ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
150s
max time network
157s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-01-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

1.4MB
MD5

1e56e3201f99af1f63c3b95b6d05d64f
SHA1

f5d32ac198ed52ded940ff5fffb1f513bb2b607f
SHA256

b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666
SHA512

36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83
SSDEEP

24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS

Score

9^/10

discovery evasion persistence ransomware spyware stealer

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
50076	wevtutil.exe
49904	wevtutil.exe
58256	wevtutil.exe
110436	wevtutil.exe
50124	wevtutil.exe
65984	wevtutil.exe
5984	wevtutil.exe
5984	wevtutil.exe
110564	wevtutil.exe
16928	wevtutil.exe
45988	wevtutil.exe
50100	wevtutil.exe
58124	wevtutil.exe
106096	wevtutil.exe
110252	wevtutil.exe
6220	wevtutil.exe
5560	wevtutil.exe
50028	wevtutil.exe
50464	wevtutil.exe
50936	wevtutil.exe
58160	wevtutil.exe
94148	wevtutil.exe
106108	wevtutil.exe
112432	wevtutil.exe
41868	wevtutil.exe
41968	wevtutil.exe
46068	wevtutil.exe
50152	wevtutil.exe
50144	wevtutil.exe
94060	wevtutil.exe
111084	wevtutil.exe
114168	wevtutil.exe
6416	wevtutil.exe
5620	wevtutil.exe
53976	wevtutil.exe
58496	wevtutil.exe
5788	wevtutil.exe
27888	wevtutil.exe
53936	wevtutil.exe
53988	wevtutil.exe
114104	wevtutil.exe
50164	wevtutil.exe
53300	wevtutil.exe
54196	wevtutil.exe
94096	wevtutil.exe
94084	wevtutil.exe
114388	wevtutil.exe
58184	wevtutil.exe
58244	wevtutil.exe
94172	wevtutil.exe
94084	wevtutil.exe
49188	wevtutil.exe
94084	wevtutil.exe
94160	wevtutil.exe
91016	wevtutil.exe
110156	wevtutil.exe
114396	wevtutil.exe
6428	wevtutil.exe
5652	wevtutil.exe
46048	wevtutil.exe
49932	wevtutil.exe
49968	wevtutil.exe
114252	wevtutil.exe
114300	wevtutil.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	svchost.exe
File opened (read-only)	\??\f:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\logg.bat	svchost.exe
File opened for modification	\??\c:\windows\logg.bat	svchost.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2084	sc.exe
133084	sc.exe
133112	sc.exe
2808	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2728	vssadmin.exe
2868	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3068	svchost.exe
3068	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe
2740	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	svchost.exe
Token: SeRestorePrivilege	3068	svchost.exe
Token: SeBackupPrivilege	3068	svchost.exe
Token: SeTakeOwnershipPrivilege	3068	svchost.exe
Token: SeBackupPrivilege	3068	svchost.exe
Token: SeAuditPrivilege	3068	svchost.exe
Token: SeSecurityPrivilege	3068	svchost.exe
Token: SeSecurityPrivilege	5568	wevtutil.exe
Token: SeBackupPrivilege	5568	wevtutil.exe
Token: SeBackupPrivilege	5588	vssvc.exe
Token: SeRestorePrivilege	5588	vssvc.exe
Token: SeAuditPrivilege	5588	vssvc.exe
Token: SeSecurityPrivilege	5620	wevtutil.exe
Token: SeBackupPrivilege	5620	wevtutil.exe
Token: SeSecurityPrivilege	5652	wevtutil.exe
Token: SeBackupPrivilege	5652	wevtutil.exe
Token: SeSecurityPrivilege	5700	wevtutil.exe
Token: SeBackupPrivilege	5700	wevtutil.exe
Token: SeSecurityPrivilege	5716	wevtutil.exe
Token: SeBackupPrivilege	5716	wevtutil.exe
Token: SeSecurityPrivilege	5740	wevtutil.exe
Token: SeBackupPrivilege	5740	wevtutil.exe
Token: SeSecurityPrivilege	5752	wevtutil.exe
Token: SeBackupPrivilege	5752	wevtutil.exe
Token: SeSecurityPrivilege	5764	wevtutil.exe
Token: SeBackupPrivilege	5764	wevtutil.exe
Token: SeSecurityPrivilege	5776	wevtutil.exe
Token: SeBackupPrivilege	5776	wevtutil.exe
Token: SeSecurityPrivilege	5788	wevtutil.exe
Token: SeBackupPrivilege	5788	wevtutil.exe
Token: SeSecurityPrivilege	5804	wevtutil.exe
Token: SeBackupPrivilege	5804	wevtutil.exe
Token: SeSecurityPrivilege	5816	wevtutil.exe
Token: SeBackupPrivilege	5816	wevtutil.exe
Token: SeSecurityPrivilege	5828	wevtutil.exe
Token: SeBackupPrivilege	5828	wevtutil.exe
Token: SeSecurityPrivilege	5840	wevtutil.exe
Token: SeBackupPrivilege	5840	wevtutil.exe
Token: SeSecurityPrivilege	5852	wevtutil.exe
Token: SeBackupPrivilege	5852	wevtutil.exe
Token: SeSecurityPrivilege	5872	wevtutil.exe
