ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21/01/2024, 14:52

240121-r8syqaeac7 10

21/01/2024, 14:51

240121-r8k8waeac5 10

01/01/2024, 13:55

240101-q776kscacp 10

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21/01/2024, 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

1.4MB
MD5

1e56e3201f99af1f63c3b95b6d05d64f
SHA1

f5d32ac198ed52ded940ff5fffb1f513bb2b607f
SHA256

b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666
SHA512

36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83
SSDEEP

24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS

Score

9^/10

discovery evasion persistence ransomware spyware stealer

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
29856	wevtutil.exe
30088	wevtutil.exe
30028	wevtutil.exe
10696	wevtutil.exe
9244	wevtutil.exe
17740	wevtutil.exe
17788	wevtutil.exe
21792	wevtutil.exe
26240	wevtutil.exe
34412	wevtutil.exe
37168	wevtutil.exe
18364	wevtutil.exe
22220	wevtutil.exe
25912	wevtutil.exe
26152	wevtutil.exe
29808	wevtutil.exe
13892	wevtutil.exe
34240	wevtutil.exe
38176	wevtutil.exe
6032	wevtutil.exe
38024	wevtutil.exe
41676	wevtutil.exe
6152	wevtutil.exe
23852	wevtutil.exe
37856	wevtutil.exe
37868	wevtutil.exe
37884	wevtutil.exe
37868	wevtutil.exe
14136	wevtutil.exe
21984	wevtutil.exe
10756	wevtutil.exe
9872	wevtutil.exe
13712	wevtutil.exe
13796	wevtutil.exe
30064	wevtutil.exe
37876	wevtutil.exe
14244	wevtutil.exe
14160	wevtutil.exe
14184	wevtutil.exe
17824	wevtutil.exe
10956	wevtutil.exe
19916	wevtutil.exe
21596	wevtutil.exe
29844	wevtutil.exe
34424	wevtutil.exe
37880	wevtutil.exe
37880	wevtutil.exe
5776	wevtutil.exe
5644	wevtutil.exe
17908	wevtutil.exe
26080	wevtutil.exe
37860	wevtutil.exe
25836	wevtutil.exe
25816	wevtutil.exe
34088	wevtutil.exe
17676	wevtutil.exe
18212	wevtutil.exe
26008	wevtutil.exe
34448	wevtutil.exe
5772	wevtutil.exe
13868	wevtutil.exe
36504	wevtutil.exe
41228	wevtutil.exe
15020	wevtutil.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\f:\$RECYCLE.BIN\S-1-5-21-3427588347-1492276948-3422228430-1000\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	svchost.exe
File opened (read-only)	\??\f:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\logg.bat	svchost.exe
File opened for modification	\??\c:\windows\logg.bat	svchost.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
133084	sc.exe
2796	sc.exe
2316	sc.exe
1872	sc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1948	vssadmin.exe
2552	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2336	svchost.exe
2336	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe
2556	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2336	svchost.exe
Token: SeRestorePrivilege	2336	svchost.exe
Token: SeBackupPrivilege	2336	svchost.exe
Token: SeTakeOwnershipPrivilege	2336	svchost.exe
Token: SeBackupPrivilege	2336	svchost.exe
Token: SeAuditPrivilege	2336	svchost.exe
