ee65e9d7a7bc9d17e894e0b775fc0bbfb35e72c65c3d768e34bfe059d521cc16

Resubmissions

21-01-2024 14:52

240121-r8syqaeac7 10

21-01-2024 14:51

240121-r8k8waeac5 10

01-01-2024 13:55

240101-q776kscacp 10

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe
Size

1.4MB
MD5

1e56e3201f99af1f63c3b95b6d05d64f
SHA1

f5d32ac198ed52ded940ff5fffb1f513bb2b607f
SHA256

b8e40563f749016a1557ea461198661f501eadddba50d6528ffe4e9c52664666
SHA512

36b77e56cf6d5c07a6a62cb5ff21e3316db2a70d4c285649cdc48d6403b8eb27c8c01b483f9bff135e92ea66e203871e783231f4938af1202e51389006c13f83
SSDEEP

24576:Wmchf1ZHB7TZqSsulRicD2fdxs1isw/c169CDX/S6o1JLax:WVfvDqSsu2cAdxvvE0ADS

Score

9^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
7856	wevtutil.exe
23920	wevtutil.exe
65204	wevtutil.exe
76444	Process not Found
21848	wevtutil.exe
80412	Process not Found
12504	Process not Found
36416	wevtutil.exe
36564	wevtutil.exe
40716	wevtutil.exe
45028	wevtutil.exe
7976	wevtutil.exe
48428	wevtutil.exe
76484	Process not Found
77940	Process not Found
36332	wevtutil.exe
48988	wevtutil.exe
56304	wevtutil.exe
76596	Process not Found
45084	wevtutil.exe
60316	wevtutil.exe
76240	wevtutil.exe
9180	wevtutil.exe
15944	wevtutil.exe
40700	wevtutil.exe
56424	wevtutil.exe
76332	Process not Found
80248	Process not Found
13016	Process not Found
24148	wevtutil.exe
28184	wevtutil.exe
76288	wevtutil.exe
76344	Process not Found
16092	wevtutil.exe
54952	wevtutil.exe
76272	wevtutil.exe
7964	wevtutil.exe
60376	wevtutil.exe
68268	wevtutil.exe
16140	wevtutil.exe
32360	wevtutil.exe
55872	wevtutil.exe
68600	wevtutil.exe
80428	Process not Found
12804	Process not Found
12988	Process not Found
36616	wevtutil.exe
36752	wevtutil.exe
54084	wevtutil.exe
56288	wevtutil.exe
56092	wevtutil.exe
68900	wevtutil.exe
70980	wevtutil.exe
76196	Process not Found
56096	wevtutil.exe
69432	wevtutil.exe
76548	Process not Found
76612	Process not Found
8164	wevtutil.exe
40328	wevtutil.exe
44236	wevtutil.exe
44304	wevtutil.exe
80280	Process not Found
12752	Process not Found

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\f:	svchost.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\logg.bat	svchost.exe
File opened for modification	\??\c:\windows\logg.bat	Process not Found

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4568	sc.exe
135084	Process not Found
135136	Process not Found
1512	Process not Found

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Process not Found
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Process not Found

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1944	vssadmin.exe
4744	Process not Found