Token: SeBackupPrivilege	5872	wevtutil.exe
Token: SeSecurityPrivilege	5884	wevtutil.exe
Token: SeBackupPrivilege	5884	wevtutil.exe
Token: SeSecurityPrivilege	5900	wevtutil.exe
Token: SeBackupPrivilege	5900	wevtutil.exe
Token: SeSecurityPrivilege	5916	wevtutil.exe
Token: SeBackupPrivilege	5916	wevtutil.exe
Token: SeSecurityPrivilege	5928	wevtutil.exe
Token: SeBackupPrivilege	5928	wevtutil.exe
Token: SeSecurityPrivilege	5940	wevtutil.exe
Token: SeBackupPrivilege	5940	wevtutil.exe
Token: SeSecurityPrivilege	5952	wevtutil.exe
Token: SeBackupPrivilege	5952	wevtutil.exe
Token: SeSecurityPrivilege	5968	wevtutil.exe
Token: SeBackupPrivilege	5968	wevtutil.exe
Token: SeSecurityPrivilege	5984	wevtutil.exe
Token: SeBackupPrivilege	5984	wevtutil.exe
Token: SeSecurityPrivilege	5996	wevtutil.exe
Token: SeBackupPrivilege	5996	wevtutil.exe
Token: SeSecurityPrivilege	6008	wevtutil.exe
Token: SeBackupPrivilege	6008	wevtutil.exe
Token: SeSecurityPrivilege	13684	wevtutil.exe
Token: SeBackupPrivilege	13684	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2084	3068	svchost.exe	30
PID 3068 wrote to memory of 2084	3068	svchost.exe	30
PID 3068 wrote to memory of 2084	3068	svchost.exe	30
PID 3068 wrote to memory of 2696	3068	svchost.exe	31
PID 3068 wrote to memory of 2696	3068	svchost.exe	31
PID 3068 wrote to memory of 2696	3068	svchost.exe	31
PID 3068 wrote to memory of 2728	3068	svchost.exe	32
PID 3068 wrote to memory of 2728	3068	svchost.exe	32
PID 3068 wrote to memory of 2728	3068	svchost.exe	32
PID 2696 wrote to memory of 5552	2696	cmd.exe	35
PID 2696 wrote to memory of 5552	2696	cmd.exe	35
PID 2696 wrote to memory of 5552	2696	cmd.exe	35
PID 5552 wrote to memory of 5568	5552	cmd.exe	36
PID 5552 wrote to memory of 5568	5552	cmd.exe	36
PID 5552 wrote to memory of 5568	5552	cmd.exe	36
PID 2696 wrote to memory of 5620	2696	cmd.exe	38
PID 2696 wrote to memory of 5620	2696	cmd.exe	38
PID 2696 wrote to memory of 5620	2696	cmd.exe	38
PID 2696 wrote to memory of 5652	2696	cmd.exe	39
PID 2696 wrote to memory of 5652	2696	cmd.exe	39
PID 2696 wrote to memory of 5652	2696	cmd.exe	39
PID 2696 wrote to memory of 5700	2696	cmd.exe	41
PID 2696 wrote to memory of 5700	2696	cmd.exe	41
PID 2696 wrote to memory of 5700	2696	cmd.exe	41
PID 2696 wrote to memory of 5716	2696	cmd.exe	42
PID 2696 wrote to memory of 5716	2696	cmd.exe	42
PID 2696 wrote to memory of 5716	2696	cmd.exe	42
PID 2696 wrote to memory of 5740	2696	cmd.exe	43
PID 2696 wrote to memory of 5740	2696	cmd.exe	43
PID 2696 wrote to memory of 5740	2696	cmd.exe	43
PID 2696 wrote to memory of 5752	2696	cmd.exe	44
PID 2696 wrote to memory of 5752	2696	cmd.exe	44
PID 2696 wrote to memory of 5752	2696	cmd.exe	44
PID 2696 wrote to memory of 5764	2696	cmd.exe	45
PID 2696 wrote to memory of 5764	2696	cmd.exe	45
PID 2696 wrote to memory of 5764	2696	cmd.exe	45
PID 2696 wrote to memory of 5776	2696	cmd.exe	46
PID 2696 wrote to memory of 5776	2696	cmd.exe	46
PID 2696 wrote to memory of 5776	2696	cmd.exe	46
PID 2696 wrote to memory of 5788	2696	cmd.exe	47
PID 2696 wrote to memory of 5788	2696	cmd.exe	47
PID 2696 wrote to memory of 5788	2696	cmd.exe	47
PID 2696 wrote to memory of 5804	2696	cmd.exe	48
PID 2696 wrote to memory of 5804	2696	cmd.exe	48
PID 2696 wrote to memory of 5804	2696	cmd.exe	48
PID 2696 wrote to memory of 5816	2696	cmd.exe	49
PID 2696 wrote to memory of 5816	2696	cmd.exe	49
PID 2696 wrote to memory of 5816	2696	cmd.exe	49
PID 2696 wrote to memory of 5828	2696	cmd.exe	50
PID 2696 wrote to memory of 5828	2696	cmd.exe	50
PID 2696 wrote to memory of 5828	2696	cmd.exe	50
PID 2696 wrote to memory of 5840	2696	cmd.exe	51
PID 2696 wrote to memory of 5840	2696	cmd.exe	51
PID 2696 wrote to memory of 5840	2696	cmd.exe	51
PID 2696 wrote to memory of 5852	2696	cmd.exe	52
PID 2696 wrote to memory of 5852	2696	cmd.exe	52
PID 2696 wrote to memory of 5852	2696	cmd.exe	52
PID 2696 wrote to memory of 5872	2696	cmd.exe	53
PID 2696 wrote to memory of 5872	2696	cmd.exe	53
PID 2696 wrote to memory of 5872	2696	cmd.exe	53
PID 2696 wrote to memory of 5884	2696	cmd.exe	54
PID 2696 wrote to memory of 5884	2696	cmd.exe	54
PID 2696 wrote to memory of 5884	2696	cmd.exe	54
PID 2696 wrote to memory of 5900	2696	cmd.exe	55