Token: SeSecurityPrivilege	2336	svchost.exe
Token: SeSecurityPrivilege	5592	wevtutil.exe
Token: SeBackupPrivilege	5592	wevtutil.exe
Token: SeSecurityPrivilege	5624	wevtutil.exe
Token: SeBackupPrivilege	5624	wevtutil.exe
Token: SeBackupPrivilege	5600	vssvc.exe
Token: SeRestorePrivilege	5600	vssvc.exe
Token: SeAuditPrivilege	5600	vssvc.exe
Token: SeSecurityPrivilege	5644	wevtutil.exe
Token: SeBackupPrivilege	5644	wevtutil.exe
Token: SeSecurityPrivilege	5692	wevtutil.exe
Token: SeBackupPrivilege	5692	wevtutil.exe
Token: SeSecurityPrivilege	5712	wevtutil.exe
Token: SeBackupPrivilege	5712	wevtutil.exe
Token: SeSecurityPrivilege	5732	wevtutil.exe
Token: SeBackupPrivilege	5732	wevtutil.exe
Token: SeSecurityPrivilege	5744	wevtutil.exe
Token: SeBackupPrivilege	5744	wevtutil.exe
Token: SeSecurityPrivilege	5760	wevtutil.exe
Token: SeBackupPrivilege	5760	wevtutil.exe
Token: SeSecurityPrivilege	5772	wevtutil.exe
Token: SeBackupPrivilege	5772	wevtutil.exe
Token: SeSecurityPrivilege	5784	wevtutil.exe
Token: SeBackupPrivilege	5784	wevtutil.exe
Token: SeSecurityPrivilege	5796	wevtutil.exe
Token: SeBackupPrivilege	5796	wevtutil.exe
Token: SeSecurityPrivilege	5812	wevtutil.exe
Token: SeBackupPrivilege	5812	wevtutil.exe
Token: SeSecurityPrivilege	5840	wevtutil.exe
Token: SeBackupPrivilege	5840	wevtutil.exe
Token: SeSecurityPrivilege	5856	wevtutil.exe
Token: SeBackupPrivilege	5856	wevtutil.exe
Token: SeSecurityPrivilege	5872	wevtutil.exe
Token: SeBackupPrivilege	5872	wevtutil.exe
Token: SeSecurityPrivilege	5884	wevtutil.exe
Token: SeBackupPrivilege	5884	wevtutil.exe
Token: SeSecurityPrivilege	5896	wevtutil.exe
Token: SeBackupPrivilege	5896	wevtutil.exe
Token: SeSecurityPrivilege	5916	wevtutil.exe
Token: SeBackupPrivilege	5916	wevtutil.exe
Token: SeSecurityPrivilege	5928	wevtutil.exe
Token: SeBackupPrivilege	5928	wevtutil.exe
Token: SeSecurityPrivilege	5944	wevtutil.exe
Token: SeBackupPrivilege	5944	wevtutil.exe
Token: SeSecurityPrivilege	5956	wevtutil.exe
Token: SeBackupPrivilege	5956	wevtutil.exe
Token: SeSecurityPrivilege	5972	wevtutil.exe
Token: SeBackupPrivilege	5972	wevtutil.exe
Token: SeSecurityPrivilege	5988	wevtutil.exe
Token: SeBackupPrivilege	5988	wevtutil.exe
Token: SeSecurityPrivilege	6000	wevtutil.exe
Token: SeBackupPrivilege	6000	wevtutil.exe
Token: SeSecurityPrivilege	6016	wevtutil.exe
Token: SeBackupPrivilege	6016	wevtutil.exe
Token: SeSecurityPrivilege	6032	wevtutil.exe
Token: SeBackupPrivilege	6032	wevtutil.exe
Token: SeSecurityPrivilege	6044	wevtutil.exe
Token: SeBackupPrivilege	6044	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 1872	2336	svchost.exe	29
PID 2336 wrote to memory of 1872	2336	svchost.exe	29
PID 2336 wrote to memory of 1872	2336	svchost.exe	29
PID 2336 wrote to memory of 2160	2336	svchost.exe	31
PID 2336 wrote to memory of 2160	2336	svchost.exe	31
PID 2336 wrote to memory of 2160	2336	svchost.exe	31
