  2⤵
  PID:4056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Biometrics/Operational"
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
  2⤵
  - Clears Windows event logs
  PID:3576
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
  2⤵
  PID:4444
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
  2⤵
  PID:1100
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Operational"
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bits-Client/Analytic"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bits-Client/Operational"
  2⤵
  PID:1372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
  2⤵
  PID:3940
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
  2⤵
  PID:3312
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bluetooth-Bthmini/Operational"
  2⤵
  PID:1972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker/Tracing"
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Bluetooth-Policy/Operational"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCache/Operational"
  2⤵
  PID:2832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Operational"
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CAPI2/Operational"
  2⤵
  PID:2588
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/ApartmentInitialize"
  2⤵
  PID:4068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CertPoleEng/Operational"
  2⤵
  PID:4832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
  2⤵
  PID:956
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
  2⤵
  PID:3060
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COMRuntime/Tracing"
  2⤵
  - Clears Windows event logs
  PID:2116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COMRuntime/MessageProcessing"
  2⤵
  - Clears Windows event logs
  PID:2288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Cleanmgr/Diagnostic"
  2⤵
  PID:1692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COMRuntime/Activations"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CloudStore/Debug"
  2⤵
  PID:968
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CloudStore/Operational"
  2⤵
  - Clears Windows event logs
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Operational"
  2⤵
  PID:1264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CodeIntegrity/Verbose"
  2⤵
  PID:3104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Operational"
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Compat-Appraiser/Analytic"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Operational"
  2⤵
  PID:4268
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Debug"
  2⤵
  PID:2144
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-Wcifs/Operational"
  2⤵
  PID:3868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Operational"
  2⤵
  PID:1324
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-Wcnfs/Debug"
  2⤵
  PID:2924
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreApplication/Operational"
  2⤵
  PID:3508
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreApplication/Diagnostic"
  2⤵
  PID:4924
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Containers-BindFlt/Debug"
  2⤵
  PID:3000
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreApplication/Tracing"
  2⤵
  PID:3636
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
  2⤵
  PID:3620
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreWindow/Analytic"
  2⤵
  PID:3136
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
  2⤵
  PID:2228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
  2⤵
  PID:284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crashdump/Operational"
  2⤵
  PID:4008
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Operational"
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-NCrypt/Operational"
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-RSAEnh/Analytic"
  2⤵
  PID:3640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Operational"
  2⤵
  PID:3100
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DAMM/Diagnostic"
  2⤵
  PID:1660
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DDisplay/Logging"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DNS-Client/Operational"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DSC/Admin"
  2⤵
  PID:2808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DLNA-Namespace/Analytic"
  2⤵
  - Clears Windows event logs
  PID:2980
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DDisplay/Analytic"
  2⤵
  PID:4648
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DCLocator/Debug"
  2⤵
  PID:1500
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DSC/Analytic"
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DSC/Operational"
  2⤵
  PID:292
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DSC/Debug"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DAL-Provider/Analytic"
  2⤵
  - Clears Windows event logs
  PID:4896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-D3D10Level9/PerfTiming"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-D3D10Level9/Analytic"
  2⤵
  PID:2052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DUI/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:3692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DXGI/Analytic"
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Data-Pdf/Debug"
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/Admin"
  2⤵
  PID:4140
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DXP/Analytic"
  2⤵
  PID:1608
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DXGI/Logging"
  2⤵
  PID:3452
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DUSER/Diagnostic"
  2⤵
  PID:1468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-RNG/Analytic"
  2⤵
  PID:864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-DSSEnh/Analytic"
  2⤵
  PID:1744
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/Debug"
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
  2⤵
  PID:428
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-CNG/Analytic"
  2⤵
  PID:1860
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Crypto-BCRYPT/Analytic"
  2⤵
  PID:4272
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CredUI/Diagnostic"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreWindow/Debug"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
  2⤵
  PID:4876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ComDlg32/Debug"
  2⤵
  PID:2276
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ComDlg32/Analytic"
  2⤵
  PID:5116
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CmiSetup/Analytic"
  2⤵
  PID:4784
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/RundownInstrumentation"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/FreeUnusedLibrary"
  2⤵
  PID:5036
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/ExtensionCatalog"
  2⤵
  - Clears Windows event logs
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/CreateInstance"
  2⤵
  PID:2840
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/Call"
  2⤵
  PID:4412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/ApartmentUninitialize"
  2⤵
  PID:1704
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-COM/Analytic"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CDROM/Operational"
  2⤵
  PID:4584
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-CAPI2/Catalog Database Debug"
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheSMB/Analytic"
  2⤵
  PID:952
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheMonitoring/Analytic"
  2⤵
  PID:2856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
  2⤵
  PID:3176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BitLocker/BitLocker Management"
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Battery/Diagnostic"
  2⤵
  PID:3508
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Backup"
  2⤵
  PID:2804
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
  2⤵
  PID:3716
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BTH-BTHUSB/Performance"
  2⤵
  PID:380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-BTH-BTHPORT/L2CAP"
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AxInstallService/Log"
  2⤵
  PID:4832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication/ProtectedUser-Client"
  2⤵
  PID:284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
  2⤵
  - Clears Windows event logs
  PID:3320
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-AssignedAccessBroker/Operational"
  2⤵
  PID:2816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
  2⤵
  PID:4624
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Debug"
  2⤵
