ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 14:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

1.4MB
MD5

1e56e3201f99af1f63c3b95b6d05d64f
SHA1

f5d32ac198ed52ded940ff5fffb1f513bb2b607f
SHA256

b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666
SHA512

36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83
SSDEEP

24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS

Score

9^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
8044	wevtutil.exe
12280	wevtutil.exe
60192	wevtutil.exe
60376	wevtutil.exe
122100	wevtutil.exe
13588	Process not Found
232	wevtutil.exe
44328	wevtutil.exe
52216	wevtutil.exe
124456	Process not Found
72336	wevtutil.exe
116176	wevtutil.exe
124296	Process not Found
124532	Process not Found
8820	Process not Found
8040	wevtutil.exe
12104	wevtutil.exe
68224	wevtutil.exe
68344	wevtutil.exe
72208	wevtutil.exe
72508	wevtutil.exe
112580	wevtutil.exe
12220	wevtutil.exe
71560	wevtutil.exe
112248	wevtutil.exe
120636	wevtutil.exe
128624	Process not Found
8660	Process not Found
12168	wevtutil.exe
72408	wevtutil.exe
116240	wevtutil.exe
18448	Process not Found
12160	wevtutil.exe
12276	wevtutil.exe
15540	wevtutil.exe
20352	wevtutil.exe
64380	wevtutil.exe
64324	wevtutil.exe
100168	wevtutil.exe
18480	Process not Found
20368	wevtutil.exe
64232	wevtutil.exe
100012	wevtutil.exe
124720	Process not Found
124360	Process not Found
13948	Process not Found
124816	Process not Found
64212	wevtutil.exe
61172	wevtutil.exe
71852	wevtutil.exe
72192	wevtutil.exe
114984	wevtutil.exe
122704	wevtutil.exe
124376	Process not Found
8576	Process not Found
108212	wevtutil.exe
119136	wevtutil.exe
120236	wevtutil.exe
128316	Process not Found
7604	wevtutil.exe
12112	wevtutil.exe
80036	wevtutil.exe
122516	wevtutil.exe
126568	Process not Found

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2398549320-3657759451-817663969-1000\desktop.ini	Process not Found

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\f:	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\logg.bat	svchost.exe
File opened for modification	\??\c:\windows\logg.bat	Process not Found

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4076	sc.exe
135108	Process not Found
135156	Process not Found
3796	Process not Found

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
4932	vssadmin.exe
1832	Process not Found