PID 2336 wrote to memory of 1948	2336	svchost.exe	32
PID 2336 wrote to memory of 1948	2336	svchost.exe	32
PID 2336 wrote to memory of 1948	2336	svchost.exe	32
PID 2160 wrote to memory of 5568	2160	cmd.exe	35
PID 2160 wrote to memory of 5568	2160	cmd.exe	35
PID 2160 wrote to memory of 5568	2160	cmd.exe	35
PID 5568 wrote to memory of 5592	5568	cmd.exe	36
PID 5568 wrote to memory of 5592	5568	cmd.exe	36
PID 5568 wrote to memory of 5592	5568	cmd.exe	36
PID 2160 wrote to memory of 5624	2160	cmd.exe	38
PID 2160 wrote to memory of 5624	2160	cmd.exe	38
PID 2160 wrote to memory of 5624	2160	cmd.exe	38
PID 2160 wrote to memory of 5644	2160	cmd.exe	39
PID 2160 wrote to memory of 5644	2160	cmd.exe	39
PID 2160 wrote to memory of 5644	2160	cmd.exe	39
PID 2160 wrote to memory of 5692	2160	cmd.exe	41
PID 2160 wrote to memory of 5692	2160	cmd.exe	41
PID 2160 wrote to memory of 5692	2160	cmd.exe	41
PID 2160 wrote to memory of 5712	2160	cmd.exe	42
PID 2160 wrote to memory of 5712	2160	cmd.exe	42
PID 2160 wrote to memory of 5712	2160	cmd.exe	42
PID 2160 wrote to memory of 5732	2160	cmd.exe	43
PID 2160 wrote to memory of 5732	2160	cmd.exe	43
PID 2160 wrote to memory of 5732	2160	cmd.exe	43
PID 2160 wrote to memory of 5744	2160	cmd.exe	44
PID 2160 wrote to memory of 5744	2160	cmd.exe	44
PID 2160 wrote to memory of 5744	2160	cmd.exe	44
PID 2160 wrote to memory of 5760	2160	cmd.exe	45
PID 2160 wrote to memory of 5760	2160	cmd.exe	45
PID 2160 wrote to memory of 5760	2160	cmd.exe	45
PID 2160 wrote to memory of 5772	2160	cmd.exe	46
PID 2160 wrote to memory of 5772	2160	cmd.exe	46
PID 2160 wrote to memory of 5772	2160	cmd.exe	46
PID 2160 wrote to memory of 5784	2160	cmd.exe	47
PID 2160 wrote to memory of 5784	2160	cmd.exe	47
PID 2160 wrote to memory of 5784	2160	cmd.exe	47
PID 2160 wrote to memory of 5796	2160	cmd.exe	48
PID 2160 wrote to memory of 5796	2160	cmd.exe	48
PID 2160 wrote to memory of 5796	2160	cmd.exe	48
PID 2160 wrote to memory of 5812	2160	cmd.exe	49
PID 2160 wrote to memory of 5812	2160	cmd.exe	49
PID 2160 wrote to memory of 5812	2160	cmd.exe	49
PID 2160 wrote to memory of 5840	2160	cmd.exe	50
PID 2160 wrote to memory of 5840	2160	cmd.exe	50
PID 2160 wrote to memory of 5840	2160	cmd.exe	50
PID 2160 wrote to memory of 5856	2160	cmd.exe	51
PID 2160 wrote to memory of 5856	2160	cmd.exe	51
PID 2160 wrote to memory of 5856	2160	cmd.exe	51
PID 2160 wrote to memory of 5872	2160	cmd.exe	52
PID 2160 wrote to memory of 5872	2160	cmd.exe	52
PID 2160 wrote to memory of 5872	2160	cmd.exe	52
PID 2160 wrote to memory of 5884	2160	cmd.exe	53
PID 2160 wrote to memory of 5884	2160	cmd.exe	53
PID 2160 wrote to memory of 5884	2160	cmd.exe	53
PID 2160 wrote to memory of 5896	2160	cmd.exe	54
PID 2160 wrote to memory of 5896	2160	cmd.exe	54
PID 2160 wrote to memory of 5896	2160	cmd.exe	54
PID 2160 wrote to memory of 5916	2160	cmd.exe	55