  PID:3212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Operational"
  2⤵
  PID:852
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DateTimeControlPanel/Analytic"
  2⤵
  PID:2452
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Deduplication/Diagnostic"
  2⤵
  PID:3636
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Deduplication/Operational"
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Deduplication/Scrubbing"
  2⤵
  PID:2228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Defrag-Core/Debug"
  2⤵
  PID:284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:1372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceConfidence/Analytic"
  2⤵
  PID:428
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Operational"
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceGuard/Verbose"
  2⤵
  PID:4776
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Admin"
  2⤵
  PID:4612
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Operational"
  2⤵
  PID:964
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSync/Operational"
  2⤵
  PID:2060
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSync/Analytic"
  2⤵
  PID:2756
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Debug"
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceSetupManager/Analytic"
  2⤵
  PID:4864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceUpdateAgent/Operational"
  2⤵
  PID:4976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceUx/Informational"
  2⤵
  - Clears Windows event logs
  PID:1328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Devices-Background/Operational"
  2⤵
  PID:2840
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceUx/Performance"
  2⤵
  PID:4548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dhcp-Client/Admin"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dhcpv6-Client/Admin"
  2⤵
  PID:3412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DiagCpl/Debug"
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Debug"
  2⤵
  PID:3992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Operational"
  2⤵
  - Clears Windows event logs
  PID:2896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PLA/Debug"
  2⤵
  - Clears Windows event logs
  PID:2812
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
  2⤵
  PID:1264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scheduled/Operational"
  2⤵
  PID:4140
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-PCW/Analytic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Admin"
  2⤵
  PID:2964
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-MSDE/Debug"
  2⤵
  PID:3060
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Operational"
  2⤵
  PID:1068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-DPS/Debug"
  2⤵
  PID:5096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Analytic"
  2⤵
  PID:4824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-Scripted/Operational"
  2⤵
  PID:1928
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
  2⤵
  PID:2408
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
  2⤵
  PID:4388
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDC/Analytic"
  2⤵
  PID:3868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Debug"
  2⤵
  PID:848
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-Networking/Operational"
  2⤵
  PID:2124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnosis-WDI/Debug"
  2⤵
  PID:2924
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
  2⤵
  PID:1324
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Operational"
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D10_1/Analytic"
  2⤵
  PID:284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D11/Logging"
  2⤵
  PID:1372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D12/Analytic"
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D12/Logging"
  2⤵
  PID:4912
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Direct3D12/PerfTiming"
  2⤵
  PID:3092
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DirectComposition/Diagnostic"
  2⤵
  PID:3176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DirectShow-KernelSupport/Performance"
  2⤵
  - Clears Windows event logs
  PID:3640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DirectManipulation/Diagnostic"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DirectSound/Debug"
  2⤵
  PID:2052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DiskDiagnostic/Operational"
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
  2⤵
  PID:4396
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DiskDiagnosticResolver/Operational"
  2⤵
  PID:5012
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dism-Api/Analytic"
  2⤵
  PID:4836
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dism-Cli/Analytic"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dot3MM/Diagnostic"
  2⤵
  PID:1876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DucUpdateAgent/Operational"
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
  2⤵
  PID:2808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-Dwm/Diagnostic"
  2⤵
  PID:3692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-Redir/Diagnostic"
  2⤵
  PID:1468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Admin"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-Udwm/Diagnostic"
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-Core/Diagnostic"
  2⤵
  PID:292
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxgKrnl-Operational"
  2⤵
  PID:1608
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Dwm-API/Diagnostic"
  2⤵
  PID:1812
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Documents/Performance"
  2⤵
  - Clears Windows event logs
  PID:1944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DisplaySwitch/Diagnostic"
  2⤵
  PID:4412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxgKrnl/Diagnostic"
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
  2⤵
  PID:3184
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EDP-Application-Learning/Admin"
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EDP-Audit-Regular/Admin"
  2⤵
  PID:1264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EDP-Audit-TCB/Admin"
  2⤵
  PID:272
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapHost/Operational"
  2⤵
  PID:4624
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapMethods-RasChap/Operational"
  2⤵
  PID:692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapMethods-RasTls/Operational"
  2⤵
  PID:3212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapMethods-Sim/Operational"
  2⤵
  PID:412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EapMethods-Ttls/Operational"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
  2⤵
  - Clears Windows event logs
  PID:4504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EventCollector/Debug"
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EventCollector/Operational"
  2⤵
  PID:5028
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-EventLog/Debug"
  2⤵
  PID:1860
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FMS/Debug"
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FMS/Operational"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
  2⤵
  PID:1056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:3092
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FMS/Analytic"
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-ConfigManager/Debug"
  2⤵
  PID:2132
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Engine/BackupLog"
  2⤵
  PID:964
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-EventListener/Debug"
  2⤵
  - Clears Windows event logs
  PID:3304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Analytic"
  2⤵
  PID:1944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Folder Redirection/Operational"
  2⤵
  PID:2288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Firewall-CPL/Diagnostic"
  2⤵
  PID:432
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Forwarding/Debug"
  2⤵
  PID:1812
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Forwarding/Operational"
  2⤵
  PID:1856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-GenericRoaming/Admin"
  2⤵
  PID:956
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-GPIO-ClassExtension/Analytic"
  2⤵
  - Clears Windows event logs
  PID:3832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileInfoMinifilter/Operational"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-UI-Events/Debug"
  2⤵
  - Clears Windows event logs
  PID:628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Debug"