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1136	svchost.exe
1136	svchost.exe
1136	svchost.exe
928	Process not Found
928	Process not Found
928	Process not Found
928	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1136	svchost.exe
Token: SeRestorePrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeTakeOwnershipPrivilege	1136	svchost.exe
Token: SeBackupPrivilege	1136	svchost.exe
Token: SeAuditPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	1136	svchost.exe
Token: SeSecurityPrivilege	7908	wevtutil.exe
Token: SeBackupPrivilege	7908	wevtutil.exe
Token: SeBackupPrivilege	7896	vssvc.exe
Token: SeRestorePrivilege	7896	vssvc.exe
Token: SeAuditPrivilege	7896	vssvc.exe
Token: SeSecurityPrivilege	7984	wevtutil.exe
Token: SeBackupPrivilege	7984	wevtutil.exe
Token: SeSecurityPrivilege	8044	wevtutil.exe
Token: SeBackupPrivilege	8044	wevtutil.exe
Token: SeSecurityPrivilege	8104	wevtutil.exe
Token: SeBackupPrivilege	8104	wevtutil.exe
Token: SeSecurityPrivilege	8188	wevtutil.exe
Token: SeBackupPrivilege	8188	wevtutil.exe
Token: SeSecurityPrivilege	7876	wevtutil.exe
Token: SeBackupPrivilege	7876	wevtutil.exe
Token: SeSecurityPrivilege	7984	wevtutil.exe
Token: SeBackupPrivilege	7984	wevtutil.exe
Token: SeSecurityPrivilege	8040	wevtutil.exe
Token: SeBackupPrivilege	8040	wevtutil.exe
Token: SeSecurityPrivilege	8148	wevtutil.exe
Token: SeBackupPrivilege	8148	wevtutil.exe
Token: SeSecurityPrivilege	292	wevtutil.exe
Token: SeBackupPrivilege	292	wevtutil.exe
Token: SeSecurityPrivilege	7884	wevtutil.exe
Token: SeBackupPrivilege	7884	wevtutil.exe
Token: SeSecurityPrivilege	7604	wevtutil.exe
Token: SeBackupPrivilege	7604	wevtutil.exe
Token: SeSecurityPrivilege	3212	wevtutil.exe
Token: SeBackupPrivilege	3212	wevtutil.exe
Token: SeSecurityPrivilege	7876	wevtutil.exe
Token: SeBackupPrivilege	7876	wevtutil.exe
Token: SeSecurityPrivilege	8048	wevtutil.exe
Token: SeBackupPrivilege	8048	wevtutil.exe
Token: SeSecurityPrivilege	8108	wevtutil.exe
Token: SeBackupPrivilege	8108	wevtutil.exe
Token: SeSecurityPrivilege	276	wevtutil.exe
Token: SeBackupPrivilege	276	wevtutil.exe
Token: SeSecurityPrivilege	300	wevtutil.exe
Token: SeBackupPrivilege	300	wevtutil.exe
Token: SeSecurityPrivilege	7848	wevtutil.exe
Token: SeBackupPrivilege	7848	wevtutil.exe
Token: SeSecurityPrivilege	7828	wevtutil.exe
Token: SeBackupPrivilege	7828	wevtutil.exe
Token: SeSecurityPrivilege	7944	wevtutil.exe
Token: SeBackupPrivilege	7944	wevtutil.exe
Token: SeSecurityPrivilege	8060	wevtutil.exe
Token: SeBackupPrivilege	8060	wevtutil.exe
Token: SeSecurityPrivilege	8104	wevtutil.exe
Token: SeBackupPrivilege	8104	wevtutil.exe
Token: SeSecurityPrivilege	280	wevtutil.exe
Token: SeBackupPrivilege	280	wevtutil.exe
Token: SeSecurityPrivilege	304	wevtutil.exe
Token: SeBackupPrivilege	304	wevtutil.exe
Token: SeSecurityPrivilege	4880	wevtutil.exe
Token: SeBackupPrivilege	4880	wevtutil.exe
Token: SeSecurityPrivilege	3012	wevtutil.exe
Token: SeBackupPrivilege	3012	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 4076	1136	svchost.exe	86
PID 1136 wrote to memory of 4076	1136	svchost.exe	86
PID 1136 wrote to memory of 4664	1136	svchost.exe	97
PID 1136 wrote to memory of 4664	1136	svchost.exe	97
PID 1136 wrote to memory of 4932	1136	svchost.exe	94
PID 1136 wrote to memory of 4932	1136	svchost.exe	94
PID 4664 wrote to memory of 7876	4664	cmd.exe	98
PID 4664 wrote to memory of 7876	4664	cmd.exe	98
PID 7876 wrote to memory of 7908	7876	cmd.exe	100
PID 7876 wrote to memory of 7908	7876	cmd.exe	100
PID 4664 wrote to memory of 7984	4664	cmd.exe	102
PID 4664 wrote to memory of 7984	4664	cmd.exe	102
PID 4664 wrote to memory of 8044	4664	cmd.exe	104
PID 4664 wrote to memory of 8044	4664	cmd.exe	104
PID 4664 wrote to memory of 8104	4664	cmd.exe	105
PID 4664 wrote to memory of 8104	4664	cmd.exe	105
PID 4664 wrote to memory of 8188	4664	cmd.exe	107
PID 4664 wrote to memory of 8188	4664	cmd.exe	107
PID 4664 wrote to memory of 7876	4664	cmd.exe	116
PID 4664 wrote to memory of 7876	4664	cmd.exe	116
PID 4664 wrote to memory of 7984	4664	cmd.exe	109
PID 4664 wrote to memory of 7984	4664	cmd.exe	109
PID 4664 wrote to memory of 8040	4664	cmd.exe	110
PID 4664 wrote to memory of 8040	4664	cmd.exe	110
PID 4664 wrote to memory of 8148	4664	cmd.exe	111
PID 4664 wrote to memory of 8148	4664	cmd.exe	111
PID 4664 wrote to memory of 292	4664	cmd.exe	112
PID 4664 wrote to memory of 292	4664	cmd.exe	112
PID 4664 wrote to memory of 7884	4664	cmd.exe	113
PID 4664 wrote to memory of 7884	4664	cmd.exe	113
PID 4664 wrote to memory of 7604	4664	cmd.exe	114
PID 4664 wrote to memory of 7604	4664	cmd.exe	114
PID 4664 wrote to memory of 3212	4664	cmd.exe	115
PID 4664 wrote to memory of 3212	4664	cmd.exe	115
PID 4664 wrote to memory of 7876	4664	cmd.exe	116
PID 4664 wrote to memory of 7876	4664	cmd.exe	116
PID 4664 wrote to memory of 8048	4664	cmd.exe	117
PID 4664 wrote to memory of 8048	4664	cmd.exe	117
PID 4664 wrote to memory of 8108	4664	cmd.exe	118
PID 4664 wrote to memory of 8108	4664	cmd.exe	118
PID 4664 wrote to memory of 276	4664	cmd.exe	119
PID 4664 wrote to memory of 276	4664	cmd.exe	119
PID 4664 wrote to memory of 300	4664	cmd.exe	120
PID 4664 wrote to memory of 300	4664	cmd.exe	120
PID 4664 wrote to memory of 7848	4664	cmd.exe	121
PID 4664 wrote to memory of 7848	4664	cmd.exe	121
PID 4664 wrote to memory of 7828	4664	cmd.exe	122
PID 4664 wrote to memory of 7828	4664	cmd.exe	122
PID 4664 wrote to memory of 7944	4664	cmd.exe	123
PID 4664 wrote to memory of 7944	4664	cmd.exe	123
PID 4664 wrote to memory of 8060	4664	cmd.exe	124
PID 4664 wrote to memory of 8060	4664	cmd.exe	124
PID 4664 wrote to memory of 8104	4664	cmd.exe	125
PID 4664 wrote to memory of 8104	4664	cmd.exe	125
PID 4664 wrote to memory of 280	4664	cmd.exe	126
PID 4664 wrote to memory of 280	4664	cmd.exe	126
PID 4664 wrote to memory of 304	4664	cmd.exe	127
PID 4664 wrote to memory of 304	4664	cmd.exe	127
PID 4664 wrote to memory of 4880	4664	cmd.exe	128
PID 4664 wrote to memory of 4880	4664	cmd.exe	128
PID 4664 wrote to memory of 3012	4664	cmd.exe	129
PID 4664 wrote to memory of 3012	4664	cmd.exe	129
PID 4664 wrote to memory of 7872	4664	cmd.exe	130
PID 4664 wrote to memory of 7872	4664	cmd.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136
- C:\windows\system32\sc.exe
  "C:\windows\system32\sc.exe" create defser binpath= "C:\Users\Admin\AppData\Local\Temp\svchost.exe" start= auto
  2⤵
  - Launches sc.exe
  PID:4076
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:4932
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:7876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "AMSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "AirSpaceChannel"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:8044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowFilterGraph"
    3⤵
    PID:7876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Els_Hyphenation/Analytic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:8040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "FirstUXPerf-Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "General"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:7604
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "IHM_DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Internet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Key"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceMFT"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationFrameServer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MedaFoundationVideoProc"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MedaFoundationVideoProcD3D"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationAsyncWrapper"
    3⤵
    PID:7872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationContentProtection"
    3⤵
    PID:680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDS"
    3⤵
    PID:2352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDeviceProxy"
    3⤵
    PID:3520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationMP4"
    3⤵
    PID:7944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationMediaEngine"
    3⤵
    PID:8060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformance"
    3⤵
    PID:8104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformanceCore"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPipeline"
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPlatform"
    3⤵
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:7872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Debug"
    3⤵
    PID:8008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Operational"
    3⤵
    PID:3480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Virtual"
    3⤵
    PID:7944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:8060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:8104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:3932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:4752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:8176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:3624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:7828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:2352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:3520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:7984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:7988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:7848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:7872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:7944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:8060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:8104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:7876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:7828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:2352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:8108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:7944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:8060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:8148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:4752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:3624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:3480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/EXE"
    3⤵
    PID:8008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/MSI"
    3⤵
    PID:272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/Packaged"
    3⤵
    PID:3192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/Packaged"
    3⤵
    PID:4072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    PID:7988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:7884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:11192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:11208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:11724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:12100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:12116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:12132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:12148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:12164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:12180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:12196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:12212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:12232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:12248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:12264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:12280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:11716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:11736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:12108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:12120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:12136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:3136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:12160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:12176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:12192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:12208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:12224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:12244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:12260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:12276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:11212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:11716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:12100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:12152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:12168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:12220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:12256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:12272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:11720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:11724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:12124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:12184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:12240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:12264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication"