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\windows\system32\sc.exe
  "C:\windows\system32\sc.exe" create defser binpath= "C:\Users\Admin\AppData\Local\Temp\svchost.exe" start= auto
  2⤵
  - Launches sc.exe
  PID:1872
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5592
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:5644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "ForwardedEvents"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:5772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Internet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Key"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Media"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPipeline"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPlatform"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IE/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:6596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Clears Windows event logs
    PID:9244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:9700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:9716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/EXE"
    3⤵
    PID:9732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/MSI"
    3⤵
    PID:9748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:9764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:9776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:9788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:9808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:9820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:9832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:9848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:9860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    - Clears Windows event logs
    PID:9872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:9888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:9904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:9916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:9932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:9944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication"
    3⤵
    PID:9956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:9968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Backup"
    3⤵
    PID:9984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    - Clears Windows event logs
    PID:13712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:13724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:13736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:13752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:13764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:13780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    - Clears Windows event logs
    PID:13796
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:13808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:13820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:13832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:13844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:13856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    - Clears Windows event logs
    PID:13868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:13880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    - Clears Windows event logs
    PID:13892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:13904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:13916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:13928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:13940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:13952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:13964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:13976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:13988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:14000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:14012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:14028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:14040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:14052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:14064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:14076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:14088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:14100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:14112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:14124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:14136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:14148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    - Clears Windows event logs
    PID:14160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:14172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    - Clears Windows event logs
    PID:14184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:14196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:14208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:14220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:14232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    - Clears Windows event logs
    PID:14244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:14256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:14268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:14280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:14292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:14304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:13972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:14112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:14144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:14416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:17064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:17664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    - Clears Windows event logs
    PID:17676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:17688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:17700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:17712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:17724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    - Clears Windows event logs
    PID:17740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:17752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:17764
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:17776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    - Clears Windows event logs
    PID:17788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:17800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:17812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    - Clears Windows event logs
    PID:17824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:17836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:17848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:17860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:17872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:17884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:17896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    - Clears Windows event logs
    PID:17908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:17920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:17932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:17944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:17956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:17972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:17984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:17996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:18008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:18020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:18032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:18044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:18056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:18068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:18092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:18112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:18140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:18160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:18200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    - Clears Windows event logs
    PID:18212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:18224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:18236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:18252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:18264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:18276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:18288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:18300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:18312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:18324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:18336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:18348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    - Clears Windows event logs
    PID:18364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:18376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:18388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:18408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:17932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:17944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:18092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:18228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:18320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:18408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:19488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    - Clears Windows event logs
    PID:19916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    - Clears Windows event logs
    PID:21596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:21752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:21768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Folder"
    3⤵
    PID:21780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    - Clears Windows event logs
    PID:21792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:21804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:21816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:21828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:21840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:21852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:21864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:21876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:21888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:21900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:21912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:21924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:21936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:21948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:21960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:21972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    - Clears Windows event logs
    PID:21984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:22000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:22012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:22024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:22036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:22048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:22060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:22072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:22084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:22096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:22108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:22120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:22132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:22144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:22160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:22172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:22184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:22196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:22208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:22220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:22232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:22344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:22488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:21792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:21928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:22008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:22016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:22176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:23272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:23852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:24028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:24440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:25776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:25788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Known"
    3⤵
    PID:25800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:25812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:25824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:25836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:25848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:25860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:25872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:25884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:25900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:25912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:25924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:25936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:25948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:25960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:25972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:25984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:25996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Operational"
    3⤵
    - Clears Windows event logs
    PID:26008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:26020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:26032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:26044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:26056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:26068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:26080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:26092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:26104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:26116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:26128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:26140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    - Clears Windows event logs
    PID:26152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:26164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:26176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:26192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:26204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:26216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:26228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    - Clears Windows event logs
    PID:26240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:26252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:26264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:26276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:26288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:26300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:26312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:26324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:26336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:26524
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    - Clears Windows event logs
    PID:25816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:25956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:26008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    - Clears Windows event logs
    PID:26080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:26228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:27396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:27988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:28460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:29808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:29820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:29832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    - Clears Windows event logs
    PID:29844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:29856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:29868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:29880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:29892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:29904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:29920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:29932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:29944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:29956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:29968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:29980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:29992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:30004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:30016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:30028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:30040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:30052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    - Clears Windows event logs