  2⤵
  PID:4412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-GroupPolicy/Operational"
  2⤵
  PID:3452
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-FileHistory-Service/Analytic"
  2⤵
  PID:2980
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HealthCenter/Debug"
  2⤵
  PID:380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HelloForBusiness/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Help/Operational"
  2⤵
  PID:5048
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup Control Panel/Operational"
  2⤵
  PID:448
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup Listener Service/Operational"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup Provider Service/Operational"
  2⤵
  PID:2224
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HomeGroup-ListenerService"
  2⤵
  PID:2720
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-HotspotAuth/Operational"
  2⤵
  PID:288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
  2⤵
  PID:1480
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
  2⤵
  PID:852
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
  2⤵
  PID:4504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Admin"
  2⤵
  PID:284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-VID-Analytic"
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IKE/Operational"
  2⤵
  PID:1972
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IE-SmartScreen"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
  2⤵
  PID:5072
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
  2⤵
  PID:2796
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IKEDBG/Debug"
  2⤵
  PID:3312
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
  2⤵
  PID:1056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-KRTIP/Analytic"
  2⤵
  PID:4540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IME-TCCORE/Analytic"
  2⤵
  PID:1868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IPNAT/Diagnostic"
  2⤵
  PID:1500
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Debug"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IPxlatCfg/Operational"
  2⤵
  PID:2044
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IdCtrls/Analytic"
  2⤵
  PID:296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-IdCtrls/Operational"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
  2⤵
  PID:1812
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Operational"
  2⤵
  PID:1808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Iphlpsvc/Trace"
  2⤵
  PID:2856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-KdsSvc/Operational"
  2⤵
  PID:3588
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Acpi/Diagnostic"
  2⤵
  PID:968
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-AppCompat/Performance"
  2⤵
  PID:2948
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Operational"
  2⤵
  PID:1692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Debug"
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Operational"
  2⤵
  PID:1264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Boot/Analytic"
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
  2⤵
  PID:2812
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
  2⤵
  PID:272
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-IO/Operational"
  2⤵
  PID:288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
  2⤵
  PID:2452
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-LiveDump/Operational"
  2⤵
  PID:3508
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Network/Analytic"
  2⤵
  PID:852
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
  2⤵
  PID:3940
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Power/Thermal-Operational"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-Process/Analytic"
  2⤵
  PID:3176
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Analytic"
  2⤵
  PID:4084
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-WDI/Operational"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Errors"
  2⤵
  PID:4068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-WHEA/Operational"
  2⤵
  PID:1500
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Kernel-XDV/Analytic"
  2⤵
  PID:1100
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Admin"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-KeyboardFilter/Performance"
  2⤵
  PID:296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Known Folders API Service"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LSA/Diagnostic"
  2⤵
  PID:3844
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
  2⤵
  PID:956
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Debug"
  2⤵
  PID:3588
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LanguagePackSetup/Operational"
  2⤵
  - Clears Windows event logs
  PID:4660
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-LiveId/Operational"
  2⤵
  PID:5048
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MUI/Admin"
  2⤵
  PID:4012
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MSPaint/Diagnostic"
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MUI/Analytic"
  2⤵
  PID:2488
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MUI/Operational"
  2⤵
  PID:2452
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MUI/Debug"
  2⤵
  PID:4576
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Media-Streaming/MDE"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
  2⤵
  PID:4216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
  2⤵
  PID:428
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
  2⤵
  PID:3092
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
  2⤵
  - Clears Windows event logs
  PID:4612
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
  2⤵
  PID:4844
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NCSI/Analytic"
  2⤵
  PID:3100
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NCSI/Operational"
  2⤵
  PID:5012
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NDIS/Diagnostic"
  2⤵
  PID:3384
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NTLM/Operational"
  2⤵
  PID:4068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Narrator/Diagnostic"
  2⤵
  PID:1100
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NcdAutoSetup/Operational"
  2⤵
  PID:296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NdisImPlatform/Operational"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Network-Connection-Broker"
  2⤵
  PID:3844
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkLocationWizard/Operational"
  2⤵
  PID:1068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Diagnostic"
  2⤵
  PID:968
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProfile/Operational"
  2⤵
  PID:1608
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProvider/Operational"
  2⤵
  PID:4860
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Analytic"
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NetworkProvisioning/Operational"
  2⤵
  PID:2812
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Networking-Correlation/Diagnostic"
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-NlaSvc/Operational"
  2⤵
  PID:2720
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Ntfs/Operational"
  2⤵
  PID:308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Ntfs/WHC"
  2⤵
  PID:3560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OLE/Clipboard-Performance"
  2⤵
  PID:288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
  2⤵
  PID:3508
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OOBE-Machine-DUI/Operational"
  2⤵
  - Clears Windows event logs
  PID:2960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OcpUpdateAgent/Operational"
  2⤵
  PID:4504
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OfflineFiles/Operational"
  2⤵
  PID:2228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OfflineFiles/SyncLog"
  2⤵
  PID:2664
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OneX/Diagnostic"
  2⤵
  PID:4780
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OobeLdr/Analytic"
  2⤵
  PID:4776
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-OtpCredentialProvider/Operational"
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PackageStateRoaming/Debug"
  2⤵
  - Clears Windows event logs
  PID:3640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ParentalControls/Operational"
  2⤵
  PID:1912
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Partition/Diagnostic"
  2⤵
  PID:3140
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
  2⤵
  PID:3292
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PerceptionRuntime/Operational"