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3496	svchost.exe
3496	svchost.exe
1280	Process not Found
1280	Process not Found
1280	Process not Found
1280	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3496	svchost.exe
Token: SeRestorePrivilege	3496	svchost.exe
Token: SeBackupPrivilege	3496	svchost.exe
Token: SeTakeOwnershipPrivilege	3496	svchost.exe
Token: SeBackupPrivilege	3496	svchost.exe
Token: SeAuditPrivilege	3496	svchost.exe
Token: SeSecurityPrivilege	3496	svchost.exe
Token: SeSecurityPrivilege	7784	wevtutil.exe
Token: SeBackupPrivilege	7784	wevtutil.exe
Token: SeSecurityPrivilege	7812	wevtutil.exe
Token: SeBackupPrivilege	7812	wevtutil.exe
Token: SeSecurityPrivilege	7828	wevtutil.exe
Token: SeBackupPrivilege	7828	wevtutil.exe
Token: SeSecurityPrivilege	7844	wevtutil.exe
Token: SeBackupPrivilege	7844	wevtutil.exe
Token: SeSecurityPrivilege	7864	wevtutil.exe
Token: SeBackupPrivilege	7864	wevtutil.exe
Token: SeBackupPrivilege	7804	vssvc.exe
Token: SeRestorePrivilege	7804	vssvc.exe
Token: SeAuditPrivilege	7804	vssvc.exe
Token: SeSecurityPrivilege	7928	wevtutil.exe
Token: SeBackupPrivilege	7928	wevtutil.exe
Token: SeSecurityPrivilege	7976	wevtutil.exe
Token: SeBackupPrivilege	7976	wevtutil.exe
Token: SeSecurityPrivilege	8104	wevtutil.exe
Token: SeBackupPrivilege	8104	wevtutil.exe
Token: SeSecurityPrivilege	8120	wevtutil.exe
Token: SeBackupPrivilege	8120	wevtutil.exe
Token: SeSecurityPrivilege	8140	wevtutil.exe
Token: SeBackupPrivilege	8140	wevtutil.exe
Token: SeSecurityPrivilege	8168	wevtutil.exe
Token: SeBackupPrivilege	8168	wevtutil.exe
Token: SeSecurityPrivilege	8184	wevtutil.exe
Token: SeBackupPrivilege	8184	wevtutil.exe
Token: SeSecurityPrivilege	1708	wevtutil.exe
Token: SeBackupPrivilege	1708	wevtutil.exe
Token: SeSecurityPrivilege	7824	wevtutil.exe
Token: SeBackupPrivilege	7824	wevtutil.exe
Token: SeSecurityPrivilege	7848	wevtutil.exe
Token: SeBackupPrivilege	7848	wevtutil.exe
Token: SeSecurityPrivilege	3192	wevtutil.exe
Token: SeBackupPrivilege	3192	wevtutil.exe
Token: SeSecurityPrivilege	7952	wevtutil.exe
Token: SeBackupPrivilege	7952	wevtutil.exe
Token: SeSecurityPrivilege	8092	wevtutil.exe
Token: SeBackupPrivilege	8092	wevtutil.exe
Token: SeSecurityPrivilege	8112	wevtutil.exe
Token: SeBackupPrivilege	8112	wevtutil.exe
Token: SeSecurityPrivilege	8120	wevtutil.exe
Token: SeBackupPrivilege	8120	wevtutil.exe
Token: SeSecurityPrivilege	8172	wevtutil.exe
Token: SeBackupPrivilege	8172	wevtutil.exe
Token: SeSecurityPrivilege	8188	wevtutil.exe
Token: SeBackupPrivilege	8188	wevtutil.exe
Token: SeSecurityPrivilege	7784	wevtutil.exe
Token: SeBackupPrivilege	7784	wevtutil.exe
Token: SeSecurityPrivilege	7792	wevtutil.exe
Token: SeBackupPrivilege	7792	wevtutil.exe
Token: SeSecurityPrivilege	7812	wevtutil.exe
Token: SeBackupPrivilege	7812	wevtutil.exe
Token: SeSecurityPrivilege	7852	wevtutil.exe
Token: SeBackupPrivilege	7852	wevtutil.exe
Token: SeSecurityPrivilege	7976	wevtutil.exe
Token: SeBackupPrivilege	7976	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4568	3496	svchost.exe	88
PID 3496 wrote to memory of 4568	3496	svchost.exe	88
PID 3496 wrote to memory of 4064	3496	svchost.exe	91
PID 3496 wrote to memory of 4064	3496	svchost.exe	91
PID 4064 wrote to memory of 4212	4064	cmd.exe	94
PID 4064 wrote to memory of 4212	4064	cmd.exe	94
PID 3496 wrote to memory of 1944	3496	svchost.exe	93
PID 3496 wrote to memory of 1944	3496	svchost.exe	93
PID 4212 wrote to memory of 7784	4212	cmd.exe	96
PID 4212 wrote to memory of 7784	4212	cmd.exe	96
PID 4064 wrote to memory of 7812	4064	cmd.exe	98
PID 4064 wrote to memory of 7812	4064	cmd.exe	98
PID 4064 wrote to memory of 7828	4064	cmd.exe	99
PID 4064 wrote to memory of 7828	4064	cmd.exe	99
PID 4064 wrote to memory of 7844	4064	cmd.exe	100
PID 4064 wrote to memory of 7844	4064	cmd.exe	100
PID 4064 wrote to memory of 7864	4064	cmd.exe	101
PID 4064 wrote to memory of 7864	4064	cmd.exe	101
PID 4064 wrote to memory of 7928	4064	cmd.exe	102
PID 4064 wrote to memory of 7928	4064	cmd.exe	102
PID 4064 wrote to memory of 7976	4064	cmd.exe	125
PID 4064 wrote to memory of 7976	4064	cmd.exe	125
PID 4064 wrote to memory of 8104	4064	cmd.exe	106
PID 4064 wrote to memory of 8104	4064	cmd.exe	106
PID 4064 wrote to memory of 8120	4064	cmd.exe	118
PID 4064 wrote to memory of 8120	4064	cmd.exe	118
PID 4064 wrote to memory of 8140	4064	cmd.exe	130
PID 4064 wrote to memory of 8140	4064	cmd.exe	130
PID 4064 wrote to memory of 8168	4064	cmd.exe	109
PID 4064 wrote to memory of 8168	4064	cmd.exe	109
PID 4064 wrote to memory of 8184	4064	cmd.exe	110
PID 4064 wrote to memory of 8184	4064	cmd.exe	110
PID 4064 wrote to memory of 1708	4064	cmd.exe	111
PID 4064 wrote to memory of 1708	4064	cmd.exe	111
PID 4064 wrote to memory of 7824	4064	cmd.exe	112
PID 4064 wrote to memory of 7824	4064	cmd.exe	112
PID 4064 wrote to memory of 7848	4064	cmd.exe	113
PID 4064 wrote to memory of 7848	4064	cmd.exe	113
PID 4064 wrote to memory of 3192	4064	cmd.exe	114
PID 4064 wrote to memory of 3192	4064	cmd.exe	114
PID 4064 wrote to memory of 7952	4064	cmd.exe	115
PID 4064 wrote to memory of 7952	4064	cmd.exe	115
PID 4064 wrote to memory of 8092	4064	cmd.exe	116
PID 4064 wrote to memory of 8092	4064	cmd.exe	116
PID 4064 wrote to memory of 8112	4064	cmd.exe	127
PID 4064 wrote to memory of 8112	4064	cmd.exe	127
PID 4064 wrote to memory of 8120	4064	cmd.exe	118
PID 4064 wrote to memory of 8120	4064	cmd.exe	118
PID 4064 wrote to memory of 8172	4064	cmd.exe	119
PID 4064 wrote to memory of 8172	4064	cmd.exe	119
PID 4064 wrote to memory of 8188	4064	cmd.exe	120
PID 4064 wrote to memory of 8188	4064	cmd.exe	120
PID 4064 wrote to memory of 7784	4064	cmd.exe	121
PID 4064 wrote to memory of 7784	4064	cmd.exe	121
PID 4064 wrote to memory of 7792	4064	cmd.exe	122
PID 4064 wrote to memory of 7792	4064	cmd.exe	122
PID 4064 wrote to memory of 7812	4064	cmd.exe	123
PID 4064 wrote to memory of 7812	4064	cmd.exe	123
PID 4064 wrote to memory of 7852	4064	cmd.exe	124
PID 4064 wrote to memory of 7852	4064	cmd.exe	124
PID 4064 wrote to memory of 7976	4064	cmd.exe	125
PID 4064 wrote to memory of 7976	4064	cmd.exe	125
PID 4064 wrote to memory of 8072	4064	cmd.exe	126
PID 4064 wrote to memory of 8072	4064	cmd.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496
- C:\windows\system32\sc.exe
  "C:\windows\system32\sc.exe" create defser binpath= "C:\Users\Admin\AppData\Local\Temp\svchost.exe" start= auto
  2⤵
  - Launches sc.exe
  PID:4568
- \??\c:\windows\system32\cmd.exe
  "c:\windows\system32\cmd.exe" /c c:\windows\logg.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "AMSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "AirSpaceChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "DirectShowPluginControl"
    3⤵
    - Clears Windows event logs
    PID:7976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "EndpointMapper"
    3⤵
    PID:8120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "FirstUXPerf-Analytic"
    3⤵
    PID:8140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "IHM_DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    PID:8112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Internet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Key"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceMFT"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MF_MediaFoundationFrameServer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MedaFoundationVideoProc"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MedaFoundationVideoProcD3D"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationAsyncWrapper"
    3⤵
    PID:8072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationContentProtection"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDS"
    3⤵
    PID:7868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationDeviceProxy"
    3⤵
    - Clears Windows event logs
    PID:7964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationMP4"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationMediaEngine"
    3⤵
    PID:8156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformance"
    3⤵
    PID:8080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPerformanceCore"
    3⤵
    PID:7816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPipeline"
    3⤵
    PID:7928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationPlatform"
    3⤵
    PID:8116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:8148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    - Clears Windows event logs
    PID:8164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Admin"
    3⤵
    - Clears Windows event logs
    PID:7856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Debug"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Operational"
    3⤵
    PID:296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-Client/Virtual"
    3⤵
    PID:7964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:3932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:7860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:7820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:7956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:8128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:7848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:7824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:8112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:7932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:3008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:7928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:8568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    - Clears Windows event logs
    PID:9180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:9560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:10048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-User"
    3⤵
    PID:10352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:10836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:11052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:11652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:11936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:12028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:12044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:12060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:12076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:12092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:12108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:12128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:12144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:12160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:12176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:12192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/EXE"
    3⤵
    PID:12220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/MSI"
    3⤵
    PID:12240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/Packaged"
    3⤵
    PID:12256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppLocker/Packaged"
    3⤵
    PID:12272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    PID:11064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:11656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:11940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:12032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:12048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:12064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:7864
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:12084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:12100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:12112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:12140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:12156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:12172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:12188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:3920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:3224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:12452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:12660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:12972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:13248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:13768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application"
    3⤵
    PID:14120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:14256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:15028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:15408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:15908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:15924
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:15940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:15960
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:15976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:15992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:16008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:16024