    PID:30064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:30076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    - Clears Windows event logs
    PID:30088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:30100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteApp"
    3⤵
    PID:30112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:30124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:30136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:30148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:30160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:30172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:30184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:30200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:30212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:30224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:30236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:30248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:30260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:30272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:30284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:30296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:30308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:30320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:30332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:30344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:30356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:30368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:30380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:30392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:30404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:30416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:30512
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:29808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:29852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:30028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:30040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:30124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:30864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:31560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:32060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:32628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:33820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:33832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:33844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:33856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:33868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:33880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:33892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:33904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:33920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:33932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:33944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:33956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:33968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:33980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:33992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:34004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:34016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:34028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:34040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:34052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:34064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:34076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    - Clears Windows event logs
    PID:34088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:34104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:34116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:34128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:34140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:34152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:34164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:34180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:34192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:34204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:34216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:34228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    - Clears Windows event logs
    PID:34240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:34252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:34264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:34276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:34288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:34300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:34316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:34328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:34340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:34352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:34364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:34376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:34388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:34400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    - Clears Windows event logs
    PID:34412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    - Clears Windows event logs
    PID:34424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:34436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:34452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:34464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:34652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:34804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:33188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:33996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:34076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:34912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:35668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:36092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:36504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:37168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:37856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:37868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:37880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    - Clears Windows event logs
    PID:36504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:37172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:37864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:37872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:37884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:37852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:37168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:37856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:36700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:37880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:36504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:37172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:37864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:37872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:37860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:37876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:37868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:34448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:37884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:37880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:37852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:37168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:37856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:37872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:37860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:37876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:37868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:34448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:37884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    - Clears Windows event logs
    PID:37880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:37852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    - Clears Windows event logs
    PID:37168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:37856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:37872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:37860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:37876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:37868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:34448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:37884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:37880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:37852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:37168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:37856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:37872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:36504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:37876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    - Clears Windows event logs
    PID:37868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    - Clears Windows event logs
    PID:38024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:38176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:38364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:38376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:38464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:38532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:39120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:40512
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:40768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:41228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:41876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:41888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:41900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Windows"
    3⤵
    PID:41912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:41924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:41936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:41948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:41960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    PID:41972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:40776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:41676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:41884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:41896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:41908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:41916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:41928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:41940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:41952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:41964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:41976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:40768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:41228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:41876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:41888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:41920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "OAlerts"
    3⤵
    PID:41932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Security"
    3⤵
    PID:41944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Setup"
    3⤵
    PID:41936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "System"
    3⤵
    PID:41968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:41236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:41972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:40772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:41676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WMPSetup"
    3⤵
    PID:41884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "WMPSyncEngine"
    3⤵
    PID:41896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Windows"
    3⤵
    PID:41908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:41912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "muxencode"
    3⤵
    PID:41924
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1948
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" delete defser
  2⤵
  - Launches sc.exe
  PID:133084
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" create defser binpath= "C:\Users\Admin\AppData\Local\Temp\svchost.exe" start= auto
  2⤵
  - Launches sc.exe
  PID:2796
- \??\c:\windows\system32\sc.exe
  "c:\windows\system32\sc.exe" start defser
  2⤵
  - Launches sc.exe
  PID:2316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2556
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil el
    3⤵
    PID:3568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil el
      4⤵
      PID:3588
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Analytic"
    3⤵
    - Clears Windows event logs
    PID:5776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"
    3⤵
    PID:5784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DebugChannel"
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowFilterGraph"
    3⤵
    PID:5752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowPluginControl"
    3⤵
    PID:5884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Els_Hyphenation/Analytic"
    3⤵
    PID:5932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "EndpointMapper"
    3⤵
    PID:5952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "ForwardedEvents"
    3⤵
    PID:5960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"
    3⤵
    PID:5976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Internet"
    3⤵
    PID:5992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Key"
    3⤵
    PID:6004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:6000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Media"
    3⤵
    PID:6016
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDeviceProxy"
    3⤵
    - Clears Windows event logs
    PID:6032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformance"
    3⤵
    - Clears Windows event logs
    PID:6152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPipeline"
    3⤵
    PID:6164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPlatform"
    3⤵
    PID:6176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:6188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:6204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:6216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:6228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:6240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:6252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:6264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:6276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:6352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:6424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:6436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:6448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:6460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/EXE"
    3⤵
    PID:6472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/MSI"
    3⤵
    PID:6484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:7092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:8308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:10560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:10608
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:10620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:10632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:10644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:10656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:10668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:10680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    - Clears Windows event logs
    PID:10696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:10708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:10720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:10732
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication"
    3⤵
    PID:10744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    - Clears Windows event logs
    PID:10756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Backup"
    3⤵
    PID:10768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:10800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:10864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:10876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:10888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:10912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:10924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:10944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:10956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:10968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:10988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:11000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:11592
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:14920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:14936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    - Clears Windows event logs
    PID:15020
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:15032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:15052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:15064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:15076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:15088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:15104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:15116
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\res\st

Filesize
14B

MD5
f4bfd795a8c2874236f751664437aec0

SHA1
cf985b4afeb3743128020a72868683cbb2673064

SHA256
6457e01a13a6b6319578322a1c67b19e82054474108f5bbebc9805068bfb8b81

SHA512
4268acdc55c4f6119bd0935858b9f3ca6e9163a2898c52dccdd261091f052bb80a3bebb09c7cadbe84a05c70f3fd3cc8a9adeb41c6663ebbc824e79834cab55e

Download Submit
F:\Ranger3X\20990528228o

Filesize
2KB

MD5
035798eefdc9bcdc3c9e72fe903a979b

SHA1
6871affbc19f0df33d5dc2f07e5fef8a1040fd85

SHA256
a590b5606185b0a7e93b69a483900b207ccdc8ec9824589bded78446c3af19e0

SHA512
18af8d25863bfd65cf96c2866737db8779b8ac2f6fb272817101acb71bba212d1039546b6a2dc55154520d8bb8e794aef609d74ed1a4d1b11d92f16e2544667b

Download Submit
F:\Ranger3X\20990528228o

Filesize
4KB

MD5
7a24d7d9e9444ba03366ac4d5e5b48a9

SHA1
7bbb25a8fcfe2fccd5aaa9fb4271c0f2330c9a81

SHA256
b44df1aa3807d34e3ba9376e9501ea823f46a7b7287f2f77f6e0f640e6e4b141

SHA512
a91c1de87d7113f99d89f130f57c1e030c29d51493df8460261a03d63c5e53d5ca581c200c2b8f1cba26aa1f4b90d075c139fd7cd5932b27c7228db8ae7a8ea5

Download Submit
F:\Ranger3X\57915896553s

Filesize
2KB

MD5
f0cea16c539bbc7f7355f8919f50c45e

SHA1
a289ea9cb2f90a695880eabd5c2e748e3a779fc3

SHA256
ebba8fc4930c85cd8fe5ccf64d403d32cd245157a190a3806970d9fd76db37ee

SHA512
32784c348565130d4f43ecf2966599cf3b925dad79b887c23e3db7b7c9e4708e58f199be79d5c368d18359ab065af7e3ed4a3d0cf3db442e0a107d04fc8b8c99

Download Submit
\??\c:\programdata\res\hds

Filesize
20B

MD5
dcd885d5d0b9ca55d157ef3f42e9f50d

SHA1
ddc0f2337d1c61b8ecc66dc9cbe02d4da4345f42

SHA256
87ac6c65d89be0b01b99cb79ffc4fa91a71ff28a46b8c41876c93b314e064f93

SHA512
e300adcf0c46e82997d1cbd0b9d7a5b939f323a4e3d31212d5c23b14eac891d664faa4ccd62a5b6a4c328067550cabde95508fde45e151a41dce1547dadcd85f

Download Submit
\??\c:\users\admin\appdata\local\temp\mscore.dll

Filesize
558B

MD5
669f74c1ecdd71b11da5bad2bf4ad47d

SHA1
df7b4ba70b4a92a4f60baafa51b77158f7bc9a09

SHA256
5f13d4910dc1fb1764a78472b1c612de61a7878859fa757768b6bdeb67756059

SHA512
7ee47200ba1a5f471f1ceb8265d6104d7c317f8e249e84db9ebb4a221ef082f9fd7bbf946cf875ff9c6f5430ac54dba03405ad790f1433a7461de8c890520f93

Download Submit
\??\c:\windows\logg.bat

Filesize
50B

MD5
837f9483a4d9fb834d75537beb1c9488

SHA1
7421df5e92fbd2ef04eac5ede4397e4b87a3b7c2

SHA256
ec64e2a730d0e32ff61a98f34ffdda69ea172234f8f432b95766e38c0f898e2d

SHA512
37aa585177f560cd8d7b60303e820a7fa08f1a73d5fb79a6bae1f2c14e11d0f2d573059eb4e5c4bccb5021b336531d1eb3076a357b75a02c56570585a271cc69

Download Submit