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PerceptionSensorDataService/Operational"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
  2⤵
  PID:2756
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
  2⤵
  PID:296
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Policy/Operational"
  2⤵
  PID:4832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
  2⤵
  PID:3184
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PowerShell/Operational"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PrimaryNetworkIcon/Performance"
  2⤵
  PID:1264
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PrintBRM/Admin"
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PrintService/Admin"
  2⤵
  PID:2988
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
  2⤵
  PID:848
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
  2⤵
  PID:3508
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
  2⤵
  PID:3908
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PushNotification-InProc/Debug"
  2⤵
  PID:2664
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Admin"
  2⤵
  PID:1372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-PushNotification-Platform/Operational"
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-QoS-qWAVE/Debug"
  2⤵
  PID:3092
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RPC/EEInfo"
  2⤵
  PID:3640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RadioManager/Analytic"
  2⤵
  PID:4788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ReFS/Operational"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ReadyBoost/Analytic"
  2⤵
  PID:1868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ReadyBoostDriver/Operational"
  2⤵
  - Clears Windows event logs
  PID:4648
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Regsvr32/Operational"
  2⤵
  - Clears Windows event logs
  PID:1328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
  2⤵
  PID:1944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
  2⤵
  PID:628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Admin"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Operational"
  2⤵
  PID:3412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteAssistance/Tracing"
  2⤵
  PID:1672
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
  2⤵
  - Clears Windows event logs
  PID:5024
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
  2⤵
  PID:1808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
  2⤵
  PID:1856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
  2⤵
  PID:3992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:4784
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ResetEng-Trace/Diagnostic"
  2⤵
  PID:3536
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
  2⤵
  PID:3184
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RestartManager/Operational"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RetailDemo/Admin"
  2⤵
  PID:3196
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-RetailDemo/Operational"
  2⤵
  PID:4596
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Graphics/Analytic"
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Web-Http/Tracing"
  2⤵
  PID:2408
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
  2⤵
  PID:692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Runtime/CreateInstance"
  2⤵
  PID:2112
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBClient/Operational"
  2⤵
  - Clears Windows event logs
  PID:4008
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBDirect/Admin"
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBDirect/Netmon"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Audit"
  2⤵
  PID:1372
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Connectivity"
  2⤵
  PID:4216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Operational"
  2⤵
  PID:428
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBServer/Security"
  2⤵
  PID:1056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Admin"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SMBWitnessClient/Informational"
  2⤵
  - Clears Windows event logs
  PID:3640
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Schannel-Events/Perf"
  2⤵
  PID:4864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sdstor/Analytic"
  2⤵
  PID:964
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SearchUI/Operational"
  2⤵
  PID:2756
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SearchUI/Diagnostic"
  2⤵
  PID:1868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SecureAssessment/Operational"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Adminless/Operational"
  2⤵
  PID:4648
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
  2⤵
  PID:1944
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
  2⤵
  PID:628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
  2⤵
  PID:3412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/KernelMode"
  2⤵
  PID:5096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Mitigations/UserMode"
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-Netlogon/Operational"
  2⤵
  - Clears Windows event logs
  PID:824
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
  2⤵
  PID:968
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
  2⤵
  PID:3992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-SPP/Perf"
  2⤵
  PID:3536
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Security-UserConsentVerifier/Audit"
  2⤵
  PID:1704
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Admin"
  2⤵
  PID:1692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SecurityMitigationsBroker/Operational"
  2⤵
  PID:2004
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sensors/Performance"
  2⤵
  PID:3868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ServiceReportingApi/Debug"
  2⤵
  PID:3212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Services/Diagnostic"
  2⤵
  PID:3636
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Debug"
  2⤵
  PID:3508
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync-Azure/Operational"
  2⤵
  PID:744
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Debug"
  2⤵
  PID:5028
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync-OneDrive/Operational"
  2⤵
  PID:4920
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync/Debug"
  2⤵
  PID:2228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SettingSync/Operational"
  2⤵
  PID:2664
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Setup/Analytic"
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SetupPlatform/Analytic"
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SetupUGC/Analytic"
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
  2⤵
  PID:952
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
  2⤵
  PID:4844
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
  2⤵
  PID:4788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
  2⤵
  PID:5060
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
  2⤵
  PID:3384
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-Core/AppDefaults"
  2⤵
  PID:4068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shell-Shwebsvc"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
  2⤵
  - Clears Windows event logs
  PID:5024
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Shsvcs/Diagnostic"
  2⤵
  PID:2532
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmartCard-Audit/Authentication"
  2⤵
  PID:3452
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
  2⤵
  PID:380
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
  2⤵
  PID:4660
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
  2⤵
  PID:3060
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmbClient/Connectivity"
  2⤵
  PID:4140
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SmbClient/Security"
  2⤵
  PID:2128
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Speech-UserExperience/Diagnostic"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SpellChecker/Analytic"
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SrumTelemetry"
  2⤵
  PID:4012
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StateRepository/Diagnostic"
  2⤵
  PID:3560
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StateRepository/Operational"
  2⤵
  PID:3212
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StateRepository/Restricted"
  2⤵
  PID:3124
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorPort/Operational"
  2⤵
  PID:2584
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ATAPort/Analytic"
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-ClassPnP/Diagnose"