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:16040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:16056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:16072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    - Clears Windows event logs
    PID:16092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:16108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:16124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    - Clears Windows event logs
    PID:16140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:16156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:16172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:16188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:16204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:16220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication"
    3⤵
    PID:16236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:16252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    PID:16268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:16284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    PID:16300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:16316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:16332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:16348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    PID:16364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    PID:16380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:15028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:15408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:15908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Backup"
    3⤵
    PID:15932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    - Clears Windows event logs
    PID:15944
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:15964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:15980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:15992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:16008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:16064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:19884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:19900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker/BitLocker"
    3⤵
    PID:19916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker/BitLocker"
    3⤵
    PID:19932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:19948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:19964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:19980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:19996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    PID:20012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:20028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:20048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:20064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:20080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:20096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:20112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:20128
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:20144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Catalog"
    3⤵
    PID:20160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:20176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:20192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:20208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:20224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:20240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:20256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:20272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:20288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    PID:20304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:20320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:20340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:20356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:20372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:20388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:20404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:20420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:20436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    PID:20452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:20468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:16060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:19892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:20188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:19888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:20884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:20984
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:21236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:21440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:21684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    PID:21832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    PID:22080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:22592
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:22608
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:22824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:23088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:23920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:23940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:23956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:23972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:23992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:24012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:24028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:24056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:24072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:24088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:24108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:24124
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:24136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    - Clears Windows event logs
    PID:24148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:24164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:24180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:24196
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:24212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:24228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:24248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:24264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:24280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:24296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:24312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:24352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:24392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:24408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:24424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:24440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:24456
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:24472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:24488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:24504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:24520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:24536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:23100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:23976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:24188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:24200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:24268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:24328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:24908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:25084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:25396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:25536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:26832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    PID:28036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:28096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:28132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    - Clears Windows event logs
    PID:28184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:28208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:28224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:28244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:28264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:28296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    PID:28312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceGuard/Verbose"
    3⤵
    PID:28328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:28344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:28360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
    3⤵
    PID:28376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    PID:28392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    PID:28416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    PID:28432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:28448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:28464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:28480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
    3⤵
    PID:28496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:28512
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:28532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    PID:28548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:28564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:28584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:28600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:28616
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:28632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    PID:28648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:28664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:26832
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:28036
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:28096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:28152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:28216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:28224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:28244
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:28264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:28296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:28312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:28328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:28344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:28360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:28408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:28428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:28444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:28460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:28476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:28492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:28508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:28560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:28620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:3340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:28296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:1916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:28728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:29032
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:29172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:29300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D12/Analytic"
    3⤵
    PID:29176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D12/Logging"
    3⤵
    PID:29304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D12/PerfTiming"
    3⤵
    PID:30116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3D9/Analytic"
    3⤵
    PID:30132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Direct3DShaderCache/Default"
    3⤵
    PID:30372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectComposition/Diagnostic"
    3⤵
    PID:30420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectManipulation/Diagnostic"
    3⤵
    PID:30568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:30660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:30572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:31144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:31296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:32212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:32232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Api/Analytic"
    3⤵
    PID:32272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
    3⤵
    PID:32288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
    3⤵
    PID:32304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dism-Cli/Analytic"
    3⤵
    PID:32324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:32340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    - Clears Windows event logs