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\windows\system32\sc.exe
  "C:\windows\system32\sc.exe" create defser binpath= "C:\Users\Admin\AppData\Local\Temp\svchost.exe" start= auto
  2⤵
  - Launches sc.exe
  PID:2084
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Analytic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:5620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:5652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil el
      4⤵
      PID:5700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:5788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Internet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Key"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Media"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPipeline"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPlatform"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IE/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:5984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:13684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:13696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:13708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:13720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:13732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/EXE"
    3⤵
    PID:13752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/MSI"
    3⤵
    PID:13764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:13776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:13788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:13800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:13812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:13824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    - Clears Windows event logs
    PID:16928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:17704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:17720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:17736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:17748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:17764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:17776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:21724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:21736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication"
    3⤵
    PID:21748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:21760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Backup"
    3⤵
    PID:21772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    - Clears Windows event logs
    PID:27888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:28236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:37816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:41848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:41868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:41912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    - Clears Windows event logs
    PID:41968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:41980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:37824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:41848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:41868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:41912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:38432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:37816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:42020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:42668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:42956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:43668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:44212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:45032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:45648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:45960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:45972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    - Clears Windows event logs
    PID:45988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:46004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:46016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:46028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:46044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:46056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    - Clears Windows event logs
    PID:46068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:44732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:45904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:41968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:45960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:45972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:45988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:46004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:46016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:46036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    - Clears Windows event logs
    PID:46048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:46060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:46076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:45160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:45648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:45968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:45980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:5580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:45984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:5560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:2732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:46012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:46024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:46032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:46052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:46064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:46072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:45032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:45036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:45904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:45976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:45992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:45996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:5540
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:5564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:5532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:45988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:46004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:45976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:46604
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:47444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:48096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:48492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    - Clears Windows event logs
    PID:49188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:49692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:49908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:49920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    - Clears Windows event logs
    PID:49932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:49944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:49956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    - Clears Windows event logs
    PID:49968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:49980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:49992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:50004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:50016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:50028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:50040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:50052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:50064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    - Clears Windows event logs
    PID:50076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:50088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:50100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:50112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:50124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:50136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:50152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    - Clears Windows event logs
    PID:50164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:49192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:49900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:49916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:49928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:49940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:49952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:49964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:49976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:49988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:50000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:50024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:50012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:50036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:50048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    - Clears Windows event logs
    PID:49904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:50052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:50064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:50076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Folder"
    3⤵
    PID:50088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    - Clears Windows event logs
    PID:50100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:50112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:50124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:50136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HAL/Debug"
    3⤵
    - Clears Windows event logs
    PID:50152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:49188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:49692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:49912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:49920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:49932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:49944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:49956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:49968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:49980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:49992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:50004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:50016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKE/Operational"
    3⤵
    - Clears Windows event logs
    PID:50028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:50040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:50056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:50068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:50080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International/Operational"
    3⤵
    - Clears Windows event logs
    PID:50144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:50076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:50088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:49928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:50096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:49924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:50648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:50476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:50464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    - Clears Windows event logs
    PID:50936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:51164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:51176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:51704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:51848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:51964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:52220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:52520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:52428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:52904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:53104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    - Clears Windows event logs
    PID:53300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:53092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:53312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:53632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    - Clears Windows event logs
    PID:53936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:53948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    - Clears Windows event logs
    PID:53976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    - Clears Windows event logs
    PID:53988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Known"
    3⤵
    PID:54000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:54012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:54024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:54036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:54048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:54060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:54072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:54084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:54096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:54108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:54120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:54132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:54144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:54160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:54172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:54184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Debug"
    3⤵
    - Clears Windows event logs
    PID:54196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:54208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:54220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:54232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:54244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:54256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:54268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:53308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:53320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:53636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:53944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:53972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:53984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:53996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:54008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:54020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:54032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:54044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:54056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:54068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:54080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:54908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:57308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:57532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:57940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:57952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:57964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:57976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:57988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:58000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:58012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:58024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:58036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:58048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:58060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:58072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:58084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:58096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:58112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    - Clears Windows event logs
    PID:58124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:58136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:58148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:58160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:58172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:58184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:58196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:58208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:58220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:58232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    - Clears Windows event logs
    PID:58244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    - Clears Windows event logs
    PID:58256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:58268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:58280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:58292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:58304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:58316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:58328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:58340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:58352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:58364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:57308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:57948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:57956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteApp"
    3⤵
    - Clears Windows event logs
    PID:58496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:58508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    - Clears Windows event logs
    PID:65984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:73968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:73980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:73996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:77988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:78000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:78016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:81984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:86008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:86000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:90016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:90028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:90040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:90052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:94036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:94048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:94060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:94072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:94084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:94096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:94108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:94124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:94136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:94148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:94160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:94172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:94184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:94196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:91016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:90052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:94036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:94048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:94060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:94072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:94084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:94096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:94108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:94124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:94136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:94148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:94160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:94172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:94184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:94196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:91016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:90052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:94036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:94048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    - Clears Windows event logs
    PID:94060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:94072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:94084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:94096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:94108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:94124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:94136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:94148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    - Clears Windows event logs
    PID:94160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:94172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:94184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:94196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:91016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:90052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:94156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:90052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:94156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:95032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:95704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:96112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:96468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:98048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:98060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:98076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:98088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:98100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:98112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:98124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:98136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    - Clears Windows event logs
    PID:106096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    - Clears Windows event logs
    PID:106108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:106120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:110096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:110108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:110120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:110132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:110144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    - Clears Windows event logs
    PID:110156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:110168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:110180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:110192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:110204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:110216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:110228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:110240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    - Clears Windows event logs
    PID:110252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:110344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    - Clears Windows event logs
    PID:110436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:110464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:110476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:110552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:110184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:110772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    - Clears Windows event logs
    PID:111084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:111096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:111332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:111344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:111752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:111764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:111876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:112432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:112912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:113420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:114092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:114104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:114116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:114128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:114140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:114152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:114164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:114176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:114188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:114200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:114212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:114228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:114240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:114252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:114264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:114276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:114288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:114300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:114312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:114324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:114336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:114348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:114360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:114372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:114384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:114396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:114408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:114420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:114432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:114444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:114456
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:114468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:114480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:114492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:114504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:114516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:114528
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:114540
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:114552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:114564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:114576
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:114588
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:114600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:114612
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:114624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:114636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:114648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:114660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:114672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:114684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:114100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:114112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:114124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:114136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    - Clears Windows event logs
    PID:110564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:114144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:114160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:114168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:114180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:114192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:114204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:114216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:114232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:114244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:114260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:114268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:114284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:114292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:114304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:114316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:114328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "OAlerts"
    3⤵
    PID:114340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Security"
    3⤵
    PID:114352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Setup"
    3⤵
    PID:114364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "System"
    3⤵
    PID:114376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "TabletPC_InputPanel_Channel"
    3⤵
    - Clears Windows event logs
    PID:114388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:114396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:114408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:114420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WMPSetup"
    3⤵
    PID:114432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WMPSyncEngine"
    3⤵
    PID:114444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Windows"
    3⤵
    PID:114544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:114656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "muxencode"
    3⤵
    PID:114384
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2728
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" delete defser
  2⤵
  - Launches sc.exe
  PID:133084
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" create defser binpath= "C:\Users\Admin\AppData\Local\Temp\svchost.exe" start= auto
  2⤵
  - Launches sc.exe
  PID:133112
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" start defser
  2⤵
  - Launches sc.exe
  PID:2808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5588

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2740
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2868
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  PID:2704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Analytic"
    3⤵
    PID:5720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"
    3⤵
    PID:5760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DebugChannel"
    3⤵
    PID:5792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "ForwardedEvents"
    3⤵
    PID:5880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"
    3⤵
    PID:5888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "EndpointMapper"
    3⤵
    PID:5856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Els_Hyphenation/Analytic"
    3⤵
    PID:5844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowPluginControl"
    3⤵
    PID:5836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowFilterGraph"
    3⤵
    PID:5808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Internet"
    3⤵
    PID:5916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Key"
    3⤵
    PID:5956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPipeline"
    3⤵
    PID:6148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformance"
    3⤵
    PID:5996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPlatform"
    3⤵
    PID:6160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:6172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:6184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:6220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:6244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:6256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:6232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:6208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:6196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDeviceProxy"
    3⤵
    - Clears Windows event logs
    PID:5984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Media"
    3⤵
    PID:5800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:5972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:6292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:6320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:6332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:6400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppID/Operational"
    3⤵
    - Clears Windows event logs
    PID:6416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/EXE"
    3⤵
    - Clears Windows event logs
    PID:6428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/MSI"
    3⤵
    PID:6440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:6452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:6464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:6476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:6488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:6500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:10544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:14612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil el
1⤵
PID:5652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\res\st

Filesize
14B

MD5
f4bfd795a8c2874236f751664437aec0

SHA1
cf985b4afeb3743128020a72868683cbb2673064

SHA256
6457e01a13a6b6319578322a1c67b19e82054474108f5bbebc9805068bfb8b81

SHA512
4268acdc55c4f6119bd0935858b9f3ca6e9163a2898c52dccdd261091f052bb80a3bebb09c7cadbe84a05c70f3fd3cc8a9adeb41c6663ebbc824e79834cab55e

Download Submit
F:\Ranger3X\12264550804s

Filesize
2KB

MD5
d685460c46677efbad39661a3ec2914e

SHA1
59f1395ede86a1bc7e75b0648d25544a0e7e27b2

SHA256
85af038b0b2dff434d436c9d8bc50c3a64be2584b1072ab91118b091f4aec00f

SHA512
71218ecacb2ad6b4d0f9fda20d82d543977f3482af7923f81eced1c8a4acdb1a86f05b195131e287b22378afb6d868745aa55f87ff712e5e97ae1652641a9748

Download Submit
F:\Ranger3X\13092707759o

Filesize
2KB

MD5
50a25234646c00bba6de01006e710800

SHA1
1d66f76f37dc0326353b9624e3934f3be390dfe8

SHA256
e447b53be643c76bf22de94711b568832df67a1f8f037c4b130d90a8aee498c2

SHA512
67a06af377e53074f5aaafa86712c4c3e54b449dd2334aab2dee49e96d51ddb672cb1461a17dcee395b3a0182d3ebd498e30d00e6c2d55676a077aeb29c1e731

Download Submit
F:\Ranger3X\13092707759o

Filesize
4KB

MD5
a2c740686f1ca52f4a2634665826cda8

SHA1
599979173fead9c1641af6b1948b97c36a79d8b8

SHA256
f25c8a2bd33949635bc6997c67bf23d9579e6a93286905543611f22a9aba5d39

SHA512
88233e3ed42fee759217dc0543825b5f4bc3dcbd7c500ef545b2dd676ec522dd8e1755ca0c650bda780188c439efc43aeafb703e1ddced54d164860f2cacb7bb

Download Submit
\??\c:\programdata\res\hds

Filesize
20B

MD5
d4fccf75314d07d54a5ce1e4864aabeb

SHA1
a620e8437b5f320838d2b6ad6441fca8d442140b

SHA256
03f80e151c85ffe6787f9c15bcc02d23d77cb726434fc9a2b1b4f4a6de2df24c

SHA512
62f86626b4daef264078291d51a441eea93b0ae74eb162ae7cb8fbeff2c8323a6ab285f118433d4ea0f564b68475e42e13d03317ec6d3b8fd36a0965853d3543

Download Submit
\??\c:\users\admin\appdata\local\temp\mscore.dll

Filesize
558B

MD5
1a79a5a4b50f902ec488618a063b4eb1

SHA1
21893362a4d68a10fdcc4dcdbbead807c5fc0167

SHA256
9f640c504680f00fc0f3538f360ff7ed0d0299b2f747730c478382359553e3be

SHA512
9a9369ea8a70ac1d22b2872bc75ef69aedc6a56da9199eb52b9ce80acbfd4445fae322f8e222e03cebfc30142bea2f9450b02e18ceec5a38129ffb558a26dedc

Download Submit
\??\c:\windows\logg.bat

Filesize
50B

MD5
837f9483a4d9fb834d75537beb1c9488

SHA1
7421df5e92fbd2ef04eac5ede4397e4b87a3b7c2

SHA256
ec64e2a730d0e32ff61a98f34ffdda69ea172234f8f432b95766e38c0f898e2d

SHA512
37aa585177f560cd8d7b60303e820a7fa08f1a73d5fb79a6bae1f2c14e11d0f2d573059eb4e5c4bccb5021b336531d1eb3076a357b75a02c56570585a271cc69

Download Submit