    3⤵
    PID:12280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:12104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    PID:12108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:12160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    - Clears Windows event logs
    PID:12168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    - Clears Windows event logs
    PID:12220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:12256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:12272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    PID:11720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    PID:11724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:12124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:12184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:12240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Backup"
    3⤵
    PID:12264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    - Clears Windows event logs
    PID:12280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    - Clears Windows event logs
    PID:12104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:12108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    - Clears Windows event logs
    PID:12160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:12168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:12220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:12256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:12272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker/BitLocker"
    3⤵
    PID:11720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker/BitLocker"
    3⤵
    PID:11732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:12124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:12184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:12216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:12260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    - Clears Windows event logs
    PID:12276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:12128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:11724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:12164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:12176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:12264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:12280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:12272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:12108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Catalog"
    3⤵
    PID:11720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:12484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:12536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:12708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:13176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:13664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:14112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:14364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:14380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    PID:14464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:14560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:14948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:14964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:15316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:15532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:15548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:15972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:16256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    PID:16272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:16288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:16308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:16324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:16340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:16356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:16376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:15536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:15552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:15980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:16260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    PID:16284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    PID:16300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:16320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:16336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:16352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:16340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:16360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:16380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    - Clears Windows event logs
    PID:15540
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:15548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:15972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:16272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:16288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:3100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:16316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:12756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:16332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:16344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:16340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:16360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:16380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:15540
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:15548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:15972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:16272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:16288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:3100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:3632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:2260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:16320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:16336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:16368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:15316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:15532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:16372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:16268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:16264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:16272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:16288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:15536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:2052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    - Clears Windows event logs
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:16680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    PID:17644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:18600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:18648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    PID:20204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:20220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:20232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:20248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:20264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:20280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    PID:20296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceGuard/Verbose"
    3⤵
    PID:20324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:20340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:20356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
    3⤵
    PID:20372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    PID:20388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    PID:20404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    PID:20420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:20436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:20452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:20468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
    3⤵
    PID:18652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:20208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:20228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    PID:20244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:20256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:20272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:20284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:20308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    PID:20352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:20368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:20384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:20400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:20416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:20432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:20448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:20464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:18812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:20216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:20224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:20236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:20252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:20312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:20256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:20272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:20284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:20308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    - Clears Windows event logs
    PID:20352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    - Clears Windows event logs
    PID:20368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:20384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:24224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:24240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:24256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:24272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:24288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:28236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:28272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:28288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:28304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:28320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D12/Analytic"
    3⤵
    PID:28336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D12/Logging"
    3⤵
    PID:32068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D12/PerfTiming"
    3⤵
    PID:32092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D9/Analytic"
    3⤵
    PID:32248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3DShaderCache/Default"
    3⤵
    PID:32316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectComposition/Diagnostic"
    3⤵
    PID:32340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectManipulation/Diagnostic"
    3⤵
    PID:32368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:32384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:32400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:32424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:32444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:36268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:40260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Api/Analytic"
    3⤵
    PID:44264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
    3⤵
    PID:44280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
    3⤵
    PID:44296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Cli/Analytic"
    3⤵
    PID:44312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    - Clears Windows event logs
    PID:44328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:44344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:44360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:44376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dot3MM/Diagnostic"
    3⤵
    PID:44392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:44408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DucUpdateAgent/Operational"
    3⤵
    PID:44424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-API/Diagnostic"
    3⤵
    PID:46012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Core/Diagnostic"
    3⤵
    PID:46216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
    3⤵
    PID:46572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
    3⤵
    PID:46588
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
    3⤵
    PID:46700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl-Admin"
    3⤵
    PID:46712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl-Operational"
    3⤵
    PID:51688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Contention"
    3⤵
    PID:52152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:52168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:52184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Power"
    3⤵
    PID:52200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    - Clears Windows event logs
    PID:52216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EDP-Application-Learning/Admin"
    3⤵
    PID:46712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
    3⤵
    PID:56152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
    3⤵
    PID:56316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:59276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ESE/IODiagnose"
    3⤵
    PID:60168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ESE/Operational"
    3⤵
    PID:60184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:60200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:60216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:60232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-RasChap/Operational"
    3⤵
    PID:60248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-RasTls/Operational"
    3⤵
    PID:60264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-Sim/Operational"
    3⤵
    PID:60280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-Ttls/Operational"
    3⤵
    PID:60296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:60312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
    3⤵
    PID:60328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
    3⤵
    PID:60344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
    3⤵
    PID:60360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:60376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:60392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:60408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:59280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:60172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    - Clears Windows event logs
    PID:60192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:60208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:60224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:60232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FeatureConfiguration/Analytic"
    3⤵
    PID:60276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FeatureConfiguration/Operational"
    3⤵
    PID:60292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Catalog/Debug"
    3⤵
    PID:60324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
    3⤵
    PID:60356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Core/Analytic"
    3⤵
    PID:60372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Engine/Analytic"
    3⤵
    PID:60392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Core/WHC"
    3⤵
    - Clears Windows event logs
    PID:60376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
    3⤵
    PID:60180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Core/Debug"
    3⤵
    PID:58880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Service/Analytic"
    3⤵
    PID:60208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Service/Debug"
    3⤵
    PID:60224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
    3⤵
    PID:60256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:60280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Folder"
    3⤵
    PID:60296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:60312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:60328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
    3⤵
    PID:60344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GenericRoaming/Admin"
    3⤵
    PID:60360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:60268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:60380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:60400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:60412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:60408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:60176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HelloForBusiness/Operational"
    3⤵
    PID:60188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:60204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-EventListener/Debug"
    3⤵
    PID:60192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
    3⤵
    PID:60172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Engine/Debug"
    3⤵
    PID:59280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:60220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:60244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:60252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:60232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:60288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:60272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotspotAuth/Analytic"
    3⤵
    PID:60300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotspotAuth/Operational"
    3⤵
    PID:60320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
    3⤵
    PID:60340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
    3⤵
    PID:60308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Log"
    3⤵
    PID:60328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
    3⤵
    PID:60376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:60344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
    3⤵
    PID:60196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
    3⤵
    PID:60192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
    3⤵
    PID:60172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
    3⤵
    PID:60224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
    3⤵
    PID:60208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
    3⤵
    PID:60264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-VID-Admin"
    3⤵
    PID:1032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
    3⤵
    PID:59276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
    3⤵
    PID:60392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:60280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IE-SmartScreen"
    3⤵
    PID:60292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:60324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-Broker/Analytic"
    3⤵
    PID:60340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-CandidateUI/Analytic"
    3⤵
    PID:60352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-VID-Analytic"
    3⤵
    PID:60256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
    3⤵
    PID:60372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
    3⤵
    PID:60396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPAPI/Analytic"
    3⤵
    PID:60228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPLMP/Analytic"
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPPRED/Analytic"
    3⤵
    PID:60304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPSetting/Analytic"
    3⤵
    PID:60316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-KRTIP/Analytic"
    3⤵
    PID:60288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-KRAPI/Analytic"
    3⤵
    PID:60304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
    3⤵
    PID:60516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPTIP/Analytic"
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-TCTIP/Analytic"
    3⤵
    PID:60684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPNAT/Diagnostic"
    3⤵
    PID:60916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:60932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPxlatCfg/Operational"
    3⤵
    PID:61168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPxlatCfg/Debug"
    3⤵
    PID:61152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-TIP/Analytic"
    3⤵
    PID:60700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-TCCORE/Analytic"
    3⤵
    PID:60532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IdCtrls/Analytic"
    3⤵
    PID:64176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IdCtrls/Operational"
    3⤵
    PID:64192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
    3⤵
    PID:64208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
    3⤵
    PID:64228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-InputSwitch/Diagnostic"
    3⤵
    PID:64244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:64264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:64284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:64300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:64316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KdsSvc/Operational"
    3⤵
    PID:64332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kerberos/Operational"
    3⤵
    PID:64348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:64364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-AppCompat/General"
    3⤵
    - Clears Windows event logs
    PID:64380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-AppCompat/Performance"
    3⤵
    PID:64396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
    3⤵
    PID:64412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
    3⤵
    PID:64428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
    3⤵
    PID:64444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:64460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Operational"
    3⤵
    PID:64476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:64492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:64508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:61168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:64176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:64192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-IO/Operational"
    3⤵
    - Clears Windows event logs
    PID:64212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:64232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
    3⤵
    PID:64252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
    3⤵
    PID:64272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-LiveDump/Operational"
    3⤵
    PID:64292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:64308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    - Clears Windows event logs
    PID:64324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
    3⤵
    PID:64340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
    3⤵
    PID:64352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Boot"
    3⤵
    PID:64372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:64388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:64404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Device"
    3⤵
    PID:64420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Driver"
    3⤵
    PID:64436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Driver"
    3⤵
    PID:64456
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:64472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:64488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:64504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:61172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:64188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:64200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:64276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    PID:64284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:64348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    PID:8064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:64476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:64492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:64196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:64496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:64576
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:64644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:65064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:65156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    PID:65628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KeyboardFilter/Admin"
    3⤵
    PID:65764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KeyboardFilter/Operational"
    3⤵
    PID:66352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KeyboardFilter/Performance"
    3⤵
    PID:66636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Known"
    3⤵
    PID:66652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:66904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:66920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:66988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:67300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LSA/Performance"
    3⤵
    PID:67316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:67376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:66996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:67312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:68160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:68176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    PID:68192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    PID:68208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LiveId/Analytic"
    3⤵
    - Clears Windows event logs
    PID:68224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:68240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:68260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:68280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:68296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:68312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:68328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    - Clears Windows event logs
    PID:68344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:68360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:68376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:68392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:68408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:68424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:68440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    PID:68460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    PID:68476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    PID:68492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:68508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:68524
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:68544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:68560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
    3⤵
    PID:68576
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:68592
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:67300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:68168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Minstore/Debug"
    3⤵
    PID:68184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    PID:68204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
    3⤵
    PID:68220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
    3⤵
    PID:68236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
    3⤵
    PID:68244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
    3⤵
    PID:68240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:68260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
    3⤵
    PID:68280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
    3⤵
    PID:68296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
    3⤵
    PID:68312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
    3⤵
    PID:68328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mprddm/Operational"
    3⤵
    PID:68368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:68380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:68400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:68416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:68432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:68448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:68468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:68488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:68504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:68520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ncasvc/Operational"
    3⤵
    PID:68600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
    3⤵
    PID:68208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NcdAutoSetup/Operational"
    3⤵
    PID:68224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NdisImPlatform/Operational"
    3⤵
    PID:69008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ndu/Diagnostic"
    3⤵
    PID:69152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:69168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-Connection-Broker"
    3⤵
    PID:69444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-DataUsage/Analytic"
    3⤵
    PID:69176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-Setup/Diagnostic"
    3⤵
    PID:69716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:69736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkBridge/Diagnostic"
    3⤵
    PID:70288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:70304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:70840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:70856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProvider/Operational"
    3⤵
    PID:71204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProvisioning/Analytic"
    3⤵
    - Clears Windows event logs
    PID:71560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProvisioning/Operational"
    3⤵
    - Clears Windows event logs
    PID:71852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkSecurity/Debug"
    3⤵
    PID:72124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkStatus/Analytic"
    3⤵
    PID:72140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:72156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:72192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    - Clears Windows event logs
    PID:72208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
    3⤵
    PID:72172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ntfs/Operational"
    3⤵
    PID:72224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ntfs/WHC"
    3⤵
    PID:72256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ntfs/Performance"
    3⤵
    PID:72240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLE/Clipboard-Performance"
    3⤵
    PID:72272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:72288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:72308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
    3⤵
    PID:72324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
    3⤵
    PID:72356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
    3⤵
    PID:72376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
    3⤵
    PID:72340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OcpUpdateAgent/Operational"
    3⤵
    PID:72412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:72428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
    3⤵
    PID:72396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:72444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:72460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:72476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneBackup/Debug"
    3⤵
    PID:72492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:72508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneX/Operational"
    3⤵
    PID:72524
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OtpCredentialProvider/Operational"
    3⤵
    PID:72556
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:72572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PackageStateRoaming/Analytic"
    3⤵
    PID:72588
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:72540
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PackageStateRoaming/Operational"
    3⤵
    PID:72620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PackageStateRoaming/Debug"
    3⤵
    PID:72604
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:72636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Partition/Analytic"
    3⤵
    PID:72652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Partition/Diagnostic"
    3⤵
    PID:72668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:72688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PerceptionRuntime/Operational"
    3⤵
    PID:71572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
    3⤵
    PID:71864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
    3⤵
    PID:72136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
    3⤵
    PID:72152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
    3⤵
    PID:72168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
    3⤵
    PID:1568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
    3⤵
    PID:72172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
    3⤵
    - Clears Windows event logs
    PID:72192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
    3⤵
    PID:72208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
    3⤵
    PID:72224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
    3⤵
    PID:72240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
    3⤵
    PID:72256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PhotoAcq/Analytic"
    3⤵
    PID:72276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PlayToManager/Analytic"
    3⤵
    PID:72296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Policy/Analytic"
    3⤵
    PID:72316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Policy/Operational"
    3⤵
    - Clears Windows event logs
    PID:72336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:72352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:72372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:12112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    PID:72388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:72408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
    3⤵
    PID:72424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
    3⤵
    PID:72440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
    3⤵
    PID:72456
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Admin"
    3⤵
    PID:72656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:72680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Debug"
    3⤵
    PID:1568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:72308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:72972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintBRM/Admin"
    3⤵
    PID:72988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService-USBMon/Debug"
    3⤵
    PID:76000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:76016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:80004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:80020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Privacy-Auditing/Operational"
    3⤵
    - Clears Windows event logs
    PID:80036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
    3⤵
    PID:80052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:80068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
    3⤵
    PID:80084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
    3⤵
    PID:80104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
    3⤵
    PID:80124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
    3⤵
    PID:80140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
    3⤵
    PID:80156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Proximity-Common/Diagnostic"
    3⤵
    PID:80176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Proximity-Common/Informational"
    3⤵
    PID:80192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-Developer/Debug"
    3⤵
    PID:80224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Proximity-Common/Performance"
    3⤵
    PID:80208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-InProc/Debug"
    3⤵
    PID:80240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-Platform/Admin"
    3⤵
    PID:80256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-Platform/Debug"
    3⤵
    PID:80272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-Platform/Operational"
    3⤵
    PID:80288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:80304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:80392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:80436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:80484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:80544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RRAS/Debug"
    3⤵
    PID:80624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RRAS/Operational"
    3⤵
    PID:80716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RadioManager/Analytic"
    3⤵
    PID:80732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
    3⤵
    PID:784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RasAgileVpn/Debug"
    3⤵
    PID:1132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RasAgileVpn/Operational"
    3⤵
    PID:12212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReFS/Operational"
    3⤵
    PID:80492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:83960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:83944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:80492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:83960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Regsvr32/Operational"
    3⤵
    PID:87968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteApp"
    3⤵
    PID:87988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteApp"
    3⤵
    PID:88004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:88016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:88816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:91988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:92004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
    3⤵
    PID:88828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:92184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
    3⤵
    PID:96000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
    3⤵
    PID:96016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
    3⤵
    PID:96032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
    3⤵
    PID:96048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
    3⤵
    PID:96488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
    3⤵
    PID:96668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
    3⤵
    PID:96876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:96972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:97352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:100000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:100016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RetailDemo/Admin"
    3⤵
    PID:100036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RetailDemo/Operational"
    3⤵
    PID:100052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Graphics/Analytic"
    3⤵
    PID:100072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
    3⤵
    PID:100088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Networking/Tracing"
    3⤵
    PID:100104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
    3⤵
    PID:100120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
    3⤵
    PID:100136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
    3⤵
    PID:100152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
    3⤵
    - Clears Windows event logs
    PID:100168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
    3⤵
    PID:100184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
    3⤵
    PID:100200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime/CreateInstance"
    3⤵
    PID:100216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime/Error"
    3⤵
    PID:100232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBClient/Analytic"
    3⤵
    PID:100248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
    3⤵
    PID:100264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
    3⤵
    PID:100280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBClient/Operational"
    3⤵
    PID:100296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBDirect/Admin"
    3⤵
    PID:100312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBDirect/Debug"
    3⤵
    PID:100012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBDirect/Netmon"
    3⤵
    PID:96676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Analytic"
    3⤵
    PID:100016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Audit"
    3⤵
    PID:100036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Connectivity"
    3⤵
    PID:100056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Diagnostic"
    3⤵
    PID:100284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Operational"
    3⤵
    - Clears Windows event logs
    PID:100012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Performance"
    3⤵
    PID:102744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Security"
    3⤵
    PID:102952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBWitnessClient/Admin"
    3⤵
    PID:104064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBWitnessClient/Informational"
    3⤵
    PID:108064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
    3⤵
    PID:108084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
    3⤵
    PID:108100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Schannel-Events/Perf"
    3⤵
    PID:108116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sdbus/Analytic"
    3⤵
    PID:108132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sdbus/Debug"
    3⤵
    PID:108148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sdstor/Analytic"
    3⤵
    PID:108164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:108180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:108196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SearchUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:108212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SearchUI/Operational"
    3⤵
    PID:108228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SecureAssessment/Operational"
    3⤵
    PID:108248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Adminless/Operational"
    3⤵
    PID:108264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:108520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:108536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
    3⤵
    PID:109080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
    3⤵
    PID:109768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
    3⤵
    PID:109908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:110296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-IdentityStore/Performance"
    3⤵
    PID:110312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
    3⤵
    PID:110448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Mitigations/KernelMode"
    3⤵
    PID:110752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Mitigations/UserMode"
    3⤵
    PID:111072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Netlogon/Operational"
    3⤵
    PID:111656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
    3⤵
    PID:112068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
    3⤵
    PID:112084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
    3⤵
    PID:112108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP-UX/Analytic"
    3⤵
    PID:112124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:112140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
    3⤵
    PID:112156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Vault/Performance"
    3⤵
    PID:112172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
    3⤵
    PID:112188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
    3⤵
    PID:112204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
    3⤵
    PID:112220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SendTo/Diagnostic"
    3⤵
    PID:112236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:112256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sensors/Debug"
    3⤵
    PID:112272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sensors/Performance"
    3⤵
    PID:112288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
    3⤵
    PID:112304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
    3⤵
    PID:112320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:112336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:112352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:112368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Servicing/Debug"
    3⤵
    PID:112384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-Azure/Debug"
    3⤵
    PID:112404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-Azure/Operational"
    3⤵
    PID:112420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
    3⤵
    PID:112436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
    3⤵
    PID:112452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
    3⤵
    PID:112468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync/Analytic"
    3⤵
    PID:112484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync/Debug"
    3⤵
    PID:112500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync/Operational"
    3⤵
    PID:112516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync/VerboseDebug"
    3⤵
    PID:112532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:112548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:112564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupPlatform/Analytic"
    3⤵
    PID:112580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:112596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:112612
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:112628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
    3⤵
    PID:111660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:112072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:112088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:112116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
    3⤵
    PID:112132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:112144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
    3⤵
    PID:112164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:112180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
    3⤵
    PID:112196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/ActionCenter"
    3⤵
    PID:112212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/AppDefaults"
    3⤵
    PID:112232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:112248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
    3⤵
    PID:112268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/Operational"
    3⤵
    PID:112284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:112300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
    3⤵
    PID:112316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
    3⤵
    PID:112332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:112348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:112364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
    3⤵
    PID:112380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
    3⤵
    PID:112396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:112416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SleepStudy/Diagnostic"
    3⤵
    PID:112432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartCard-Audit/Authentication"
    3⤵
    PID:112448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
    3⤵
    PID:112464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
    3⤵
    PID:112480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
    3⤵
    PID:112496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartScreen/Debug"
    3⤵
    PID:112512
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmbClient/Audit"
    3⤵
    - Clears Windows event logs
    PID:112580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmbClient/Connectivity"
    3⤵
    PID:112596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmbClient/Diagnostic"
    3⤵
    PID:112084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmbClient/Security"
    3⤵
    PID:112176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:112232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:112248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:112268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Spellchecking-Host/Analytic"
    3⤵
    PID:112580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SruMon/Diagnostic"
    3⤵
    PID:112676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SrumTelemetry"
    3⤵
    PID:112692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StateRepository/Debug"
    3⤵
    PID:112792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StateRepository/Diagnostic"
    3⤵
    PID:112992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StateRepository/Operational"
    3⤵
    PID:113104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StateRepository/Restricted"
    3⤵
    PID:113488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:113628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:113912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Admin"
    3⤵
    PID:114056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Analytic"
    3⤵
    PID:114432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Debug"
    3⤵
    PID:114448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
    3⤵
    PID:114660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Operational"
    3⤵
    PID:114676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Admin"
    3⤵
    PID:114776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
    3⤵
    - Clears Windows event logs
    PID:114984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Debug"
    3⤵
    PID:115112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
    3⤵
    PID:115792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Operational"
    3⤵
    PID:115808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Admin"
    3⤵
    PID:116056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Analytic"
    3⤵
    PID:116072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Debug"
    3⤵
    PID:116144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Diagnose"
    3⤵
    PID:116160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Operational"
    3⤵
    - Clears Windows event logs
    PID:116176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Admin"
    3⤵
    PID:116192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Analytic"
    3⤵
    PID:116208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Debug"
    3⤵
    PID:116224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Diagnose"
    3⤵
    - Clears Windows event logs
    PID:116240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Health"
    3⤵
    PID:116256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Operational"
    3⤵
    PID:116272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
    3⤵
    PID:116288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Tiering/Admin"
    3⤵
    PID:116304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageManagement/Debug"
    3⤵
    PID:116324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageManagement/Operational"
    3⤵
    PID:116340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSettings/Diagnostic"
    3⤵
    PID:116356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
    3⤵
    PID:116372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
    3⤵
    PID:116392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
    3⤵
    PID:116408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
    3⤵
    PID:116424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
    3⤵
    PID:116440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
    3⤵
    PID:116456
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Store/Operational"
    3⤵
    PID:116472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storsvc/Diagnostic"
    3⤵
    PID:116488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:116504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:116520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:116536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/PfApLog"
    3⤵
    PID:116552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:116568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sysmon/Operational"
    3⤵
    PID:116584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:116600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
    3⤵
    PID:116616
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
    3⤵
    PID:116632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
    3⤵
    PID:116652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
    3⤵
    PID:116668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
    3⤵
    PID:116684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:116700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TCPIP/Operational"
    3⤵
    PID:116724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:115804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:115820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:116068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:116084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TTS/Diagnostic"
    3⤵
    PID:116156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TWinAPI/Diagnostic"
    3⤵
    PID:116172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TWinUI/Diagnostic"
    3⤵
    PID:116188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TWinUI/Operational"
    3⤵
    PID:113008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZSync/Analytic"
    3⤵
    PID:116192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZSync/Operational"
    3⤵
    PID:116208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:116224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:116240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:116256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Maintenance"
    3⤵
    PID:116272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:116288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:116304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:116324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:116340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:116356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:116376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:116480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:116536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:116648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:116632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:116716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:115112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:116660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:116800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:116816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-Printers/Admin"
    3⤵
    PID:117016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
    3⤵
    PID:117428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-Printers/Debug"
    3⤵
    PID:117444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-Printers/Operational"
    3⤵
    PID:117648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:117808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:118076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:118416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:118696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:118800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:119008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    - Clears Windows event logs
    PID:119136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:119332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:119376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:119928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:120120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:120136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:120152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Tethering-Manager/Analytic"
    3⤵
    PID:120168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Tethering-Station/Analytic"
    3⤵
    PID:120188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:120204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:120220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Threat-Intelligence/Analytic"
    3⤵
    PID:120236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
    3⤵
    PID:120252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Time-Service/Operational"
    3⤵
    PID:120268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
    3⤵
    PID:120284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
    3⤵
    PID:120300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:120316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:120332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:120348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UI-Shell/Diagnostic"
    3⤵
    PID:120364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:120380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:120396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:120412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:120428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:120444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
    3⤵
    PID:120460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-UCX-Analytic"
    3⤵
    PID:120476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:120492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBHUB3-Analytic"
    3⤵
    PID:120508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:120524
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBXHCI-Analytic"
    3⤵
    PID:120540
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
    3⤵
    PID:120556
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
    3⤵
    PID:120572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:120588
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:120604
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:120620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    - Clears Windows event logs
    PID:120636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:120652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:120668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:120688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:120704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:120720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User-Loader/Operational"
    3⤵
    PID:120736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserAccountControl/Diagnostic"
    3⤵
    PID:120752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:120768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/ActionCenter"
    3⤵
    PID:120784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceInstall"
    3⤵
    PID:120800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:120820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:119376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:119928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UxInit/Diagnostic"
    3⤵
    PID:120120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:120136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:120152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:120168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VHDMP-Analytic"
    3⤵
    PID:120188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VHDMP-Operational"
    3⤵
    PID:120204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VIRTDISK-Analytic"
    3⤵
    PID:120220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VPN-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:120236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VPN/Operational"
    3⤵
    PID:120252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:120268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
    3⤵
    PID:120284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
    3⤵
    PID:120300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Volume/Diagnostic"
    3⤵
    PID:120316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:120332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
    3⤵
    PID:120348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:120364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:120408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:120424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WCNWiz/Analytic"
    3⤵
    PID:120440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WEPHOSTSVC/Operational"
    3⤵
    PID:120508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WER-PayloadHealth/Operational"
    3⤵
    PID:120528
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:120672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:120692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:120736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:120176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-Driver/Analytic"
    3⤵
    PID:120424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
    3⤵
    PID:120440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:120436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Debug"
    3⤵
    PID:120532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Operational"
    3⤵
    PID:121008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:121116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:121172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:121304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:121656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-Service/Operational"
    3⤵
    PID:121672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:121876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-API/Analytic"
    3⤵
    - Clears Windows event logs
    PID:122100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:122380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    - Clears Windows event logs
    PID:122516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    - Clears Windows event logs
    PID:122704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:122764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPBT/Analytic"
    3⤵
    PID:123008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
    3⤵
    PID:123136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:123316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPIP/Analytic"
    3⤵
    PID:123532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPUS/Analytic"
    3⤵
    PID:123552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:123136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\res\st

Filesize
14B

MD5
f4bfd795a8c2874236f751664437aec0

SHA1
cf985b4afeb3743128020a72868683cbb2673064

SHA256
6457e01a13a6b6319578322a1c67b19e82054474108f5bbebc9805068bfb8b81

SHA512
4268acdc55c4f6119bd0935858b9f3ca6e9163a2898c52dccdd261091f052bb80a3bebb09c7cadbe84a05c70f3fd3cc8a9adeb41c6663ebbc824e79834cab55e

Download Submit
F:\Ranger3X\1548100752o

Filesize
2KB

MD5
8475070a5ee4f0487884f36cd3c2df48

SHA1
2420030de15d8f92bc36d64b01362a7370c7b486

SHA256
68824ee4d4010f6d461f2262009684b65a00f961376d7014addaab92aff0eeee

SHA512
dbd3d561c2f53192771e85136a0eff35118de56bd7d76d45e48138071eaa5131f8820616eabfc278103b5a13e8bf91b922b2577be8b3f417854a9407b93a9b0d

Download Submit
F:\Ranger3X\1548100752o

Filesize
4KB

MD5
130f5ae99a80d77f520731d9278ddd4b

SHA1
04b9718f1065d2a9d967eed1523d3e238e5c93e9

SHA256
0cf2f9daa146f63c7ab8b9814079ce921ea7c050aa3408799102432969e8adb7

SHA512
8c0fbec651c8b9a6913a8fe827b949ee031da61aef62c2473bbfa139372da920ea784b98349c0e6979f09ab23f51dcef68043eeb64151a4edd6d1350b7455755

Download Submit
F:\Ranger3X\94353736296s

Filesize
2KB

MD5
78aee74219d692b16026bd1360b31b69

SHA1
9f1fedc5f244623f73217b4ddf4d118aa2c69f16

SHA256
3b400a34f7d26889e05c05be68c3f55adf6503007888262c2dd4b5f7d7f2d0cc

SHA512
63f7792a1b419f4ce728dff4d31fcf47d0e9e39e8c385f5e66677d69912a166b6873eed23223264b6df3b6bc68da3749a4c7f9fa4f8a8083c1c6e4ac271b1828

Download Submit
\??\c:\programdata\res\hds

Filesize
20B

MD5
d30ff6872d2ba73b665390730f19c30c

SHA1
f5a1813bdc699ad4c625e62bf6745f7f2efd72ae

SHA256
f91d82a6bb4832c7f2f76d81fe60ee78b8340bf513418ebc26319bbaeabde4e2

SHA512
feba18e7d59cb8ebe71aba3e8e2882a66f1c78aa92b37e0a175927216de7a0daa5bb70c716d86992525ccab49bdef800334d45bd3ead77f971bfe6b5e75fd962

Download Submit
\??\c:\users\admin\appdata\local\temp\mscore.dll

Filesize
558B

MD5
e318cf9c4ab50ca78db0f4de0fa6f151

SHA1
02f9ecc977d65a24c462bede7cb8212257fe1cca

SHA256
1a6178a628a7cfb02b7957840d3aa8dc0787140eacd8da23041a737ec249e00d

SHA512
54285b3422055a7c09cfd67e58853e262f7cb31fb3c6af4f8511c8f808f70d05c203715a6c4304cb2b284eee16461e7f8cdd023c641ba6c1bb09bbbfcfd4bfc5

Download Submit
\??\c:\windows\logg.bat

Filesize
50B

MD5
837f9483a4d9fb834d75537beb1c9488

SHA1
7421df5e92fbd2ef04eac5ede4397e4b87a3b7c2

SHA256
ec64e2a730d0e32ff61a98f34ffdda69ea172234f8f432b95766e38c0f898e2d

SHA512
37aa585177f560cd8d7b60303e820a7fa08f1a73d5fb79a6bae1f2c14e11d0f2d573059eb4e5c4bccb5021b336531d1eb3076a357b75a02c56570585a271cc69

Download Submit