  2⤵
  PID:3940
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Admin"
  2⤵
  PID:4776
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Disk/Diagnose"
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Analytic"
  2⤵
  - Clears Windows event logs
  PID:3104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Health"
  2⤵
  PID:3100
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Storport/Operational"
  2⤵
  PID:4540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storage-Tiering/Admin"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageManagement/Operational"
  2⤵
  PID:4976
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSettings/Diagnostic"
  2⤵
  PID:3016
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
  2⤵
  PID:2980
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
  2⤵
  PID:2864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
  2⤵
  PID:4624
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Store/Operational"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Storsvc/Diagnostic"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Subsys-Csr/Operational"
  2⤵
  PID:1468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Superfetch/Main"
  2⤵
  PID:956
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Sysmon/Operational"
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Superfetch/StoreLog"
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SystemSettingsHandlers/Debug"
  2⤵
  PID:4552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-SystemSettingsThreshold/Operational"
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TCPIP/Operational"
  2⤵
  PID:272
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TSF-msutb/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:4548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TWinAPI/Diagnostic"
  2⤵
  PID:2488
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TWinUI/Operational"
  2⤵
  PID:2452
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TZSync/Operational"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TZUtil/Operational"
  2⤵
  PID:3508
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TaskScheduler/Maintenance"
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
  2⤵
  - Clears Windows event logs
  PID:1712
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
  2⤵
  PID:2664
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
  2⤵
  PID:3940
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
  2⤵
  PID:2028
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
  2⤵
  PID:3228
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
  2⤵
  PID:1300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
  2⤵
  PID:2632
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Admin"
  2⤵
  PID:4396
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Debug"
  2⤵
  PID:4836
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-Printers/Operational"
  2⤵
  PID:5060
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Debug"
  2⤵
  PID:1660
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RDPClient/Operational"
  2⤵
  PID:1600
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
  2⤵
  PID:1500
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
  2⤵
  PID:4068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
  2⤵
  PID:2808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
  2⤵
  PID:2288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
  2⤵
  PID:3844
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Tethering-Manager/Analytic"
  2⤵
  PID:1468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ThemeUI/Diagnostic"
  2⤵
  PID:5096
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Time-Service/Operational"
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Troubleshooting-Recommended/Operational"
  2⤵
  PID:4552
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UAC-FileVirtualization/Operational"
  2⤵
  PID:992
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UAC/Operational"
  2⤵
  PID:2128
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UIAnimation/Diagnostic"
  2⤵
  PID:5104
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UIAutomationCore/Perf"
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-MAUSBHOST-Analytic"
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-USBHUB3-Analytic"
  2⤵
  PID:3384
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
  2⤵
  PID:2112
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Control Panel Performance/Diagnostic"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Control Panel/Diagnostic"
  2⤵
  PID:4008
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Device Registration/Admin"
  2⤵
  PID:284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User Profile Service/Operational"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-User-Loader/Operational"
  2⤵
  PID:3940
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserAccountControl/Diagnostic"
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserPnp/ActionCenter"
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserPnp/DeviceInstall"
  2⤵
  PID:4620
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UserPnp/Performance"
  2⤵
  PID:2052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-UxInit/Diagnostic"
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VHDMP-Operational"
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VPN-Client/Operational"
  2⤵
  PID:3088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VPN/Operational"
  2⤵
  PID:4412
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VerifyHardwareSecurity/Admin"
  2⤵
  PID:2340
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Volume/Diagnostic"
  2⤵
  PID:1368
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WEPHOSTSVC/Operational"
  2⤵
  PID:1808
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WER-PayloadHealth/Operational"
  2⤵
  PID:1856
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WFP/Operational"
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WLAN-AutoConfig/Operational"
  2⤵
  PID:1068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
  2⤵
  PID:968
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
  2⤵
  PID:4784
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Operational"
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WMI-Activity/Trace"
  2⤵
  PID:1692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WMPNSS-Service/Operational"
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WPD-ClassInstaller/Operational"
  2⤵
  PID:288
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
  2⤵
  PID:1480
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WPD-MTPBT/Analytic"
  2⤵
  PID:2184
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WPD-MTPClassDriver/Operational"
  2⤵
  PID:2396
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WPD-MTPUS/Analytic"
  2⤵
  PID:5072
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WWAN-CFE/Diagnostic"
  2⤵
  PID:284
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Wcmsvc/Operational"
  2⤵
  PID:1012
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Wcmsvc/Diagnostic"
  2⤵
  PID:4776
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WebAuthN/Operational"
  2⤵
  PID:1056
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Win32k/Operational"
  2⤵
  PID:1660
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Win32k/Messages"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WinHttp/Diagnostic"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WinINet-Config/ProxyConfigChanged"
  2⤵
  PID:628
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WinINet/WebSocket"
  2⤵
  PID:1864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WinRM/Debug"
  2⤵
  PID:1608
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WinURLMon/Analytic"
  2⤵
  PID:1320
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
  2⤵
  PID:1704
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
  2⤵
  PID:448
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WindowsColorSystem/Debug"
  2⤵
  PID:2988
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
  2⤵
  PID:4548
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Winlogon/Operational"
  2⤵
  PID:2796
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Winsock-NameResolution/Operational"
  2⤵
  PID:4008
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Wired-AutoConfig/Operational"
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-Wordpad/Admin"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-WorkFolders/Operational"