    PID:32360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:32380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:32412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dot3MM/Diagnostic"
    3⤵
    PID:32440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:32456
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DucUpdateAgent/Operational"
    3⤵
    PID:32472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-API/Diagnostic"
    3⤵
    PID:32660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Core/Diagnostic"
    3⤵
    PID:31304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
    3⤵
    PID:32272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
    3⤵
    PID:31296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
    3⤵
    PID:33052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl-Admin"
    3⤵
    PID:33068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl-Operational"
    3⤵
    PID:34592
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Contention"
    3⤵
    PID:35064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:35180
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:35424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxgKrnl/Power"
    3⤵
    PID:35812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:35824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EDP-Application-Learning/Admin"
    3⤵
    PID:35892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
    3⤵
    PID:35912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
    3⤵
    PID:36328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:36352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ESE/IODiagnose"
    3⤵
    PID:36368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ESE/Operational"
    3⤵
    PID:36384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:36400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    - Clears Windows event logs
    PID:36416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:36436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-RasChap/Operational"
    3⤵
    PID:36452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-RasTls/Operational"
    3⤵
    PID:36468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-Sim/Operational"
    3⤵
    PID:36484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EapMethods-Ttls/Operational"
    3⤵
    PID:36500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:36516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
    3⤵
    PID:36532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
    3⤵
    PID:36548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
    3⤵
    - Clears Windows event logs
    PID:36564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:36580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:36596
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    - Clears Windows event logs
    PID:36616
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:36632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:36648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:36664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:36680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:36696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:36720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:36736
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FeatureConfiguration/Analytic"
    3⤵
    - Clears Windows event logs
    PID:36752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FeatureConfiguration/Operational"
    3⤵
    PID:36768
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
    3⤵
    PID:36784
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Catalog/Debug"
    3⤵
    PID:36800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
    3⤵
    PID:36820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
    3⤵
    PID:36836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Core/Analytic"
    3⤵
    PID:36852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Core/Debug"
    3⤵
    PID:35828
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Core/WHC"
    3⤵
    PID:35896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Engine/Analytic"
    3⤵
    PID:35916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
    3⤵
    - Clears Windows event logs
    PID:36332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Engine/Debug"
    3⤵
    PID:36360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
    3⤵
    PID:36372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-EventListener/Debug"
    3⤵
    PID:36388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Service/Analytic"
    3⤵
    PID:36404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-Service/Debug"
    3⤵
    PID:36420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
    3⤵
    PID:36444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
    3⤵
    PID:37224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:37240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:37328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Folder"
    3⤵
    PID:37344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:37400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:37564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
    3⤵
    PID:38224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GenericRoaming/Admin"
    3⤵
    PID:38748
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:39276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:39848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:40216
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:40232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:40248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HelloForBusiness/Operational"
    3⤵
    PID:40264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:40280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:40296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:40312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    - Clears Windows event logs
    PID:40328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:40344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup"
    3⤵
    PID:40360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:40376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotspotAuth/Analytic"
    3⤵
    PID:40396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HotspotAuth/Operational"
    3⤵
    PID:40412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Log"
    3⤵
    PID:40428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:40444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
    3⤵
    PID:40464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
    3⤵
    PID:40484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
    3⤵
    PID:40500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
    3⤵
    PID:40516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
    3⤵
    PID:40532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
    3⤵
    PID:40548
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
    3⤵
    PID:40572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
    3⤵
    PID:40588
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
    3⤵
    PID:40608
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-VID-Admin"
    3⤵
    PID:40624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Hyper-V-VID-Analytic"
    3⤵
    PID:40640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IE-SmartScreen"
    3⤵
    PID:40656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:40672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:40688
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-Broker/Analytic"
    3⤵
    - Clears Windows event logs
    PID:40700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-CandidateUI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:40716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
    3⤵
    PID:40800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
    3⤵
    PID:40908
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPAPI/Analytic"
    3⤵
    PID:40264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPLMP/Analytic"
    3⤵
    PID:40464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPPRED/Analytic"
    3⤵
    PID:40484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPSetting/Analytic"
    3⤵
    PID:40600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-JPTIP/Analytic"
    3⤵
    PID:40488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-KRAPI/Analytic"
    3⤵
    PID:41212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-KRTIP/Analytic"
    3⤵
    PID:41228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
    3⤵
    PID:41376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-TCCORE/Analytic"
    3⤵
    PID:41604
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-TCTIP/Analytic"
    3⤵
    PID:41696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IME-TIP/Analytic"
    3⤵
    PID:41956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPNAT/Diagnostic"
    3⤵
    PID:41992
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:42152
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPxlatCfg/Debug"
    3⤵
    PID:42496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IPxlatCfg/Operational"
    3⤵
    PID:42952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IdCtrls/Analytic"
    3⤵
    PID:43812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IdCtrls/Operational"
    3⤵
    PID:44156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
    3⤵
    PID:44172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
    3⤵
    PID:44188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-InputSwitch/Diagnostic"
    3⤵
    PID:44204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:44220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    - Clears Windows event logs
    PID:44236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:44252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:44272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KdsSvc/Operational"
    3⤵
    PID:44288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kerberos/Operational"
    3⤵
    - Clears Windows event logs
    PID:44304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:44320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-AppCompat/General"
    3⤵
    PID:44336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-AppCompat/Performance"
    3⤵
    PID:44352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
    3⤵
    PID:44368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
    3⤵
    PID:44384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
    3⤵
    PID:44400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:44416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Boot/Operational"
    3⤵
    PID:44432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:44448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:44464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:44480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:44496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:44512
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-IO/Operational"
    3⤵
    PID:44528
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
    3⤵
    PID:44544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
    3⤵
    PID:44560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
    3⤵
    PID:44576
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-LiveDump/Operational"
    3⤵
    PID:44592
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:44608
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:44624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
    3⤵
    PID:44640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
    3⤵
    PID:44656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Boot"
    3⤵
    PID:44676
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:44692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:44708
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Device"
    3⤵
    PID:44724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Driver"
    3⤵
    PID:44740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-PnP/Driver"
    3⤵
    PID:44756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:44772
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:44788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:44804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:44820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:44836
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:44852
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:44868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    PID:44884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:44900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    PID:44916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:44932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:44948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:44964
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:44980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:44996