  2⤵
  PID:1012
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-XAML-Diagnostics/Default"
  2⤵
  PID:4844
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-glcnd/Debug"
  2⤵
  PID:3088
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-ntshrui"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-Windows-wmbclass/Trace"
  2⤵
  PID:1672
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel"
  2⤵
  PID:3452
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Microsoft-WindowsPhone-LocationServiceProvider/Debug"
  2⤵
  PID:1608
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Network Isolation Operational"
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "OAlerts"
  2⤵
  PID:4792
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "OfficeDebugChannel"
  2⤵
  PID:308
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "OpenSSH/Operational"
  2⤵
  PID:2924
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "PlayReadyPerformanceChannel"
  2⤵
  PID:5036
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Security"
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Setup"
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "SmbWmiAnalytic"
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "SystemEventsBroker"
  2⤵
  PID:4788
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "TimeBroker"
  2⤵
  PID:1868
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Uac/Debug"
  2⤵
  PID:1876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WINDOWS_MP4SDECD_CHANNEL"
  2⤵
  PID:1368
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WMPSyncEngine"
  2⤵
  PID:1856
- C:\Windows\system32\sc.exe
  sc stop "ScreenConnect Client (4359c1fc603a46cf)"
  2⤵
  PID:4860
- C:\Windows\system32\sc.exe
  sc stop "BitLicenseServer_16"
  2⤵
  - Launches sc.exe
  PID:3184
- C:\Windows\system32\sc.exe
  sc stop "LogMeIn"
  2⤵
  PID:2124
- C:\Windows\system32\sc.exe
  sc stop "JTB FlexReport Auto Service"
  2⤵
  - Launches sc.exe
  PID:2396
- C:\Windows\system32\sc.exe
  sc stop "JTB FlexReport Sampling Service"
  2⤵
  PID:4504
- C:\Windows\system32\sc.exe
  sc stop "EventLog"
  2⤵
  PID:2028
- C:\Windows\system32\sc.exe
  sc stop "LMS"
  2⤵
  PID:1912
- C:\Windows\system32\sc.exe
  sc stop "JavaQuickStarterService"
  2⤵
  - Launches sc.exe
  PID:1792
- C:\Windows\system32\sc.exe
  sc stop "vmicguestinterface"
  2⤵
  PID:5008
- C:\Windows\system32\sc.exe
  sc stop "SQLSERVERAGENT"
  2⤵
  PID:628
- C:\Windows\system32\sc.exe
  sc stop "MsDtsServer130"
  2⤵
  PID:2856
- C:\Windows\system32\sc.exe
  sc stop "SQLAgent$VEEAMSQL2012"
  2⤵
  PID:4660
- C:\Windows\system32\sc.exe
  sc stop "SQLTELEMETRY$HL"
  2⤵
  - Launches sc.exe
  PID:1816
- C:\Windows\system32\sc.exe
  sc stop "MSSQL$PROGID"
  2⤵
  PID:4140
- C:\Windows\system32\sc.exe
  sc stop "MSSQLFDLauncher$OPTIMA"
  2⤵
  - Launches sc.exe
  PID:4792
- C:\Windows\system32\sc.exe
  sc stop "ReportServer$OPTIMA"
  2⤵
  PID:308
- C:\Windows\system32\sc.exe
  sc stop AmazonSSMAgent
  2⤵
  - Launches sc.exe
  PID:4924
- C:\Windows\system32\sc.exe
  sc stop SQLTELEMETRY
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc stop Wrmserv
  2⤵
  - Launches sc.exe
  PID:3660
- C:\Windows\system32\sc.exe
  sc stop MSExchangeHMRecovery
  2⤵
  - Launches sc.exe
  PID:1460
- C:\Windows\system32\sc.exe
  sc stop MSExchangeMailboxAssistants
  2⤵
  - Launches sc.exe
  PID:1660
- C:\Windows\system32\sc.exe
  sc stop MSExchangePop3
  2⤵
  - Launches sc.exe
  PID:2980
- C:\Windows\system32\sc.exe
  sc stop MSExchangeServiceHost
  2⤵
  PID:1812
- C:\Windows\system32\sc.exe
  sc stop MSExchangeTransportLogSearch
  2⤵
  PID:380
- C:\Windows\system32\sc.exe
  sc stop vmickvpexchange
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc stop ShadowProtectSvc
  2⤵
  PID:4140
- C:\Windows\system32\sc.exe
  sc stop QBVSS
  2⤵
  PID:4072
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB2
  2⤵
  - Launches sc.exe
  PID:692
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB5
  2⤵
  PID:3384
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB9
  2⤵
  PID:4008
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB12
  2⤵
  PID:2228
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB15
  2⤵
  PID:4200
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB21
  2⤵
  - Launches sc.exe
  PID:4652
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB23
  2⤵
  PID:4644
- C:\Windows\system32\sc.exe
  sc stop ekrn
  2⤵
  PID:5060
- C:\Windows\system32\sc.exe
  sc stop ClickToRunSvc
  2⤵
  PID:964
- C:\Windows\system32\sc.exe
  sc stop MacriumService
  2⤵
  PID:2448
- C:\Windows\system32\sc.exe
  sc stop FileOpenManagerSvc
  2⤵
  PID:2568
- C:\Windows\system32\sc.exe
  sc stop aspnet_state
  2⤵
  PID:3692
- C:\Windows\system32\sc.exe
  sc stop OracleOraDb11g_home1ClrAgent
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc stop AcronisZmqGw
  2⤵
  PID:3716
- C:\Windows\system32\sc.exe
  sc stop Tomcat8Testing
  2⤵
  PID:4552
- C:\Windows\system32\sc.exe
  sc stop MSSQLSERVER
  2⤵
  PID:2184
- C:\Windows\system32\sc.exe
  sc stop MSSQLServerADHelper100
  2⤵
  PID:2300
- C:\Windows\system32\sc.exe
  sc stop SQLAgent$ISARS
  2⤵
  - Launches sc.exe
  PID:1972
- C:\Windows\system32\sc.exe
  sc stop SQLWriter
  2⤵
  - Launches sc.exe
  PID:3640
- C:\Windows\system32\sc.exe
  sc stop MySQL55
  2⤵
  PID:3140
- C:\Windows\system32\sc.exe
  sc stop MSSQL$CRMVIEW
  2⤵
  PID:2860
- C:\Windows\system32\sc.exe
  sc stop ReportServer$SQL
  2⤵
  PID:5076
- C:\Windows\system32\sc.exe
  sc stop WindowsAzureTelemetryService
  2⤵
  PID:4660
- C:\Windows\system32\sc.exe
  sc stop MSExchangeFDS
  2⤵
  PID:4596
- C:\Windows\system32\sc.exe
  sc stop MSExchangeProtectedServiceHost
  2⤵
  PID:4548
- C:\Windows\system32\sc.exe
  sc stop VeeamCloudSvc
  2⤵
  - Launches sc.exe
  PID:284
- C:\Windows\system32\sc.exe
  sc stop VeeamTransportSvc
  2⤵
  PID:1012
- C:\Windows\system32\sc.exe
  sc stop MSCRMAsyncService
  2⤵
  PID:4084
- C:\Windows\system32\sc.exe
  sc stop MSCRMUnzipService
  2⤵
  PID:3536
- C:\Windows\system32\sc.exe
  sc stop SentinelKeysServer
  2⤵
  - Launches sc.exe
  PID:2448
- C:\Windows\system32\sc.exe
  sc stop psqlWGE
  2⤵
  PID:432
- C:\Windows\system32\sc.exe
  sc stop Citrix EUEM
  2⤵
  PID:5096
- C:\Windows\system32\sc.exe
  sc stop CitrixAnalytics
  2⤵
  PID:1704
- C:\Windows\system32\sc.exe
  sc stop CitrixConfigSyncService
  2⤵
  PID:5104
- C:\Windows\system32\sc.exe
  sc stop CitrixConnector
  2⤵
  - Launches sc.exe
  PID:2984
- C:\Windows\system32\sc.exe
  sc stop CitrixDelegatedAdmin
  2⤵
  PID:2968
- C:\Windows\system32\sc.exe
  sc stop CitrixHostService
  2⤵
  PID:2412
- C:\Windows\system32\sc.exe
  sc stop CitrixOrchestration
  2⤵
  - Launches sc.exe
  PID:1772
- C:\Windows\system32\sc.exe
  sc stop CitrixRedirector
  2⤵
  PID:2288
- C:\Windows\system32\sc.exe
  sc stop CitrixSubscriptionsStore
  2⤵
  PID:3452
- C:\Windows\system32\sc.exe
  sc stop CitrixWebServicesforLicensing
  2⤵
  PID:448
- C:\Windows\system32\sc.exe
  sc stop CtxFlashSvc
  2⤵
  PID:4920
- C:\Windows\system32\sc.exe
  sc stop CtxMultiTouchSvc
  2⤵
  PID:3140
- C:\Windows\system32\sc.exe
  sc stop CtxSmartCardSvc
  2⤵
  PID:4776
- C:\Windows\system32\sc.exe
  sc stop CtxUvi
  2⤵
  PID:4624
- C:\Windows\system32\sc.exe
  sc stop picapar
  2⤵
  PID:3080
- C:\Windows\system32\sc.exe
  sc stop VSS
  2⤵
  PID:3312
- C:\Windows\system32\sc.exe
  sc stop "Sophos AutoUpdate Service"
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc stop "Sophos Anti-Virus"
  2⤵
  PID:3560
- C:\Windows\system32\sc.exe
  sc stop picavc
  2⤵
  PID:1820
- C:\Windows\system32\sc.exe
  sc stop picaser
  2⤵
  PID:1816
- C:\Windows\system32\sc.exe
  sc stop picadm
  2⤵
  PID:4660
- C:\Windows\system32\sc.exe
  sc stop icausbb
  2⤵
  - Launches sc.exe
  PID:2948
- C:\Windows\system32\sc.exe
  sc stop ctxusbm
  2⤵
  - Launches sc.exe
  PID:876
- C:\Windows\system32\sc.exe
  sc stop ctxsmcdrv
  2⤵
  PID:3412
- C:\Windows\system32\sc.exe
  sc stop CtxSensVcSvc
  2⤵
  PID:1488
- C:\Windows\system32\sc.exe
  sc stop ctxProfile
  2⤵
  PID:4248
- C:\Windows\system32\sc.exe
  sc stop CtxLSPortSvc
  2⤵
  PID:1424
- C:\Windows\system32\sc.exe
  sc stop CtxHdxWebSocketService
  2⤵
  PID:4780
- C:\Windows\system32\sc.exe
  sc stop CtxAudioSvc
  2⤵
  PID:4548
- C:\Windows\system32\sc.exe
  sc stop Citrix_GTLicensingProv
  2⤵
  PID:3560
- C:\Windows\system32\sc.exe
  sc stop CitrixTrust
  2⤵
  PID:1820
- C:\Windows\system32\sc.exe
  sc stop CitrixTelemetryService
  2⤵
  PID:1816
- C:\Windows\system32\sc.exe
  sc stop CitrixStorefront
  2⤵
  PID:2336
- C:\Windows\system32\sc.exe
  sc stop CitrixServiceMonitor
  2⤵
  PID:292
- C:\Windows\system32\sc.exe
  sc stop CitrixPrivilegedService
  2⤵
  PID:1876
- C:\Windows\system32\sc.exe
  sc stop CitrixMonitor
  2⤵
  PID:1488
- C:\Windows\system32\sc.exe
  sc stop CitrixMachineCreationService
  2⤵
  PID:5060
- C:\Windows\system32\sc.exe
  sc stop CitrixHighAvailabilityService
  2⤵
  PID:4216
- C:\Windows\system32\sc.exe
  sc stop CitrixEnvTest
  2⤵
  - Launches sc.exe
  PID:1424
- C:\Windows\system32\sc.exe
  sc stop CitrixDefaultDomainService
  2⤵
  - Launches sc.exe
  PID:3940
- C:\Windows\system32\sc.exe
  sc stop CitrixCseEngine
  2⤵
  PID:4468
- C:\Windows\system32\sc.exe
  sc stop CitrixCredentialWallet
  2⤵
  - Launches sc.exe
  PID:4064
- C:\Windows\system32\sc.exe
  sc stop CitrixConfigurationService
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc stop CitrixConfigurationReplication
  2⤵
  PID:2300
- C:\Windows\system32\sc.exe
  sc stop CitrixConfigurationLogging
  2⤵
  PID:1324
- C:\Windows\system32\sc.exe
  sc stop CitrixClusterService
  2⤵
  PID:1908
- C:\Windows\system32\sc.exe
  sc stop CitrixBrokerService
  2⤵
  PID:2128
- C:\Windows\system32\sc.exe
  sc stop CitrixAppLibrary
  2⤵
  PID:1816
- C:\Windows\system32\sc.exe
  sc stop CitrixADIdentityService
  2⤵
  - Launches sc.exe
  PID:3540
- C:\Windows\system32\sc.exe
  sc stop Citrix Peer Resolution Service
  2⤵
  PID:3992
- C:\Windows\system32\sc.exe
  sc stop Citrix Licensing
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc stop Citrix Encryption Service
  2⤵
  PID:4832
- C:\Windows\system32\sc.exe
  sc stop MSSQLFDLauncher$SBSMONITORING
  2⤵
  - Launches sc.exe
  PID:3692
- C:\Windows\system32\sc.exe
  sc stop MSSQL$SBSMONITORING
  2⤵
  - Launches sc.exe
  PID:2044
- C:\Windows\system32\sc.exe
  sc stop SentinelSecurityRuntime
  2⤵
  - Launches sc.exe
  PID:1944
- C:\Windows\system32\sc.exe
  sc stop SentinelProtectionServer
  2⤵
  PID:1660
- C:\Windows\system32\sc.exe
  sc stop MSCRMSandboxService
  2⤵
  PID:4308
- C:\Windows\system32\sc.exe
  sc stop MSCRMMonitoringService
  2⤵
  PID:2588
- C:\Windows\system32\sc.exe
  sc stop MSCRMAsyncService$maintenance
  2⤵
  PID:3120
- C:\Windows\system32\sc.exe
  sc stop msftesql-Exchange
  2⤵
  PID:5012
- C:\Windows\system32\sc.exe
  sc stop FileZilla Server
  2⤵
  PID:324
- C:\Windows\system32\sc.exe
  sc stop VeeamNFSSvc
  2⤵
  PID:3492
- C:\Windows\system32\sc.exe
  sc stop VeeamMountSvc
  2⤵
  PID:1476
- C:\Windows\system32\sc.exe
  sc stop VeeamDeploySvc
  2⤵
  PID:2920
- C:\Windows\system32\sc.exe
  sc stop VeeamCatalogSvc
  2⤵
  PID:2396
- C:\Windows\system32\sc.exe
  sc stop MSExchangeSearch
  2⤵
  PID:3212
- C:\Windows\system32\sc.exe
  sc stop MSExchangeMonitoring
  2⤵
  PID:1928
- C:\Windows\system32\sc.exe
  sc stop MSExchangeMailSubmission
  2⤵
  - Launches sc.exe
  PID:5104
- C:\Windows\system32\sc.exe
  sc stop MSExchangeAB
  2⤵
  PID:3184
- C:\Windows\system32\sc.exe
  sc stop Backupper Service
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc stop OracleServiceINFAORCL
  2⤵
  - Launches sc.exe
  PID:1808
- C:\Windows\system32\sc.exe
  sc stop OracleOraDb11g_home1TNSListener
  2⤵
  - Launches sc.exe
  PID:3956
- C:\Windows\system32\sc.exe
  sc stop MSOLAP$SQL
  2⤵
  PID:2044
- C:\Windows\system32\sc.exe
  sc stop MSDTC
  2⤵
  PID:1328
- C:\Windows\system32\sc.exe
  sc stop MsDtsServer100
  2⤵
  - Launches sc.exe
  PID:2448
- C:\Windows\system32\sc.exe
  sc stop MSSQLLaunchpad$SQLEXPRESS
  2⤵
  PID:3016
- C:\Windows\system32\sc.exe
  sc stop MSSQL$CRMVIEW2
  2⤵
  PID:1772
- C:\Windows\system32\sc.exe
  sc stop MySQL
  2⤵
  PID:4788
- C:\Windows\system32\sc.exe
  sc stop ReportServer
  2⤵
  PID:4844
- C:\Windows\system32\sc.exe
  sc stop MSSQLServerOLAPService
  2⤵
  - Launches sc.exe
  PID:216
- C:\Windows\system32\sc.exe
  sc stop ReportServer$ISARS
  2⤵
  PID:4460
- C:\Windows\system32\sc.exe
  sc stop SQLAgent$MSFW
  2⤵
  PID:5068
- C:\Windows\system32\sc.exe
  sc stop MSSQL$MSFW
  2⤵
  - Launches sc.exe
  PID:4008
- C:\Windows\system32\sc.exe
  sc stop MSSQL$ISARS
  2⤵
  - Launches sc.exe
  PID:2984
- C:\Windows\system32\sc.exe
  sc stop SQLBrowser
  2⤵
  PID:2452
- C:\Windows\system32\sc.exe
  sc stop SQLSERVERAGENT
  2⤵
  PID:1324
- C:\Windows\system32\sc.exe
  sc stop SQLServerReportingServices
  2⤵
  PID:3560
- C:\Windows\system32\sc.exe
  sc stop MSSQLFDLauncher
  2⤵
  PID:2708
- C:\Windows\system32\sc.exe
  sc stop QBFCService
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc stop VisualSVNServer
  2⤵
  PID:1908
- C:\Windows\system32\sc.exe
  sc stop Tomcat9
  2⤵
  PID:2004
- C:\Windows\system32\sc.exe
  sc stop AcronisAgent
  2⤵
  - Launches sc.exe
  PID:2720
- C:\Windows\system32\sc.exe
  sc stop AcronisMonitoringService
  2⤵
  PID:992
- C:\Windows\system32\sc.exe
  sc stop AcrSch2Svc
  2⤵
  PID:4824
- C:\Windows\system32\sc.exe
  sc stop AcronisActiveProtectionService
  2⤵
  PID:3060
- C:\Windows\system32\sc.exe
  sc stop tvnserver
  2⤵
  - Launches sc.exe
  PID:1008
- C:\Windows\system32\sc.exe
  sc stop Check_MK_Agent
  2⤵
  PID:1068
- C:\Windows\system32\sc.exe
  sc stop OracleMTSRecoveryService
  2⤵
  - Launches sc.exe
  PID:1672
- C:\Windows\system32\sc.exe
  sc stop BASupportExpressSrvcUpdater_N_Central
  2⤵
  PID:3476
- C:\Windows\system32\sc.exe
  sc stop BASupportExpressStandaloneService_N_Central
  2⤵
  PID:2532
- C:\Windows\system32\sc.exe
  sc stop DPMRA
  2⤵
  PID:292
- C:\Windows\system32\sc.exe
  sc stop DpmCPWrapperService
  2⤵
  PID:2864
- C:\Windows\system32\sc.exe
  sc stop DPMClientService
  2⤵
  PID:876
- C:\Windows\system32\sc.exe
  sc stop hMailServer
  2⤵
  - Launches sc.exe
  PID:2340
- C:\Windows\system32\sc.exe
  sc stop NGCLIENT
  2⤵
  PID:1500
- C:\Windows\system32\sc.exe
  sc stop FirebirdServersgsSFBServer
  2⤵
  - Launches sc.exe
  PID:3096
- C:\Windows\system32\sc.exe
  sc stop FirebirdGuardiansgsSFBServer
  2⤵
  PID:4412
- C:\Windows\system32\sc.exe
  sc stop SageEvolutionEcommService
  2⤵
  - Launches sc.exe
  PID:304
- C:\Windows\system32\sc.exe
  sc stop ekrnEpfw
  2⤵
  PID:3536
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB25
  2⤵
  PID:3100
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB24
  2⤵
  - Launches sc.exe
  PID:2132
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB22
  2⤵
  PID:2412
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB20
  2⤵
  PID:324
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB19
  2⤵
  PID:1012
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB18
  2⤵
  PID:1424
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB17
  2⤵
  - Launches sc.exe
  PID:4476
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB16
  2⤵
  PID:1656
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB14
  2⤵
  PID:2920
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB13
  2⤵
  PID:2968
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB11
  2⤵
  PID:1712
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB10
  2⤵
  PID:4600
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB8
  2⤵
  PID:5072
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB7
  2⤵
  - Launches sc.exe
  PID:2124
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB6
  2⤵
  PID:412
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB4
  2⤵
  PID:1324
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB3
  2⤵
  PID:4548
- C:\Windows\system32\sc.exe
  sc stop QuickBooksDB1
  2⤵
  - Launches sc.exe
  PID:2708
- C:\Windows\system32\sc.exe
  sc stop QBPOSDBServiceV12
  2⤵
  PID:3816
- C:\Windows\system32\sc.exe
  sc stop QBCFMonitorService
  2⤵
  - Launches sc.exe
  PID:3884
- C:\Windows\system32\sc.exe
  sc stop firebirdguardiandefaultinstance
  2⤵
  PID:4436
- C:\Windows\system32\sc.exe
  sc stop IISADMIN
  2⤵
  PID:3080
- C:\Windows\system32\sc.exe
  sc stop MSExchangeSA
  2⤵
  PID:272
- C:\Windows\system32\sc.exe
  sc stop MSExchangeFBA
  2⤵
  PID:4988
- C:\Windows\system32\sc.exe
  sc stop wsbexchange
  2⤵
  PID:4784
- C:\Windows\system32\sc.exe
  sc stop SearchExchangeTracing
  2⤵
  PID:956
- C:\Windows\system32\sc.exe
  sc stop MSExchangeUMCR
  2⤵
  PID:2948
- C:\Windows\system32\sc.exe
  sc stop MSExchangeUM
  2⤵
  PID:1008
- C:\Windows\system32\sc.exe
  sc stop MSExchangeTransport
  2⤵
  PID:3588
- C:\Windows\system32\sc.exe
  sc stop MSExchangeThrottling
  2⤵
  PID:2856
- C:\Windows\system32\sc.exe
  sc stop MSExchangeSubmission
  2⤵
  PID:1468
- C:\Windows\system32\sc.exe
  sc stop MSExchangeRPC
  2⤵
  PID:5076
- C:\Windows\system32\sc.exe
  sc stop MSExchangeRepl
  2⤵
  PID:2116