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:45012
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    - Clears Windows event logs
    PID:45028
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:45044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    PID:43816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KeyboardFilter/Admin"
    3⤵
    PID:44160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KeyboardFilter/Operational"
    3⤵
    PID:44452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-KeyboardFilter/Performance"
    3⤵
    PID:44472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Known"
    3⤵
    PID:44540
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:44552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:44644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:44752
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:44844
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LSA/Performance"
    3⤵
    PID:44900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:45068
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    - Clears Windows event logs
    PID:45084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:45304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:45320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:48172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    PID:48188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    PID:48204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LiveId/Analytic"
    3⤵
    PID:48220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:48236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:48252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:48268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:48284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:48300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:48316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:48332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:48348
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:48364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:48380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:48396
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:48412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MUI/Operational"
    3⤵
    - Clears Windows event logs
    PID:48428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    PID:48444
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    PID:48460
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    PID:48476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:48492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:48508
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:48524
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:48540
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
    3⤵
    PID:48556
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:48572
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:48588
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:48616
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Minstore/Debug"
    3⤵
    PID:48632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    PID:48648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
    3⤵
    PID:48664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
    3⤵
    PID:48680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
    3⤵
    PID:48696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
    3⤵
    PID:48712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:48728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
    3⤵
    PID:48744
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
    3⤵
    PID:48760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
    3⤵
    PID:48776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
    3⤵
    PID:48792
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Mprddm/Operational"
    3⤵
    PID:48808
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:48824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:48840
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:48856
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:48872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:48888
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:48904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:48920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:48936
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:48952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ncasvc/Operational"
    3⤵
    PID:48972
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:48988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NcdAutoSetup/Operational"
    3⤵
    PID:49004
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NdisImPlatform/Operational"
    3⤵
    PID:49088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ndu/Diagnostic"
    3⤵
    PID:48188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:48316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-Connection-Broker"
    3⤵
    PID:48380
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-DataUsage/Analytic"
    3⤵
    PID:48476
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-Setup/Diagnostic"
    3⤵
    PID:48492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:48600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkBridge/Diagnostic"
    3⤵
    PID:48700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:48788
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:49932
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:50044
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProvider/Operational"
    3⤵
    PID:50148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProvisioning/Analytic"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkProvisioning/Operational"
    3⤵
    PID:51648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkSecurity/Debug"
    3⤵
    PID:52092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NetworkStatus/Analytic"
    3⤵
    PID:50148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
    3⤵
    PID:51648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:52092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:50148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ntfs/Operational"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ntfs/Performance"
    3⤵
    PID:51648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ntfs/WHC"
    3⤵
    PID:52092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLE/Clipboard-Performance"
    3⤵
    PID:50148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:51648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
    3⤵
    PID:52092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
    3⤵
    PID:50148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
    3⤵
    PID:51648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
    3⤵
    PID:52092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OcpUpdateAgent/Operational"
    3⤵
    PID:50148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:51652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:52104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:51640
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:51880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneBackup/Debug"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:51300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OneX/Operational"
    3⤵
    PID:52092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:50148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-OtpCredentialProvider/Operational"
    3⤵
    PID:51644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:51656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PackageStateRoaming/Analytic"
    3⤵
    PID:52096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PackageStateRoaming/Debug"
    3⤵
    PID:51880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PackageStateRoaming/Operational"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:51300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Partition/Analytic"
    3⤵
    PID:52092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Partition/Diagnostic"
    3⤵
    PID:50148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:51644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PerceptionRuntime/Operational"
    3⤵
    PID:51656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
    3⤵
    PID:52096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
    3⤵
    PID:51880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
    3⤵
    PID:51300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
    3⤵
    PID:52092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
    3⤵
    PID:50148
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
    3⤵
    PID:51644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
    3⤵
    PID:52100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
    3⤵
    PID:21848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
    3⤵
    PID:51660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PhotoAcq/Analytic"
    3⤵
    PID:52104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PlayToManager/Analytic"
    3⤵
    PID:52096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Policy/Analytic"
    3⤵
    PID:51648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Policy/Operational"
    3⤵
    PID:51644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:52100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    - Clears Windows event logs
    PID:21848
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
    3⤵
    PID:51660
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    PID:51296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:52104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:51644
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
    3⤵
    PID:52328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
    3⤵
    PID:52356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
    3⤵
    PID:52428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Admin"
    3⤵
    PID:52552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:52652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Debug"
    3⤵
    PID:52668
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:52756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:53220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintBRM/Admin"
    3⤵
    PID:53284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService-USBMon/Debug"
    3⤵
    PID:53560
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:53576
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:53728
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:54008
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Privacy-Auditing/Operational"
    3⤵
    - Clears Windows event logs
    PID:54084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
    3⤵
    PID:54136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:54280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
    3⤵
    PID:54296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
    3⤵
    PID:54672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
    3⤵
    - Clears Windows event logs
    PID:54952
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
    3⤵
    PID:54288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
    3⤵
    PID:54304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Proximity-Common/Diagnostic"
    3⤵
    PID:55308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Proximity-Common/Informational"
    3⤵
    - Clears Windows event logs
    PID:55872
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Proximity-Common/Performance"
    3⤵
    PID:56092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-Developer/Debug"
    3⤵
    PID:56104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-InProc/Debug"
    3⤵
    PID:56256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-Platform/Admin"
    3⤵
    PID:56272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-Platform/Debug"
    3⤵
    PID:56288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-PushNotification-Platform/Operational"
    3⤵
    PID:56304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:55304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:55472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:55880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/Debug"
    3⤵
    - Clears Windows event logs
    PID:56096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:56108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RRAS/Debug"
    3⤵
    PID:56260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RRAS/Operational"
    3⤵
    PID:56280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RadioManager/Analytic"
    3⤵
    PID:56292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
    3⤵
    PID:56312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RasAgileVpn/Debug"
    3⤵
    PID:54296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RasAgileVpn/Operational"
    3⤵
    PID:55428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReFS/Operational"
    3⤵
    PID:55884
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    - Clears Windows event logs
    PID:56092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:56112
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:56264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:56276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Regsvr32/Operational"
    3⤵
    PID:56288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteApp"
    3⤵
    PID:56304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteApp"
    3⤵
    PID:55304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:55312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:55880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:56096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:56108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
    3⤵
    PID:56260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:56280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
    3⤵
    PID:3412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
    3⤵
    - Clears Windows event logs
    PID:56288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
    3⤵
    - Clears Windows event logs
    PID:56304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
    3⤵
    PID:55304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
    3⤵
    PID:55312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
    3⤵
    PID:55880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
    3⤵
    PID:56096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:56108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:2072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:56296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:56308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RetailDemo/Admin"
    3⤵
    PID:56116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-RetailDemo/Operational"
    3⤵
    PID:56304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Graphics/Analytic"
    3⤵
    PID:55304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
    3⤵
    PID:55312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Networking/Tracing"
    3⤵
    PID:55880
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
    3⤵
    PID:56096
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
    3⤵
    PID:56108
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
    3⤵
    PID:2072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
    3⤵
    PID:56296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
    3⤵
    PID:56304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
    3⤵
    PID:56336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime/CreateInstance"
    3⤵
    - Clears Windows event logs
    PID:56424
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Runtime/Error"
    3⤵
    PID:56440
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBClient/Analytic"
    3⤵
    PID:56516
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
    3⤵
    PID:56580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
    3⤵
    PID:56680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBClient/Operational"
    3⤵
    PID:56696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBDirect/Admin"
    3⤵
    PID:56868
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBDirect/Debug"
    3⤵
    PID:56940
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBDirect/Netmon"
    3⤵
    PID:57040
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Analytic"
    3⤵
    PID:57140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Audit"
    3⤵
    PID:57184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Connectivity"
    3⤵
    PID:56340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Diagnostic"
    3⤵
    PID:57400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Operational"
    3⤵
    PID:57704
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Performance"
    3⤵
    PID:57724
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBServer/Security"
    3⤵
    PID:57900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBWitnessClient/Admin"
    3⤵
    PID:58116
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SMBWitnessClient/Informational"
    3⤵
    PID:56692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
    3⤵
    PID:58656
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
    3⤵
    PID:58860
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Schannel-Events/Perf"
    3⤵
    PID:59160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sdbus/Analytic"
    3⤵
    PID:59176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sdbus/Debug"
    3⤵
    PID:59384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sdstor/Analytic"
    3⤵
    PID:59904
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:60060
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:60076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SearchUI/Diagnostic"
    3⤵
    PID:60252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SearchUI/Operational"
    3⤵
    PID:60268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SecureAssessment/Operational"
    3⤵
    PID:60284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Adminless/Operational"
    3⤵
    PID:60300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:60316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:60332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
    3⤵
    PID:60356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
    3⤵
    PID:60372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
    3⤵
    PID:60388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:60404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-IdentityStore/Performance"
    3⤵
    PID:59388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
    3⤵
    PID:59916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Mitigations/KernelMode"
    3⤵
    PID:60072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Mitigations/UserMode"
    3⤵
    PID:60248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Netlogon/Operational"
    3⤵
    PID:60264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
    3⤵
    PID:60280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
    3⤵
    PID:57712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
    3⤵
    PID:60284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP-UX/Analytic"
    3⤵
    PID:60300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    - Clears Windows event logs
    PID:60316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
    3⤵
    PID:60344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Security-Vault/Performance"
    3⤵
    PID:28636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
    3⤵
    PID:60360
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
    3⤵
    PID:60376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
    3⤵
    PID:60392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SendTo/Diagnostic"
    3⤵
    PID:60408
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:58584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sensors/Debug"
    3⤵
    PID:59912
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sensors/Performance"
    3⤵
    PID:60064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
    3⤵
    PID:60080
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
    3⤵
    PID:60260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:60272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:60296
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:60312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Servicing/Debug"
    3⤵
    PID:60328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-Azure/Debug"
    3⤵
    PID:60316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-Azure/Operational"
    3⤵
    PID:60344
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
    3⤵
    PID:28636
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
    3⤵
    PID:60356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
    3⤵
    PID:5064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync/Analytic"
    3⤵
    PID:60376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync/Debug"
    3⤵
    PID:60392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync/Operational"
    3⤵
    PID:60404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SettingSync/VerboseDebug"
    3⤵
    PID:59388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:59916
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:60072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupPlatform/Analytic"
    3⤵
    PID:60248
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:60264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:60280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:57712
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
    3⤵
    PID:60284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:60300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:60332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:60364
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:4684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
    3⤵
    PID:60372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:3120
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
    3⤵
    - Clears Windows event logs
    PID:60376
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/ActionCenter"
    3⤵
    PID:61176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/AppDefaults"
    3⤵
    PID:61576
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:61600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
    3⤵
    PID:61740
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Core/Operational"
    3⤵
    PID:62000
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:62052
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
    3⤵
    PID:62192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
    3⤵
    PID:62328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:62584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:62800
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
    3⤵
    PID:62816
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
    3⤵
    PID:63104
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:63324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SleepStudy/Diagnostic"
    3⤵
    PID:62812
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartCard-Audit/Authentication"
    3⤵
    PID:62820
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
    3⤵
    PID:63624
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
    3⤵
    PID:64168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
    3⤵
    PID:64184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmartScreen/Debug"
    3⤵
    PID:64200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmbClient/Audit"
    3⤵
    PID:64220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmbClient/Connectivity"
    3⤵
    PID:64236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmbClient/Diagnostic"
    3⤵
    PID:64252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SmbClient/Security"
    3⤵
    PID:64268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:64284
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:64300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:64316
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Spellchecking-Host/Analytic"
    3⤵
    PID:64332
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SruMon/Diagnostic"
    3⤵
    PID:64352
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SrumTelemetry"
    3⤵
    PID:64368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StateRepository/Debug"
    3⤵
    PID:64384
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StateRepository/Diagnostic"
    3⤵
    PID:64400
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StateRepository/Operational"
    3⤵
    PID:64416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StateRepository/Restricted"
    3⤵
    PID:64432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:64448
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:64464
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Admin"
    3⤵
    PID:64480
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Analytic"
    3⤵
    PID:64496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Debug"
    3⤵
    PID:63620
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
    3⤵
    PID:63628
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ATAPort/Operational"
    3⤵
    PID:60544
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Admin"
    3⤵
    PID:64168
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
    3⤵
    PID:64184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Debug"
    3⤵
    PID:64200
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
    3⤵
    PID:64228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-ClassPnP/Operational"
    3⤵
    PID:64240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Admin"
    3⤵
    PID:64264
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Analytic"
    3⤵
    PID:2328
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Debug"
    3⤵
    PID:64312
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Diagnose"
    3⤵
    PID:64416
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Disk/Operational"
    3⤵
    PID:64432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Admin"
    3⤵
    PID:64184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Analytic"
    3⤵
    PID:64236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Debug"
    3⤵
    PID:64184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Diagnose"
    3⤵
    PID:64236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Health"
    3⤵
    PID:64184
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Storport/Operational"
    3⤵
    PID:64692
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
    3⤵
    PID:64824
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storage-Tiering/Admin"
    3⤵
    PID:64892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageManagement/Debug"
    3⤵
    PID:65056
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageManagement/Operational"
    3⤵
    - Clears Windows event logs
    PID:65204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSettings/Diagnostic"
    3⤵
    PID:65392
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
    3⤵
    PID:65680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
    3⤵
    PID:65976
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
    3⤵
    PID:66048
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
    3⤵
    PID:66132
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
    3⤵
    PID:66564
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
    3⤵
    PID:66580
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Store/Operational"
    3⤵
    PID:66780
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Storsvc/Diagnostic"
    3⤵
    PID:67252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:67484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:67500
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:67492
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/PfApLog"
    3⤵
    PID:67948
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:67968
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sysmon/Operational"
    3⤵
    PID:68144
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:68160
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
    3⤵
    PID:68176
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
    3⤵
    PID:68192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
    3⤵
    PID:68208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
    3⤵
    PID:68224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
    3⤵
    PID:68240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:68256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TCPIP/Operational"
    3⤵
    PID:68272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:68288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:68304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:68324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:68340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TTS/Diagnostic"
    3⤵
    PID:68356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TWinAPI/Diagnostic"
    3⤵
    PID:68372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TWinUI/Diagnostic"
    3⤵
    PID:68388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TWinUI/Operational"
    3⤵
    PID:68404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZSync/Analytic"
    3⤵
    PID:68420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZSync/Operational"
    3⤵
    PID:68436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:68452
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:68468
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:68484
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Maintenance"
    3⤵
    PID:68504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:68520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:68536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:68552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:68568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:68584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:68600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:67488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:67956
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:68140
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:68156
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:68172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:68188
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:68204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:68220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:68236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-Printers/Admin"
    3⤵
    PID:68252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
    3⤵
    PID:68520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-Printers/Debug"
    3⤵
    PID:68536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-Printers/Operational"
    3⤵
    - Clears Windows event logs
    PID:68600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:368
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:68204
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:68212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:456
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:68760
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:68776
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    - Clears Windows event logs
    PID:68900
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:69064
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:69280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    - Clears Windows event logs
    PID:69432
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    - Clears Windows event logs
    PID:68268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:69684
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:69700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Tethering-Manager/Analytic"
    3⤵
    - Clears Windows event logs
    PID:70980
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Tethering-Station/Analytic"
    3⤵
    PID:71092
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:71192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:71412
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Threat-Intelligence/Analytic"
    3⤵
    PID:71428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
    3⤵
    PID:71604
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Time-Service/Operational"
    3⤵
    PID:71700
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
    3⤵
    PID:71920
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
    3⤵
    PID:72164
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:72220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:72236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:72260
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UI-Shell/Diagnostic"
    3⤵
    PID:72276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:72292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:72308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:72324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:72340
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:72356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
    3⤵
    PID:72372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-UCX-Analytic"
    3⤵
    PID:72388
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:72404
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBHUB3-Analytic"
    3⤵
    PID:72420
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:72436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBXHCI-Analytic"
    3⤵
    PID:72456
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
    3⤵
    PID:72472
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
    3⤵
    PID:72488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:72504
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:72520
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:72536
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:72552
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:72568
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:72584
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:72600
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User"
    3⤵
    PID:72616
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:72632
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-User-Loader/Operational"
    3⤵
    PID:72648
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserAccountControl/Diagnostic"
    3⤵
    PID:72664
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:72680
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/ActionCenter"
    3⤵
    PID:72696
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceInstall"
    3⤵
    PID:70988
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:71896
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:71928
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:72212
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UxInit/Diagnostic"
    3⤵
    PID:72232
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:72252
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:72236
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:72268
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VHDMP-Analytic"
    3⤵
    PID:72280
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VHDMP-Operational"
    3⤵
    PID:72300
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VIRTDISK-Analytic"
    3⤵
    PID:72436
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VPN-Client/Operational"
    3⤵
    PID:72532
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VPN/Operational"
    3⤵
    PID:72652
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
    3⤵
    PID:72228
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
    3⤵
    PID:72220
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-Volume/Diagnostic"
    3⤵
    PID:72276
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:72756
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
    3⤵
    PID:72876
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:73076
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:73292
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:73308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WCNWiz/Analytic"
    3⤵
    PID:73428
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WEPHOSTSVC/Operational"
    3⤵
    PID:73488
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WER-PayloadHealth/Operational"
    3⤵
    PID:73672
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:73804
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:74072
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:74088
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:74172
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-Driver/Analytic"
    3⤵
    PID:74308
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
    3⤵
    PID:74324
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:74716
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Debug"
    3⤵
    PID:75084
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Operational"
    3⤵
    PID:75100
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:75556
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:75720
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:75892
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:76136
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSS-Service/Operational"
    3⤵
    PID:76192
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:76208
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-API/Analytic"
    3⤵
    PID:76224
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    - Clears Windows event logs
    PID:76240
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:76256
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    - Clears Windows event logs
    PID:76272
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    - Clears Windows event logs
    PID:76288
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPBT/Analytic"
    3⤵
    PID:76304
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
    3⤵
    PID:76320
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:76336
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPIP/Analytic"
    3⤵
    PID:76356
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WPD-MTPUS/Analytic"
    3⤵
    PID:76372
- - C:\Windows\system32\wevtutil.exe
    wevtutil cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:76388
- \??\c:\Windows\system32\vssadmin.exe
  "c:\Windows\system32\vssadmin.exe" Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\res\st

Filesize
14B

MD5
f4bfd795a8c2874236f751664437aec0

SHA1
cf985b4afeb3743128020a72868683cbb2673064

SHA256
6457e01a13a6b6319578322a1c67b19e82054474108f5bbebc9805068bfb8b81

SHA512
4268acdc55c4f6119bd0935858b9f3ca6e9163a2898c52dccdd261091f052bb80a3bebb09c7cadbe84a05c70f3fd3cc8a9adeb41c6663ebbc824e79834cab55e

Download Submit
F:\Ranger3X\5148942415o

Filesize
2KB

MD5
f3bc7c767aaf2266547f4b8d5c14afa2

SHA1
242ba2bba1c39c4cb0a070de6c953bc9188fc6fb

SHA256
991d6d859b5acd88bca76744c03bb9c49f91203550afa4b3a0b7f58cd57ac733

SHA512
702a9ddda0bee5d612fbd3c31cdb971bd3f44279da3cc807d986b77778b207de8f3cc35983c555b470c87c2d9612d924d26c7f6affb3d8f5158be71013b557ae

Download Submit
F:\Ranger3X\70467627563s

Filesize
2KB

MD5
210c50e8d330d0673cfcec684f892fd8

SHA1
6268f593b2caf5df8dcb749e5c9929b3d751454b

SHA256
08ab32a42b4ae5c6ef81e2126e39fe02865b2e9e3bc7147f7977c94ff553db59

SHA512
b378e265dfe15065cd621e5c765b0f06e8204a4018b70c8ff0ba5dbbc0c452872d10c5375d3c0701af1c26f075efcc55f3ef807e6e13743b87e3199cf7f170ab

Download Submit
\??\c:\programdata\res\hds

Filesize
20B

MD5
cd54435e458224102b4fcb29f6c09cbd

SHA1
2dc1c7a106446d4e709d48a7f087fea70f4bb867

SHA256
e7b7aefd3dbd0d53838f5855a1948b9d51537828e088769281d501e7f31f64cc

SHA512
15842abd027f7c2632276ca4b0b3c4341fba3ddd26310c71ccb8ed7f175a20fc4cf4934d6f642f43c22add8d98927c6a18e36ced3db72e7d88480715ea2e5f40

Download Submit
\??\c:\users\admin\appdata\local\temp\mscore.dll

Filesize
556B

MD5
5298df38e56949f4e49b4e6c2d214839

SHA1
8cb039d0c4effff89179af614caa7f9df24a894b

SHA256
a1e93c0b758f13013a41a642b42007e16748c59a449fa00f45837647e07ffa17

SHA512
1b4b010c4f72043ff9c83a82354199cb07d72d69d436fe5ee44c27c2bb3fd784938c9b1240c2c8c0e926ad956465bebaffb48fe5475b9295c40d8236f0ff23c9

Download Submit
\??\c:\windows\logg.bat

Filesize
50B

MD5
837f9483a4d9fb834d75537beb1c9488

SHA1
7421df5e92fbd2ef04eac5ede4397e4b87a3b7c2

SHA256
ec64e2a730d0e32ff61a98f34ffdda69ea172234f8f432b95766e38c0f898e2d

SHA512
37aa585177f560cd8d7b60303e820a7fa08f1a73d5fb79a6bae1f2c14e11d0f2d573059eb4e5c4bccb5021b336531d1eb3076a357b75a02c56570585a271cc69

Download Submit