- C:\Windows\system32\sc.exe
  sc stop MSExchangePOP3BE
  2⤵
  PID:880
- C:\Windows\system32\sc.exe
  sc stop MSExchangeNotificationsBroker
  2⤵
  - Launches sc.exe
  PID:2044
- C:\Windows\system32\sc.exe
  sc stop MSExchangeMailboxReplication
  2⤵
  PID:4948
- C:\Windows\system32\sc.exe
  sc stop MSExchangeIS
  2⤵
  PID:3096
- C:\Windows\system32\sc.exe
  sc stop MSExchangeIMAP4BE
  2⤵
  PID:5008
- C:\Windows\system32\sc.exe
  sc stop MSExchangeImap4
  2⤵
  - Launches sc.exe
  PID:2008
- C:\Windows\system32\sc.exe
  sc stop MSExchangeHM
  2⤵
  PID:2492
- C:\Windows\system32\sc.exe
  sc stop MSExchangeFrontEndTransport
  2⤵
  - Launches sc.exe
  PID:4540
- C:\Windows\system32\sc.exe
  sc stop MSExchangeFastSearch
  2⤵
  - Launches sc.exe
  PID:4844
- C:\Windows\system32\sc.exe
  sc stop MSExchangeEdgeSync
  2⤵
  - Launches sc.exe
  PID:3100
- C:\Windows\system32\sc.exe
  sc stop MSExchangeDiagnostics
  2⤵
  PID:2132
- C:\Windows\system32\sc.exe
  sc stop MSExchangeDelivery
  2⤵
  PID:4396
- C:\Windows\system32\sc.exe
  sc stop MSExchangeDagMgmt
  2⤵
  PID:2412
- C:\Windows\system32\sc.exe
  sc stop MSExchangeCompliance
  2⤵
  PID:4652
- C:\Windows\system32\sc.exe
  sc stop MSExchangeAntispamUpdate
  2⤵
  PID:324
- C:\Windows\system32\sc.exe
  sc stop MSExchangeADTopology
  2⤵
  PID:1012
- C:\Windows\system32\sc.exe
  sc stop MSComplianceAudit
  2⤵
  PID:4668
- C:\Windows\system32\sc.exe
  sc stop EcuRemote
  2⤵
  - Launches sc.exe
  PID:1476
- C:\Windows\system32\sc.exe
  sc stop Stxhd.HostAgents.HAService
  2⤵
  PID:4780
- C:\Windows\system32\sc.exe
  sc stop SkyLightWorkspaceConfigService
  2⤵
  PID:2968
- C:\Windows\system32\sc.exe
  sc stop SolarWindsAgent64
  2⤵
  PID:2228
- C:\Windows\system32\sc.exe
  sc stop PCoIPAgent
  2⤵
  PID:4504
- C:\Windows\system32\sc.exe
  sc stop PCoIPArbiterService
  2⤵
  PID:4556
- C:\Windows\system32\sc.exe
  sc stop PCoIPPrintingSvc
  2⤵
  PID:1976
- C:\Windows\system32\sc.exe
  sc stop OfficeSvc
  2⤵
  - Launches sc.exe
  PID:2396
- C:\Windows\system32\sc.exe
  sc stop SQLTELEMETRY$SQLEXPRESS
  2⤵
  PID:288
- C:\Windows\system32\sc.exe
  sc stop FirebirdServerDefaultInstance
  2⤵
  PID:3384
- C:\Windows\system32\sc.exe
  sc stop SecurityHealthService
  2⤵
  PID:1480
- C:\Windows\system32\sc.exe
  sc stop "postgresql-x64-9.4"
  2⤵
  PID:1928
- C:\Windows\system32\sc.exe
  sc stop "msftesql$SQLEXPRESS"
  2⤵
  PID:552
- C:\Windows\system32\sc.exe
  sc stop "SQLAgent$OPTIMA"
  2⤵
  PID:1216
- C:\Windows\system32\sc.exe
  sc stop "MSSQL$OPTIMA"
  2⤵
  PID:1908
- C:\Windows\system32\sc.exe
  sc stop "SQLAgent$WOLTERSKLUWER"
  2⤵
  PID:3028
- C:\Windows\system32\sc.exe
  sc stop "SQLAgent$PROGID"
  2⤵
  PID:2544
- C:\Windows\system32\sc.exe
  sc stop "MSSQL$WOLTERSKLUWER"
  2⤵
  PID:4552
- C:\Windows\system32\sc.exe
  sc stop "TMBMServer"
  2⤵
  - Launches sc.exe
  PID:2128
- C:\Windows\system32\sc.exe
  sc stop "ReportServer"
  2⤵
  - Launches sc.exe
  PID:4988
- C:\Windows\system32\sc.exe
  sc stop "MsDtsServer100"
  2⤵
  PID:2812
- C:\Windows\system32\sc.exe
  sc stop "MSSQLServerOLAPService"
  2⤵
  PID:3716
- C:\Windows\system32\sc.exe
  sc stop "MSSQLServerADHelper100"
  2⤵
  PID:1320
- C:\Windows\system32\sc.exe
  sc stop "SQLAgent"
  2⤵
  PID:956
- C:\Windows\system32\sc.exe
  sc stop "MSSQL"
  2⤵
  - Launches sc.exe
  PID:968
- C:\Windows\system32\sc.exe
  sc stop "MSSQL$VEEAMSQL2012"
  2⤵
  PID:1008
- C:\Windows\system32\sc.exe
  sc stop "SQLWriter"
  2⤵
  PID:1808
- C:\Windows\system32\sc.exe
  sc stop "SSISTELEMETRY130"
  2⤵
  PID:3476
- C:\Windows\system32\sc.exe
  sc stop "SQLTELEMETRY"
  2⤵
  PID:3692
- C:\Windows\system32\sc.exe
  sc stop "SQLBrowser"
  2⤵
  PID:1812
- C:\Windows\system32\sc.exe
  sc stop "MSSQLSERVER"
  2⤵
  PID:2288
- C:\Windows\system32\sc.exe
  sc stop "MSSQLFDLauncher"
  2⤵
  - Launches sc.exe
  PID:1944
- C:\Windows\system32\sc.exe
  sc stop "vmicvss"
  2⤵
  PID:2980
- C:\Windows\system32\sc.exe
  sc stop "vmictimesync"
  2⤵
  PID:4068
- C:\Windows\system32\sc.exe
  sc stop "vmicrdv"
  2⤵
  PID:3088
- C:\Windows\system32\sc.exe
  sc stop "vmicheartbeat"
  2⤵
  - Launches sc.exe
  PID:1600
- C:\Windows\system32\sc.exe
  sc stop "vmicshutdown"
  2⤵
  PID:4384
- C:\Windows\system32\sc.exe
  sc stop "vmickvpexchange"
  2⤵
  PID:304
- C:\Windows\system32\sc.exe
  sc stop "WinDefend"
  2⤵
  PID:3536
- C:\Windows\system32\sc.exe
  sc stop "ERSvc"
  2⤵
  PID:964
- C:\Windows\system32\sc.exe
  sc stop "TeamViewer"
  2⤵
  PID:3292
- C:\Windows\system32\sc.exe
  sc stop "Intel(R) PROSet Monitoring Service"
  2⤵
  PID:216
- C:\Windows\system32\sc.exe
  sc stop "PDFProFiltSrvPP"
  2⤵
  - Launches sc.exe
  PID:4644
- C:\Windows\system32\sc.exe
  sc stop "SENS"
  2⤵
  - Launches sc.exe
  PID:4612
- C:\Windows\system32\sc.exe
  sc stop "wscsvc"
  2⤵
  - Launches sc.exe
  PID:3640
- C:\Windows\system32\sc.exe
  sc stop "MBAMService"
  2⤵
  PID:324
- C:\Windows\system32\sc.exe
  sc stop "MsMpEng"
  2⤵
  - Launches sc.exe
  PID:1424
- C:\Windows\system32\sc.exe
  sc stop "TrueKeyServiceHelper"
  2⤵
  PID:4512
- C:\Windows\system32\sc.exe
  sc stop "RapidRecoveryCore"
  2⤵
  PID:1656
- C:\Windows\system32\sc.exe
  sc stop "LTSvcMon"
  2⤵
  PID:4200
- C:\Windows\system32\sc.exe
  sc stop "LTService"
  2⤵
  PID:2920
- C:\Windows\system32\sc.exe
  sc stop "LMIGuardianSvc"
  2⤵
  PID:4780
- C:\Windows\system32\sc.exe
  sc stop "CryptoPreventMonSvc"
  2⤵
  - Launches sc.exe
  PID:2968
- C:\Windows\system32\sc.exe
  sc stop "CryptoPreventFolderWatch"
  2⤵
  - Launches sc.exe
  PID:2228
- C:\Windows\system32\sc.exe
  sc stop "JTB FlexReport Report Service"
  2⤵
  PID:4556
- C:\Windows\system32\sc.exe
  sc stop "JTB FlexReport Core Service"
  2⤵
  PID:4272
- C:\Windows\system32\sc.exe
  sc stop "VRLService"
  2⤵
  PID:3508
- C:\Windows\system32\sc.exe
  sc stop "Undelete"
  2⤵
  - Launches sc.exe
  PID:2408
- C:\Windows\system32\sc.exe
  sc stop "TDService"
  2⤵
  PID:4388
- C:\Windows\system32\sc.exe
  sc stop "sd5"
  2⤵
  PID:2012
- C:\Windows\system32\sc.exe
  sc stop "hasplms"
  2⤵
  PID:1908
- C:\Windows\system32\sc.exe
  sc stop "Apache2.2"
  2⤵
  PID:448
- C:\Windows\system32\sc.exe
  sc stop "1C:Enterprise 8.3 Server Agent"
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "muxencode"
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WordChannel"
  2⤵
  PID:1608
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Windows PowerShell"
  2⤵
  PID:956
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Windows Networking Vpn Plugin Platform/OperationalVerbose"
  2⤵
  PID:1068
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Windows Networking Vpn Plugin Platform/Operational"
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WMPSetup"
  2⤵
  PID:1864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WINDOWS_wmvdecod_CHANNEL"
  2⤵
  PID:4832
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WINDOWS_WMPHOTO_CHANNEL"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WINDOWS_VC1ENC_CHANNEL"
  2⤵
  PID:3692
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WINDOWS_MSMPEG2VDEC_CHANNEL"
  2⤵
  PID:2864
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WINDOWS_MSMPEG2ADEC_CHANNEL"
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WINDOWS_MFH264Enc_CHANNEL"
  2⤵
  PID:880
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "WINDOWS_KS_CHANNEL"
  2⤵
  PID:2044
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "UIManager_Channel"
  2⤵
  PID:2568
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "TabletPC_InputPanel_Channel/IHM"
  2⤵
  PID:2756
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "TabletPC_InputPanel_Channel"
  2⤵
  PID:304
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "System"
  2⤵
  PID:964
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "SMSApi"
  2⤵
  PID:2920
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "RTWorkQueueTheading"
  2⤵
  PID:2968
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "RTWorkQueueExtended"
  2⤵
  PID:2960
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "Physical_Keyboard_Manager_Channel"
  2⤵
  PID:300
- C:\Windows\system32\wevtutil.exe
  WEVTUTIL CL "OpenSSH/Debug"
  2⤵
  - Clears Windows event logs
  PID:3560

C:\Windows\SYSTEM32\cmd.exe
C:\Windows\SYSTEM32\cmd.exe /c "c:\windows\temp\u.bat"
1⤵
PID:2544
- C:\Windows\system32\sc.exe
  sc start vss
  2⤵
  PID:4624
- C:\Windows\system32\timeout.exe
  timeout /T 5
  2⤵
  - Delays execution with timeout.exe
  PID:2896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\temp\u.bat

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit