cerber | 628a2b6ad14cb09e3432f369c7ac3f2d341c5c518bfb9af16ee77e1d62601deb

Analysis

max time kernel
123s
max time network
403s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2024 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1buttonBETA10-22b.exe
Size

31.9MB
MD5

a48537d35ede9fe4d15b0818870c6ff2
SHA1

e760863c4db17e55e72ba507ebb22a5b9396c304
SHA256

628a2b6ad14cb09e3432f369c7ac3f2d341c5c518bfb9af16ee77e1d62601deb
SHA512

c6556320d20a051cbfe08febbdf80ff3168b4a7654ce1d77bada1329d499497462cef1d978abfa95d064dac49eb14dc7e914d0b9391aec6546991d499f3aaf97
SSDEEP

786432:LCnT9Z2zDfgQwtKa41MOYS0ndZNEMans/GtxeUVMGHKc6j:YLSMQwwa41ro9EManrtxTMx

Score

10^/10

cerber evasion ransomware spyware stealer

Malware Config

Signatures

Cerber 26 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	ioc	process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
4048	taskkill.exe
3064	taskkill.exe
3868	taskkill.exe
4680	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
3332	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}

Deletes NTFS Change Journal 2 TTPs 9 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485

Processes:

fsutil.exefsutil.exefsutil.exe

pid process

2052
4048
3224
4048
4048 fsutil.exe
3224 fsutil.exe
3224
2052 fsutil.exe
2052

pid	process
2052
4048
3224
4048
4048	fsutil.exe
3224	fsutil.exe
3224
2052	fsutil.exe
2052

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
4548
4616	wevtutil.exe
4756
1904
3396
2388	wevtutil.exe
3792	wevtutil.exe
4736
4668	wevtutil.exe
2152
4984	wevtutil.exe
3188
4192	wevtutil.exe
2996
2128
3828	wevtutil.exe
2560
3384	wevtutil.exe
1064	wevtutil.exe
4616
3224	wevtutil.exe
300
1692
4828
2276	wevtutil.exe
4876
2624	wevtutil.exe
1416
3332
4728
1352
2264
3196	wevtutil.exe
4948
1380
1728
4012	wevtutil.exe
4344
1728
3944
1460	wevtutil.exe
1060	wevtutil.exe
3828
4404
4900
4472
868
4400	wevtutil.exe
3788
1964
2968
3944
4748
2720
1472
2888
4916	wevtutil.exe
2796
3124
3632
1464
3016	wevtutil.exe
4560
2288

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops file in Drivers directory 24 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File created	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File created	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File created	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 3 IoCs

Processes:

Cleaner8.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Executes dropped EXE 64 IoCs

Processes:

FIXusrTEMPv6.exeddc.execleanerOLD1.exeCleaner8.exeAdvancedEventCleaner.exe

pid	process
2192	FIXusrTEMPv6.exe
228	ddc.exe
1636	cleanerOLD1.exe
3788	Cleaner8.exe
3432	AdvancedEventCleaner.exe
3396
3168
2356
1940
1652
4380
4948
1180
4344
2024
5016
1352
1636
2584
3800
5060
3332
1924
1768
2056
2192
228
1636
3788
3432
3396
3168
2356
1940
1652
4380
4948
1180
4344
2024
5016
1352
1636
2584
3800
5060
3332
1924
1768
2056
2192
228
1636
3788
3432
3396
3168
2356
1940
1652
4380
4948
1180
4344

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 64 IoCs

Processes:

Cleaner8.exe

description	ioc	process
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File opened for modification	C:\Users\Admin\Videos\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification	C:\Users\Admin\Downloads\desktop.ini
File opened for modification	C:\Users\Admin\Favorites\desktop.ini
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
File opened for modification	C:\Users\Admin\Documents\desktop.ini
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification	C:\Users\Admin\Music\desktop.ini
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
File opened for modification	C:\Users\Public\Music\desktop.ini
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
File opened for modification	C:\Users\Public\Documents\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
File opened for modification	C:\Users\Admin\Documents\desktop.ini
File opened for modification	C:\Users\Public\Desktop\desktop.ini
File opened for modification	C:\Users\Public\Documents\desktop.ini
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini
File opened for modification	C:\Users\Public\desktop.ini
File opened for modification	C:\Users\Public\Downloads\desktop.ini
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

fsutil.exefsutil.exe

description	ioc	process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\E:	fsutil.exe
File opened (read-only)	\??\D:
File opened (read-only)	\??\E:
File opened (read-only)	\??\D:
File opened (read-only)	\??\E:

Checks system information in the registry 2 TTPs 3 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ddc.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ddc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName

Drops file in System32 directory 27 IoCs

Processes:

Cleaner8.exe

description	ioc	process
File opened for modification	C:\Windows\System32\spp\store
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR
File opened for modification	C:\Windows\System32\restore\MachineGuid.txt
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA
File opened for modification	C:\Windows\system32\wbem\repository
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP
File opened for modification	C:\Windows\System32\restore\MachineGuid.txt	Cleaner8.exe
File opened for modification	C:\Windows\System32\spp\store	Cleaner8.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP
File opened for modification	C:\Windows\System32\spp\store
File opened for modification	C:\Windows\system32\wbem\repository
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP
File opened for modification	C:\Windows\System32\restore\MachineGuid.txt
File opened for modification	C:\Windows\system32\wbem\repository
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP

Drops file in Windows directory 64 IoCs

Processes:

Cleaner8.exe

description	ioc	process
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7BCB4814.pf
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-B1A87C0F.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E8196656.pf
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-342BD74A.pf
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-4A3DBBF6.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db
File opened for modification	C:\Windows\Prefetch\AgRobust.db
File opened for modification	C:\Windows\Prefetch\ReadyBoot
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98C67737.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4DC9A20E.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-23EA2E5B.pf
File opened for modification	C:\Windows\Prefetch\ONEDRIVE.EXE-96969DDA.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1589E4C3.pf
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-945CDB73.pf
File opened for modification	C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf
File opened for modification	C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-A5891C91.pf
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf
File opened for modification	C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0A03C9B5.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98C67737.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7C77C512.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-23EA2E5B.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-6F2A95AF.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7C77C512.pf
File opened for modification	C:\Windows\Prefetch\SHELLEXPERIENCEHOST.EXE-A3608B1E.pf
File opened for modification	C:\Windows\Prefetch\TIWORKER.EXE-C101ABCD.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-156D43F1.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-A73FB9CB.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-9B2E43E1.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-16AF9B6E.pf
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-9B2E43E1.pf
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-C49E779A.pf
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-945CDB73.pf
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0A03C9B5.pf
File opened for modification	C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf
File opened for modification	C:\Windows\Prefetch\SGRMBROKER.EXE-0CA31CC6.pf
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0521102C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-945CDB73.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVESETUP.EXE-ADFC0EFD.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf
File opened for modification	C:\Windows\Prefetch\DISMHOST.EXE-74279480.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FDF50724.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-D9106866.pf
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-ACEF2FA2.pf
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf
File opened for modification	C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-156D43F1.pf

Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

4448
5116 sc.exe
4448 sc.exe
5116
4448
5116
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4448
5116	sc.exe
4448	sc.exe
5116
4448
5116

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Cleaner8.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "bbb14ee5-c1f8ba3c-1"
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "bbb14ee5-c1f8ba3c-1"	Cleaner8.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "bbb14ee5-c1f8ba3c-1"
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe

Gathers network information 2 TTPs 9 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

pid process

3196
2796
2796
2796
1304
1304
3196
1304
3196
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1448 vssadmin.exe
1448
1448

pid	process
3196
2796
2796
2796
1304
1304
3196
1304
3196

pid	process
1448	vssadmin.exe
1448
1448

Kills process with taskkill 24 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
3332	taskkill.exe
336
3064
3332
4048
3868
3256
4048
4680	taskkill.exe
4048	taskkill.exe
3868	taskkill.exe
928
3868
3256
928
3064	taskkill.exe
3256
3064
4680
336
336
4680
3332
928

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

Cleaner8.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = be82cb62b42a75c0	Cleaner8.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = be82cb62b42a75c0
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = be82cb62b42a75c0

Modifies registry key 1 TTPs 6 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

4892 reg.exe
2972 reg.exe
4892
2972
4892
2972
Runs net.exe

pid	process
4892	reg.exe
2972	reg.exe
4892
2972
4892
2972

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
1584
1124
1644
2936
4004
4436
1640
4992
2104
2936
2772
808
2344
2884
1644
2772
4320
4348
2936
1584
1852	PING.EXE
808
4992
2972
4992
4396
4732
1852
3200
3760
2056	PING.EXE
4024
4320
4024
4732
1124
3572
4348
2104
2056
4416
780
2972
1064
2884
4436
4416
2056
3200
3760
2344
1064
4348
4024
4320	PING.EXE
3760
2772
1640
4436
1584
4732	PING.EXE
3200	PING.EXE
3572
4004

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

cleanerOLD1.exeCleaner8.exe

pid	process
1636	cleanerOLD1.exe
1636	cleanerOLD1.exe
3788	Cleaner8.exe
3788	Cleaner8.exe
3396
3396
2056
2056
1636
1636
3788
3788
3396
3396
2056
2056
1636
1636
3788
3788
3396
3396
2056
2056

Suspicious behavior: LoadsDriver 63 IoCs

Processes:

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.execleanerOLD1.exeCleaner8.exevssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	4048	taskkill.exe
Token: SeDebugPrivilege	3064	taskkill.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeDebugPrivilege	3868	taskkill.exe
Token: SeDebugPrivilege	1636	cleanerOLD1.exe
Token: SeTakeOwnershipPrivilege	3788	Cleaner8.exe
Token: SeBackupPrivilege	1760	vssvc.exe
Token: SeRestorePrivilege	1760	vssvc.exe
Token: SeAuditPrivilege	1760	vssvc.exe
Token: SeSecurityPrivilege	2288	wevtutil.exe
Token: SeBackupPrivilege	2288	wevtutil.exe
Token: SeSecurityPrivilege	4876	wevtutil.exe
Token: SeBackupPrivilege	4876	wevtutil.exe
Token: SeSecurityPrivilege	2200	wevtutil.exe
Token: SeBackupPrivilege	2200	wevtutil.exe
Token: SeSecurityPrivilege	4712	wevtutil.exe
Token: SeBackupPrivilege	4712	wevtutil.exe
Token: SeSecurityPrivilege	4504	wevtutil.exe
Token: SeBackupPrivilege	4504	wevtutil.exe
Token: SeSecurityPrivilege	4396	wevtutil.exe
Token: SeBackupPrivilege	4396	wevtutil.exe
Token: SeSecurityPrivilege	1708	wevtutil.exe
Token: SeBackupPrivilege	1708	wevtutil.exe
Token: SeSecurityPrivilege	4816	wevtutil.exe
Token: SeBackupPrivilege	4816	wevtutil.exe
Token: SeSecurityPrivilege	5092	wevtutil.exe
Token: SeBackupPrivilege	5092	wevtutil.exe
Token: SeSecurityPrivilege	4920	wevtutil.exe
Token: SeBackupPrivilege	4920	wevtutil.exe
Token: SeSecurityPrivilege	4556	wevtutil.exe
Token: SeBackupPrivilege	4556	wevtutil.exe
Token: SeSecurityPrivilege	4548	wevtutil.exe
Token: SeBackupPrivilege	4548	wevtutil.exe
Token: SeSecurityPrivilege	1164	wevtutil.exe
Token: SeBackupPrivilege	1164	wevtutil.exe
Token: SeSecurityPrivilege	3048	wevtutil.exe
Token: SeBackupPrivilege	3048	wevtutil.exe
Token: SeSecurityPrivilege	852	wevtutil.exe
Token: SeBackupPrivilege	852	wevtutil.exe
Token: SeSecurityPrivilege	2948	wevtutil.exe
Token: SeBackupPrivilege	2948	wevtutil.exe
Token: SeSecurityPrivilege	4608	wevtutil.exe
Token: SeBackupPrivilege	4608	wevtutil.exe
Token: SeSecurityPrivilege	1180	wevtutil.exe
Token: SeBackupPrivilege	1180	wevtutil.exe
Token: SeSecurityPrivilege	468	wevtutil.exe
Token: SeBackupPrivilege	468	wevtutil.exe
Token: SeSecurityPrivilege	1160	wevtutil.exe
Token: SeBackupPrivilege	1160	wevtutil.exe
Token: SeSecurityPrivilege	3632	wevtutil.exe
Token: SeBackupPrivilege	3632	wevtutil.exe
Token: SeSecurityPrivilege	440	wevtutil.exe
Token: SeBackupPrivilege	440	wevtutil.exe
Token: SeSecurityPrivilege	2120	wevtutil.exe
Token: SeBackupPrivilege	2120	wevtutil.exe
Token: SeSecurityPrivilege	2020	wevtutil.exe
Token: SeBackupPrivilege	2020	wevtutil.exe
Token: SeSecurityPrivilege	3944	wevtutil.exe
Token: SeBackupPrivilege	3944	wevtutil.exe
Token: SeSecurityPrivilege	432	wevtutil.exe
Token: SeBackupPrivilege	432	wevtutil.exe
Token: SeSecurityPrivilege	1676	wevtutil.exe
Token: SeBackupPrivilege	1676	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1buttonBETA10-22b.execmd.exeFIXusrTEMPv6.execmd.execmd.exe

description	pid	process	target process
PID 4356 wrote to memory of 4076	4356	1buttonBETA10-22b.exe	cmd.exe
PID 4356 wrote to memory of 4076	4356	1buttonBETA10-22b.exe	cmd.exe
PID 4076 wrote to memory of 4680	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 4680	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 4048	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 4048	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 3064	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 3064	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 3332	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 3332	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 3868	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 3868	4076	cmd.exe	taskkill.exe
PID 4076 wrote to memory of 5116	4076	cmd.exe	sc.exe
PID 4076 wrote to memory of 5116	4076	cmd.exe	sc.exe
PID 4076 wrote to memory of 4448	4076	cmd.exe	sc.exe
PID 4076 wrote to memory of 4448	4076	cmd.exe	sc.exe
PID 4076 wrote to memory of 4500	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 4500	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 1692	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 1692	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 2652	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 2652	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 3452	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 3452	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 4568	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 4568	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 1356	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 1356	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 4892	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 4892	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 2972	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 2972	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 3508	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 3508	4076	cmd.exe	reg.exe
PID 4076 wrote to memory of 3740	4076	cmd.exe	ARP.EXE
PID 4076 wrote to memory of 3740	4076	cmd.exe	ARP.EXE
PID 4076 wrote to memory of 2192	4076	cmd.exe	FIXusrTEMPv6.exe
PID 4076 wrote to memory of 2192	4076	cmd.exe	FIXusrTEMPv6.exe
PID 4076 wrote to memory of 4732	4076	cmd.exe	PING.EXE
PID 4076 wrote to memory of 4732	4076	cmd.exe	PING.EXE
PID 2192 wrote to memory of 1628	2192	FIXusrTEMPv6.exe	cmd.exe
PID 2192 wrote to memory of 1628	2192	FIXusrTEMPv6.exe	cmd.exe
PID 1628 wrote to memory of 2056	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 2056	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 4320	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 4320	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 1852	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 1852	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 3200	1628	cmd.exe	PING.EXE
PID 1628 wrote to memory of 3200	1628	cmd.exe	PING.EXE
PID 4076 wrote to memory of 228	4076	cmd.exe	ddc.exe
PID 4076 wrote to memory of 228	4076	cmd.exe	ddc.exe
PID 4076 wrote to memory of 228	4076	cmd.exe	ddc.exe
PID 4076 wrote to memory of 1124	4076	cmd.exe	PING.EXE
PID 4076 wrote to memory of 1124	4076	cmd.exe	PING.EXE
PID 4076 wrote to memory of 5016	4076	cmd.exe	cmd.exe
PID 4076 wrote to memory of 5016	4076	cmd.exe	cmd.exe
PID 4076 wrote to memory of 4728	4076	cmd.exe	cmd.exe
PID 4076 wrote to memory of 4728	4076	cmd.exe	cmd.exe
PID 4728 wrote to memory of 1636	4728	cmd.exe	cleanerOLD1.exe
PID 4728 wrote to memory of 1636	4728	cmd.exe	cleanerOLD1.exe
PID 4728 wrote to memory of 1636	4728	cmd.exe	cleanerOLD1.exe
PID 4076 wrote to memory of 3512	4076	cmd.exe	cmd.exe
PID 4076 wrote to memory of 3512	4076	cmd.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1buttonBETA10-22b.exe
"C:\Users\Admin\AppData\Local\Temp\1buttonBETA10-22b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\920E.tmp\921F.tmp\9220.bat C:\Users\Admin\AppData\Local\Temp\1buttonBETA10-22b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EasyAntiCheat.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im BEService_x64.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im EpicGamesLauncher.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3332
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
    3⤵
    - Cerber
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3868
- - C:\Windows\system32\sc.exe
    sc stop BEService
    3⤵
    - Launches sc.exe
    PID:5116
- - C:\Windows\system32\sc.exe
    sc stop EasyAntiCheat
    3⤵
    - Launches sc.exe
    PID:4448
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
    3⤵
    PID:4500
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
    3⤵
    PID:1692
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f
    3⤵
    PID:2652
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f
    3⤵
    PID:3452
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:4568
- - C:\Windows\system32\reg.exe
    reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f
    3⤵
    PID:1356
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 10407 /f
    3⤵
    - Modifies registry key
    PID:4892
- - C:\Windows\system32\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 986 /f
    3⤵
    - Modifies registry key
    PID:2972
- - C:\Windows\system32\reg.exe
    reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
    3⤵
    PID:3508
- - C:\Windows\system32\ARP.EXE
    arp -d
    3⤵
    PID:3740
- - C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
    "C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B565.tmp\B566.tmp\B567.bat C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        5⤵
        Runs ping.exe
        
        PID:2056
    - - C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        5⤵
        Runs ping.exe
        
        PID:4320
    - - C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        5⤵
        Runs ping.exe
        
        PID:1852
    - - C:\Windows\system32\PING.EXE
        
        ping /n 2 localhost
        5⤵
        Runs ping.exe
        
        PID:3200
- - C:\Windows\system32\PING.EXE
    PING localhost -n 3
    3⤵
    - Runs ping.exe
    PID:4732
- - C:\Users\Admin\AppData\Roaming\ddc.exe
    C:\Users\Admin\AppData\Roaming\ddc.exe b /target:c:\DriverBackup4u
    3⤵
    - Executes dropped EXE
    - Checks system information in the registry
    PID:228
- - C:\Windows\system32\PING.EXE
    PING localhost -n 3
    3⤵
    PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe
      "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\Cleaner8.exe""
    3⤵
    PID:1872
  - - C:\Users\Admin\AppData\Roaming\Cleaner8.exe
      "C:\Users\Admin\AppData\Roaming\Cleaner8.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in System32 directory
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:
        5⤵
        
        PID:2388
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d C:
        6⤵
        Deletes NTFS Change Journal
        
        PID:2052
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:
        5⤵
        
        PID:3952
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d D:
        6⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:4048
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:
        5⤵
        
        PID:4432
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d E:
        6⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:3224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        5⤵
        
        PID:4692
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /All /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:1448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
        5⤵
        
        PID:4968
      - C:\Windows\system32\net.exe
        
        net stop winmgmt /Y
        6⤵
        
        PID:4832
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop winmgmt /Y
        7⤵
        
        PID:1620
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        5⤵
        
        PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:3512
- - C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe
    "C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
    3⤵
    - Executes dropped EXE
    PID:3432
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\23B0.tmp\23B1.tmp\23B2.bat C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
      4⤵
      PID:544
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit
        5⤵
        
        PID:2896
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit
        6⤵
        
        PID:3792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wevtutil.exe el
        5⤵
        
        PID:1232
      - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AMSI/Debug"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AirSpaceChannel"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Application"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowFilterGraph"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowPluginControl"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Els_Hyphenation/Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "EndpointMapper"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "FirstUXPerf-Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "ForwardedEvents"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "General Logging"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "HardwareEvents"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "IHM_DebugChannel"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Internet Explorer"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Key Management Service"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationFrameServer"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProc"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProcD3D"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationAsyncWrapper"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationContentProtection"
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDS"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDeviceProxy"
        5⤵
        
        PID:4328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMP4"
        5⤵
        
        PID:3488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMediaEngine"
        5⤵
        
        PID:2936
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformance"
        5⤵
        
        PID:2252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformanceCore"
        5⤵
        
        PID:5060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPipeline"
        5⤵
        
        PID:1100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPlatform"
        5⤵
        
        PID:4852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationSrcPrefetch"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
        5⤵
        Clears Windows event logs
        
        PID:2388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Admin"
        5⤵
        
        PID:4048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Debug"
        5⤵
        
        PID:2604
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Operational"
        5⤵
        
        PID:3064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
        5⤵
        
        PID:300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
        5⤵
        
        PID:3612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
        5⤵
        
        PID:2004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IE/Diagnostic"
        5⤵
        
        PID:3428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
        5⤵
        
        PID:452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
        5⤵
        
        PID:2184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        5⤵
        
        PID:3420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
        5⤵
        
        PID:3340
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
        5⤵
        
        PID:3740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
        5⤵
        
        PID:2056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
        5⤵
        
        PID:3148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
        5⤵
        
        PID:4132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
        5⤵
        
        PID:636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
        5⤵
        
        PID:3348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
        5⤵
        
        PID:4236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
        5⤵
        
        PID:4564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
        5⤵
        
        PID:4668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
        5⤵
        
        PID:1852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
        5⤵
        
        PID:2972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
        5⤵
        
        PID:1408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
        5⤵
        
        PID:3396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
        5⤵
        
        PID:2868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
        5⤵
        
        PID:964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
        5⤵
        
        PID:2092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
        5⤵
        
        PID:1064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
        5⤵
        
        PID:5100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
        5⤵
        
        PID:4148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
        5⤵
        
        PID:1964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
        5⤵
        
        PID:4616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
        5⤵
        
        PID:4712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
        5⤵
        
        PID:4504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
        5⤵
        
        PID:4396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
        5⤵
        
        PID:1708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
        5⤵
        
        PID:4816
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
        5⤵
        
        PID:5092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
        5⤵
        
        PID:664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
        5⤵
        
        PID:4600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppSruProv"
        5⤵
        
        PID:2964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
        5⤵
        
        PID:1372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
        5⤵
        
        PID:2948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
        5⤵
        
        PID:4344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
        5⤵
        
        PID:3448
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
        5⤵
        
        PID:1160
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
        5⤵
        
        PID:1688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
        5⤵
        
        PID:2272
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
        5⤵
        
        PID:4120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
        5⤵
        
        PID:2872
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
        5⤵
        
        PID:4376
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
        5⤵
        
        PID:432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
        5⤵
        
        PID:3460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
        5⤵
        
        PID:4952
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        5⤵
        
        PID:1060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
        5⤵
        
        PID:1636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
        5⤵
        
        PID:4940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        5⤵
        
        PID:3652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
        5⤵
        
        PID:3828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
        5⤵
        
        PID:2324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
        5⤵
        
        PID:388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
        5⤵
        Clears Windows event logs
        
        PID:1460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
        5⤵
        
        PID:4744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
        5⤵
        
        PID:3896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
        5⤵
        
        PID:4756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
        5⤵
        
        PID:3224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
        5⤵
        
        PID:4432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
        5⤵
        
        PID:276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
        5⤵
        
        PID:304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
        5⤵
        
        PID:3332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
        5⤵
        
        PID:452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
        5⤵
        
        PID:2184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
        5⤵
        
        PID:3420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
        5⤵
        
        PID:3340
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
        5⤵
        
        PID:3740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
        5⤵
        
        PID:2464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
        5⤵
        
        PID:2036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
        5⤵
        
        PID:4828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
        5⤵
        
        PID:2468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
        5⤵
        
        PID:4468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
        5⤵
        
        PID:4848
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Backup"
        5⤵
        
        PID:2220
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
        5⤵
        
        PID:3300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
        5⤵
        
        PID:1852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
        5⤵
        
        PID:1408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
        5⤵
        
        PID:3396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
        5⤵
        
        PID:2868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
        5⤵
        
        PID:964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
        5⤵
        
        PID:2092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
        5⤵
        
        PID:1064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
        5⤵
        
        PID:3792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
        5⤵
        
        PID:4148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
        5⤵
        
        PID:1964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
        5⤵
        
        PID:4616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
        5⤵
        
        PID:4712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
        5⤵
        
        PID:4504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
        5⤵
        
        PID:4396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
        5⤵
        
        PID:1708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
        5⤵
        
        PID:4816
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
        5⤵
        
        PID:5092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
        5⤵
        
        PID:664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
        5⤵
        
        PID:4600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
        5⤵
        
        PID:2964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Call"
        5⤵
        
        PID:1372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
        5⤵
        
        PID:2948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
        5⤵
        
        PID:4344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
        5⤵
        
        PID:4860
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
        5⤵
        
        PID:4024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
        5⤵
        
        PID:440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
        5⤵
        
        PID:2120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
        5⤵
        
        PID:2872
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
        5⤵
        
        PID:4376
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
        5⤵
        
        PID:432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
        5⤵
        
        PID:3460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
        5⤵
        
        PID:4952
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
        5⤵
        
        PID:1060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
        5⤵
        
        PID:1636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
        5⤵
        
        PID:4940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
        5⤵
        
        PID:1380
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
        5⤵
        
        PID:4328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
        5⤵
        
        PID:3520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
        5⤵
        
        PID:3828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
        5⤵
        
        PID:2324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
        5⤵
        
        PID:928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
        5⤵
        
        PID:4852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
        5⤵
        
        PID:4628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
        5⤵
        
        PID:3896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
        5⤵
        
        PID:4756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
        5⤵
        Clears Windows event logs
        
        PID:3224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
        5⤵
        
        PID:4432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
        5⤵
        
        PID:276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
        5⤵
        
        PID:304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
        5⤵
        
        PID:3332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
        5⤵
        
        PID:452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
        5⤵
        
        PID:2184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
        5⤵
        
        PID:2556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
        5⤵
        
        PID:3420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
        5⤵
        
        PID:2152
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
        5⤵
        
        PID:3148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
        5⤵
        
        PID:4132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
        5⤵
        
        PID:636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
        5⤵
        
        PID:3348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
        5⤵
        
        PID:4236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
        5⤵
        
        PID:4564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
        5⤵
        
        PID:1324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
        5⤵
        
        PID:3468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
        5⤵
        
        PID:2172
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
        5⤵
        
        PID:4968
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
        5⤵
        
        PID:5004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
        5⤵
        
        PID:2056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
        5⤵
        
        PID:2868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
        5⤵
        
        PID:964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
        5⤵
        
        PID:2092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
        5⤵
        
        PID:2192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
        5⤵
        
        PID:4720
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
        5⤵
        
        PID:436
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
        5⤵
        
        PID:2352
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
        5⤵
        
        PID:4616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
        5⤵
        
        PID:4712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
        5⤵
        
        PID:4504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
        5⤵
        
        PID:4396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
        5⤵
        
        PID:1708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
        5⤵
        
        PID:3980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
        5⤵
        
        PID:4548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
        5⤵
        
        PID:1164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
        5⤵
        
        PID:3048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
        5⤵
        Clears Windows event logs
        
        PID:2624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
        5⤵
        
        PID:4948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
        5⤵
        
        PID:4608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
        5⤵
        
        PID:1124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
        5⤵
        
        PID:3448
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
        5⤵
        
        PID:4344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
        5⤵
        
        PID:3632
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
        5⤵
        
        PID:2996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
        5⤵
        
        PID:4184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
        5⤵
        
        PID:2196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
        5⤵
        
        PID:3944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
        5⤵
        
        PID:1676
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
        5⤵
        
        PID:2560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
        5⤵
        
        PID:3360
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
        5⤵
        
        PID:3304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
        5⤵
        
        PID:4052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
        5⤵
        
        PID:3652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
        5⤵
        
        PID:3052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
        5⤵
        
        PID:2936
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
        5⤵
        
        PID:1228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
        5⤵
        
        PID:4944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
        5⤵
        
        PID:4436
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
        5⤵
        
        PID:4852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
        5⤵
        
        PID:4628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
        5⤵
        
        PID:4996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
        5⤵
        
        PID:4756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
        5⤵
        
        PID:288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
        5⤵
        
        PID:300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
        5⤵
        
        PID:1448
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
        5⤵
        
        PID:2004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
        5⤵
        
        PID:2924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
        5⤵
        
        PID:4588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
        5⤵
        
        PID:3264
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
        5⤵
        
        PID:5056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
        5⤵
        
        PID:2488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
        5⤵
        
        PID:3584
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
        5⤵
        
        PID:3740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
        5⤵
        
        PID:2128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
        5⤵
        
        PID:2036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
        5⤵
        
        PID:2592
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
        5⤵
        
        PID:5108
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
        5⤵
        
        PID:5072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
        5⤵
        
        PID:2220
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
        5⤵
        
        PID:3300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
        5⤵
        
        PID:1408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
        5⤵
        
        PID:3396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
        5⤵
        
        PID:3512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
        5⤵
        
        PID:2796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
        5⤵
        
        PID:2092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
        5⤵
        
        PID:2192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
        5⤵
        
        PID:2276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
        5⤵
        
        PID:1696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
        5⤵
        
        PID:5100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
        5⤵
        
        PID:2356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
        5⤵
        
        PID:2288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
        5⤵
        
        PID:4876
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
        5⤵
        
        PID:2968
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
        5⤵
        
        PID:4972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
        5⤵
        
        PID:1536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
        5⤵
        
        PID:4404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
        5⤵
        
        PID:1664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
        5⤵
        
        PID:5076
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
        5⤵
        
        PID:3424
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
        5⤵
        
        PID:4084
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
        5⤵
        
        PID:2536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
        5⤵
        
        PID:2428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
        5⤵
        
        PID:3736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
        5⤵
        
        PID:4380
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
        5⤵
        
        PID:2988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
        5⤵
        
        PID:780
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
        5⤵
        
        PID:2832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
        5⤵
        
        PID:852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
        5⤵
        
        PID:4348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
        5⤵
        
        PID:1600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
        5⤵
        
        PID:1180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
        5⤵
        
        PID:4204
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
        5⤵
        
        PID:64
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
        5⤵
        
        PID:1160
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
        5⤵
        
        PID:1688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
        5⤵
        
        PID:2272
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
        5⤵
        
        PID:1020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
        5⤵
        
        PID:2024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
        5⤵
        
        PID:2772
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
        5⤵
        
        PID:5016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
        5⤵
        
        PID:3460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
        5⤵
        
        PID:4736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
        5⤵
        
        PID:1080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
        5⤵
        
        PID:3096
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
        5⤵
        
        PID:2104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
        5⤵
        
        PID:3028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
        5⤵
        
        PID:2544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
        5⤵
        
        PID:4560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
        5⤵
        
        PID:4864
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
        5⤵
        
        PID:3488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
        5⤵
        
        PID:1644
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
        5⤵
        
        PID:2252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
        5⤵
        
        PID:5060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
        5⤵
        
        PID:1100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
        5⤵
        
        PID:4008
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
        5⤵
        
        PID:4744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
        5⤵
        
        PID:3904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
        5⤵
        
        PID:2372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
        5⤵
        Clears Windows event logs
        
        PID:4916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
        5⤵
        
        PID:3296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
        5⤵
        
        PID:1796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
        5⤵
        
        PID:4048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
        5⤵
        
        PID:2604
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
        5⤵
        
        PID:3064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
        5⤵
        
        PID:1412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
        5⤵
        
        PID:4432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
        5⤵
        
        PID:972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
        5⤵
        
        PID:3868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
        5⤵
        
        PID:4760
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
        5⤵
        
        PID:4684
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
        5⤵
        
        PID:3428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
        5⤵
        
        PID:3256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
        5⤵
        
        PID:2944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
        5⤵
        
        PID:1000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
        5⤵
        
        PID:4124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
        5⤵
        
        PID:3340
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
        5⤵
        
        PID:2332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
        5⤵
        
        PID:3660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
        5⤵
        
        PID:680
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
        5⤵
        
        PID:4012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
        5⤵
        
        PID:2124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
        5⤵
        
        PID:1904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
        5⤵
        
        PID:4268
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
        5⤵
        
        PID:4320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
        5⤵
        
        PID:4236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
        5⤵
        
        PID:2972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
        5⤵
        
        PID:4892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
        5⤵
        
        PID:2028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
        5⤵
        
        PID:3016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
        5⤵
        
        PID:4644
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Help/Operational"
        5⤵
        
        PID:1104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
        5⤵
        
        PID:1872
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
        5⤵
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
        5⤵
        
        PID:1768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
        5⤵
        
        PID:2424
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
        5⤵
        
        PID:3388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
        5⤵
        
        PID:2896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
        5⤵
        
        PID:4720
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
        5⤵
        
        PID:2200
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
        5⤵
        
        PID:32
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
        5⤵
        
        PID:2264
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
        5⤵
        
        PID:3928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
        5⤵
        
        PID:2504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
        5⤵
        
        PID:4712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
        5⤵
        
        PID:1464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
        5⤵
        
        PID:4372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
        5⤵
        
        PID:1172
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
        5⤵
        
        PID:3876
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
        5⤵
        
        PID:5092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
        5⤵
        
        PID:664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
        5⤵
        
        PID:4600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
        5⤵
        
        PID:2964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
        5⤵
        
        PID:4948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
        5⤵
        
        PID:2948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
        5⤵
        
        PID:3124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
        5⤵
        
        PID:4984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
        5⤵
        
        PID:4024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
        5⤵
        
        PID:440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
        5⤵
        
        PID:2120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
        5⤵
        
        PID:2872
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
        5⤵
        
        PID:2720
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
        5⤵
        
        PID:432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
        5⤵
        
        PID:4420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
        5⤵
        
        PID:2884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
        5⤵
        
        PID:4888
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
        5⤵
        
        PID:4532
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
        5⤵
        
        PID:2360
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
        5⤵
        
        PID:1728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
        5⤵
        
        PID:4940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
        5⤵
        
        PID:4328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
        5⤵
        
        PID:3520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
        5⤵
        Clears Windows event logs
        
        PID:3828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
        5⤵
        
        PID:3988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
        5⤵
        
        PID:928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
        5⤵
        
        PID:4680
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
        5⤵
        
        PID:4336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
        5⤵
        
        PID:2388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
        5⤵
        
        PID:1300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
        5⤵
        
        PID:640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
        5⤵
        
        PID:3232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
        5⤵
        
        PID:4748
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
        5⤵
        
        PID:3896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
        5⤵
        
        PID:3608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
        5⤵
        
        PID:4756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
        5⤵
        
        PID:288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
        5⤵
        
        PID:300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
        5⤵
        
        PID:1448
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
        5⤵
        
        PID:2004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
        5⤵
        
        PID:2924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
        5⤵
        
        PID:4588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
        5⤵
        
        PID:2184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
        5⤵
        
        PID:2556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
        5⤵
        
        PID:3764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
        5⤵
        
        PID:3420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
        5⤵
        
        PID:2752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
        5⤵
        
        PID:4132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
        5⤵
        
        PID:636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
        5⤵
        
        PID:3348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
        5⤵
        
        PID:4564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:4668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
        5⤵
        
        PID:4832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
        5⤵
        
        PID:2172
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
        5⤵
        
        PID:4968
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
        5⤵
        
        PID:5004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
        5⤵
        
        PID:2056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
        5⤵
        
        PID:2868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
        5⤵
        
        PID:2072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
        5⤵
        
        PID:3076
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
        5⤵
        
        PID:3476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
        5⤵
        
        PID:2192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
        5⤵
        
        PID:2952
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
        5⤵
        
        PID:3444
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
        5⤵
        
        PID:4148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
        5⤵
        
        PID:2016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
        5⤵
        
        PID:2352
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
        5⤵
        
        PID:1472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
        5⤵
        
        PID:2264
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
        5⤵
        
        PID:3932
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
        5⤵
        
        PID:4400
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
        5⤵
        
        PID:1664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
        5⤵
        
        PID:4028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
        5⤵
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
        5⤵
        
        PID:4300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
        5⤵
        
        PID:4816
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
        5⤵
        
        PID:2916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
        5⤵
        
        PID:3980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
        5⤵
        
        PID:1164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
        5⤵
        
        PID:3048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
        5⤵
        
        PID:2624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
        5⤵
        
        PID:852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
        5⤵
        
        PID:4608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
        5⤵
        
        PID:1416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
        5⤵
        
        PID:3448
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
        5⤵
        
        PID:3632
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
        5⤵
        
        PID:2996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
        5⤵
        
        PID:4184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
        5⤵
        
        PID:808
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
        5⤵
        
        PID:2196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
        5⤵
        
        PID:1564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
        5⤵
        
        PID:1352
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
        5⤵
        
        PID:1636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
        5⤵
        
        PID:1784
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
        5⤵
        
        PID:4940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
        5⤵
        
        PID:1380
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
        5⤵
        
        PID:3652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
        5⤵
        
        PID:3052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
        5⤵
        
        PID:2324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
        5⤵
        
        PID:3988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
        5⤵
        
        PID:1228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
        5⤵
        
        PID:4944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
        5⤵
        
        PID:3972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
        5⤵
        
        PID:4852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
        5⤵
        
        PID:864
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
        5⤵
        
        PID:3384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
        5⤵
        
        PID:4256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
        5⤵
        
        PID:4996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
        5⤵
        
        PID:336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
        5⤵
        
        PID:3224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
        5⤵
        
        PID:4752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
        5⤵
        
        PID:292
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
        5⤵
        
        PID:3332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
        5⤵
        
        PID:2336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
        5⤵
        
        PID:4124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
        5⤵
        
        PID:2488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
        5⤵
        
        PID:3584
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
        5⤵
        
        PID:3660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
        5⤵
        
        PID:2464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
        5⤵
        
        PID:4012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
        5⤵
        
        PID:1904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
        5⤵
        
        PID:3144
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
        5⤵
        
        PID:3348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
        5⤵
        
        PID:2972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
        5⤵
        
        PID:4892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
        5⤵
        
        PID:2028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
        5⤵
        Clears Windows event logs
        
        PID:3016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
        5⤵
        
        PID:3788
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
        5⤵
        
        PID:1872
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
        5⤵
        
        PID:2796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
        5⤵
        
        PID:1768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
        5⤵
        
        PID:2424
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
        5⤵
        
        PID:3388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
        5⤵
        
        PID:5100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
        5⤵
        
        PID:2356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
        5⤵
        
        PID:2288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
        5⤵
        
        PID:2352
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
        5⤵
        
        PID:2264
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
        5⤵
        Clears Windows event logs
        
        PID:4400
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
        5⤵
        
        PID:1664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
        5⤵
        
        PID:4028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
        5⤵
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
        5⤵
        
        PID:4300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
        5⤵
        
        PID:4816
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
        5⤵
        
        PID:2916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
        5⤵
        
        PID:1224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
        5⤵
        
        PID:3980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
        5⤵
        
        PID:1560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
        5⤵
        
        PID:2096
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
        5⤵
        
        PID:1600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
        5⤵
        
        PID:1180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
        5⤵
        
        PID:2396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
        5⤵
        
        PID:468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
        5⤵
        
        PID:3760
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
        5⤵
        
        PID:5000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
        5⤵
        
        PID:540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
        5⤵
        
        PID:1164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
        5⤵
        
        PID:868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
        5⤵
        
        PID:4184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
        5⤵
        
        PID:808
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
        5⤵
        
        PID:2196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
        5⤵
        
        PID:1564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
        5⤵
        
        PID:1352
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
        5⤵
        
        PID:3360
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
        5⤵
        
        PID:3304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
        5⤵
        
        PID:3188
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
        5⤵
        
        PID:1784
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
        5⤵
        
        PID:4940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
        5⤵
        
        PID:4328
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
        5⤵
        
        PID:4188
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
        5⤵
        
        PID:3828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
        5⤵
        
        PID:2692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
        5⤵
        
        PID:928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
        5⤵
        
        PID:1100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
        5⤵
        
        PID:4008
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
        5⤵
        
        PID:3972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
        5⤵
        
        PID:4852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
        5⤵
        
        PID:864
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
        5⤵
        Clears Windows event logs
        
        PID:3384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
        5⤵
        
        PID:4256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
        5⤵
        
        PID:4996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
        5⤵
        
        PID:336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
        5⤵
        
        PID:1052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
        5⤵
        
        PID:3224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
        5⤵
        
        PID:4752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
        5⤵
        
        PID:3332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
        5⤵
        
        PID:2336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
        5⤵
        
        PID:4124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
        5⤵
        
        PID:2488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
        5⤵
        
        PID:3584
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
        5⤵
        
        PID:3660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
        5⤵
        
        PID:2464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
        5⤵
        Clears Windows event logs
        
        PID:4012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
        5⤵
        
        PID:1904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
        5⤵
        
        PID:3144
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
        5⤵
        
        PID:3348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
        5⤵
        
        PID:4892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
        5⤵
        
        PID:2028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
        5⤵
        
        PID:3016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
        5⤵
        
        PID:3788
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
        5⤵
        Clears Windows event logs
        
        PID:3792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
        5⤵
        
        PID:2796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
        5⤵
        
        PID:1768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
        5⤵
        
        PID:2424
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
        5⤵
        
        PID:3388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
        5⤵
        
        PID:5100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
        5⤵
        
        PID:2356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
        5⤵
        
        PID:2016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
        5⤵
        
        PID:2200
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
        5⤵
        
        PID:1980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
        5⤵
        Clears Windows event logs
        
        PID:4616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
        5⤵
        
        PID:3344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
        5⤵
        
        PID:4404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
        5⤵
        
        PID:5076
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
        5⤵
        
        PID:4000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
        5⤵
        
        PID:1652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
        5⤵
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
        5⤵
        
        PID:1708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
        5⤵
        
        PID:4592
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
        5⤵
        
        PID:4380
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
        5⤵
        
        PID:2988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
        5⤵
        
        PID:448
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
        5⤵
        
        PID:664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
        5⤵
        
        PID:4600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
        5⤵
        
        PID:4348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
        5⤵
        
        PID:852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
        5⤵
        
        PID:4608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
        5⤵
        
        PID:3124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
        5⤵
        
        PID:4344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
        5⤵
        
        PID:1160
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
        5⤵
        
        PID:1688
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
        5⤵
        
        PID:2272
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
        5⤵
        
        PID:4120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
        5⤵
        
        PID:2024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
        5⤵
        
        PID:3944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
        5⤵
        
        PID:5016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
        5⤵
        
        PID:1068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
        5⤵
        
        PID:4952
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
        5⤵
        Clears Windows event logs
        
        PID:1060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
        5⤵
        
        PID:2560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
        5⤵
        
        PID:1636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
        5⤵
        
        PID:5048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
        5⤵
        
        PID:3892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
        5⤵
        
        PID:4864
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
        5⤵
        
        PID:2888
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
        5⤵
        
        PID:1380
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
        5⤵
        
        PID:3652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
        5⤵
        
        PID:3052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
        5⤵
        
        PID:2324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
        5⤵
        
        PID:3988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
        5⤵
        
        PID:1228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
        5⤵
        
        PID:2388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
        5⤵
        
        PID:2372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
        5⤵
        
        PID:4916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
        5⤵
        
        PID:3296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
        5⤵
        
        PID:1796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
        5⤵
        
        PID:2312
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
        5⤵
        
        PID:2496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
        5⤵
        
        PID:3064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
        5⤵
        
        PID:4432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
        5⤵
        
        PID:276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
        5⤵
        
        PID:3868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
        5⤵
        
        PID:4684
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
        5⤵
        
        PID:3428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
        5⤵
        
        PID:2004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
        5⤵
        
        PID:1000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
        5⤵
        
        PID:5056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
        5⤵
        
        PID:3268
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
        5⤵
        
        PID:5096
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
        5⤵
        
        PID:2152
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
        5⤵
        
        PID:680
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
        5⤵
        
        PID:2036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
        5⤵
        
        PID:4828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
        5⤵
        
        PID:2468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
        5⤵
        
        PID:4468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
        5⤵
        
        PID:5108
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
        5⤵
        
        PID:4848
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
        5⤵
        
        PID:3468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
        5⤵
        
        PID:1852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
        5⤵
        
        PID:1832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
        5⤵
        
        PID:4476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
        5⤵
        
        PID:4968
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
        5⤵
        
        PID:2928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
        5⤵
        
        PID:5004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
        5⤵
        
        PID:964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:1064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
        5⤵
        
        PID:2092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
        5⤵
        
        PID:3476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
        5⤵
        Clears Windows event logs
        
        PID:4192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
        5⤵
        
        PID:1704
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
        5⤵
        
        PID:1444
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
        5⤵
        
        PID:2192
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
        5⤵
        
        PID:2952
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
        5⤵
        
        PID:1964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
        5⤵
        
        PID:4148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
        5⤵
        
        PID:4004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
        5⤵
        
        PID:4732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
        5⤵
        
        PID:4972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
        5⤵
        
        PID:1536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
        5⤵
        
        PID:208
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
        5⤵
        
        PID:2504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
        5⤵
        
        PID:4504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
        5⤵
        
        PID:3424
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
        5⤵
        
        PID:4084
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
        5⤵
        
        PID:4396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
        5⤵
        
        PID:2428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
        5⤵
        
        PID:3736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
        5⤵
        
        PID:2224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
        5⤵
        
        PID:4920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
        5⤵
        
        PID:780
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
        5⤵
        
        PID:2832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
        5⤵
        
        PID:228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
        5⤵
        
        PID:4452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
        5⤵
        
        PID:1124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
        5⤵
        
        PID:2948
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
        5⤵
        
        PID:1416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
        5⤵
        
        PID:3448
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
        5⤵
        
        PID:3640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
        5⤵
        
        PID:3632
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
        5⤵
        
        PID:2996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
        5⤵
        
        PID:540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
        5⤵
        
        PID:1164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
        5⤵
        
        PID:2720
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
        5⤵
        
        PID:432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
        5⤵
        
        PID:808
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
        5⤵
        
        PID:2196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
        5⤵
        
        PID:2884
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
        5⤵
        
        PID:2104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
        5⤵
        
        PID:3028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
        5⤵
        
        PID:3304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
        5⤵
        
        PID:4560
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
        5⤵
        
        PID:1728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
        5⤵
        
        PID:1784
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
        5⤵
        
        PID:3520
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
        5⤵
        
        PID:3488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
        5⤵
        
        PID:2252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
        5⤵
        
        PID:5060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
        5⤵
        
        PID:1640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
        5⤵
        
        PID:928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
        5⤵
        
        PID:4336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
        5⤵
        
        PID:4008
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
        5⤵
        
        PID:4628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
        5⤵
        
        PID:3972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
        5⤵
        
        PID:4852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
        5⤵
        
        PID:864
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
        5⤵
        
        PID:3384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
        5⤵
        
        PID:2912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
        5⤵
        
        PID:4256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
        5⤵
        
        PID:4996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
        5⤵
        
        PID:1412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
        5⤵
        
        PID:336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
        5⤵
        
        PID:972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
        5⤵
        
        PID:4752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
        5⤵
        
        PID:4812
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
        5⤵
        
        PID:3332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
        5⤵
        
        PID:2336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
        5⤵
        
        PID:4124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
        5⤵
        
        PID:2128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
        5⤵
        
        PID:3584
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
        5⤵
        
        PID:3148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
        5⤵
        
        PID:2464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
        5⤵
        
        PID:4012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
        5⤵
        
        PID:5072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
        5⤵
        
        PID:3144
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
        5⤵
        
        PID:1324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
        5⤵
        
        PID:4564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
        5⤵
        
        PID:1584
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
        5⤵
        
        PID:1408
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
        5⤵
        
        PID:1356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
        5⤵
        
        PID:2028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Store/Operational"
        5⤵
        
        PID:3016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
        5⤵
        Clears Windows event logs
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
        5⤵
        
        PID:2072
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
        5⤵
        
        PID:2796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
        5⤵
        
        PID:1768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
        5⤵
        
        PID:4576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
        5⤵
        
        PID:1252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
        5⤵
        
        PID:3168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
        5⤵
        
        PID:1696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
        5⤵
        
        PID:2424
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
        5⤵
        
        PID:1628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
        5⤵
        
        PID:1232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
        5⤵
        
        PID:4720
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
        5⤵
        
        PID:2288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
        5⤵
        
        PID:1940
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
        5⤵
        
        PID:3928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
        5⤵
        
        PID:2264
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
        5⤵
        
        PID:3040
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
        5⤵
        
        PID:1464
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
        5⤵
        
        PID:4372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
        5⤵
        
        PID:2536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
        5⤵
        
        PID:4028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
        5⤵
        
        PID:4548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
        5⤵
        
        PID:4664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
        5⤵
        
        PID:1372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
        5⤵
        
        PID:2964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
        5⤵
        
        PID:2096
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
        5⤵
        
        PID:1600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
        5⤵
        
        PID:4204
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
        5⤵
        
        PID:64
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
        5⤵
        Clears Windows event logs
        
        PID:4984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
        5⤵
        
        PID:4344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
        5⤵
        
        PID:440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
        5⤵
        
        PID:1020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
        5⤵
        
        PID:4376
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
        5⤵
        
        PID:2772
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
        5⤵
        
        PID:2024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
        5⤵
        
        PID:3460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
        5⤵
        
        PID:1168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
        5⤵
        
        PID:1080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
        5⤵
        
        PID:1564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
        5⤵
        
        PID:4888
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
        5⤵
        
        PID:1352
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
        5⤵
        
        PID:2360
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
        5⤵
        
        PID:5048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
        5⤵
        
        PID:3892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
        5⤵
        
        PID:768
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
        5⤵
        
        PID:2888
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
        5⤵
        
        PID:1380
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
        5⤵
        
        PID:3652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
        5⤵
        
        PID:3052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
        5⤵
        
        PID:2324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
        5⤵
        
        PID:3988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
        5⤵
        
        PID:3904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
        5⤵
        
        PID:1580
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
        5⤵
        
        PID:2388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
        5⤵
        
        PID:2372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
        5⤵
        
        PID:4916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
        5⤵
        
        PID:3296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
        5⤵
        
        PID:628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
        5⤵
        
        PID:3896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
        5⤵
        
        PID:2604
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
        5⤵
        
        PID:3064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"
        5⤵
        
        PID:1460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
        5⤵
        
        PID:336
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
        5⤵
        
        PID:3224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
        5⤵
        
        PID:288
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
        5⤵
        
        PID:304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
        5⤵
        
        PID:3428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
        5⤵
        
        PID:2004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
        5⤵
        
        PID:2508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
        5⤵
        
        PID:5056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
        5⤵
        
        PID:3268
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
        5⤵
        
        PID:2332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"
        5⤵
        
        PID:3740
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
        5⤵
        
        PID:2488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"
        5⤵
        
        PID:2752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
        5⤵
        
        PID:2124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"
        5⤵
        
        PID:2468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
        5⤵
        
        PID:2176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
        5⤵
        
        PID:1904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
        5⤵
        
        PID:4236
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
        5⤵
        
        PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"
        5⤵
        
        PID:3300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
        5⤵
        
        PID:2172
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"
        5⤵
        
        PID:4992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
        5⤵
        
        PID:3396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
        5⤵
        
        PID:4644
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
        5⤵
        
        PID:1104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
        5⤵
        
        PID:2296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
        5⤵
        
        PID:3792
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
        5⤵
        
        PID:2412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
        5⤵
        Clears Windows event logs
        
        PID:2276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
        5⤵
        
        PID:3836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
        5⤵
        
        PID:2344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
        5⤵
        
        PID:4636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
        5⤵
        
        PID:3716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1246.tmp\1247.tmp\1248.bat

Filesize
24B

MD5
adf8254c3e44ca2685b52366457fc6c9

SHA1
eaeef81e015e18c274ae5debfa7c511b6d871442

SHA256
eb955b96ff2dabe61d2eb8272ba5e0a30b09364a6b15832a80da7daacb8b0c4f

SHA512
2eff22c775d6cdb21ed17ece2468e5f98c9d04e323a7f39f85552629fdd2e4addc728b2866324749f1b6a565b7cf90c98b2b403a8a6af11197270d5e1fad94a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\23B0.tmp\23B1.tmp\23B2.bat

Filesize
679B

MD5
064bb52705e97caeee4dcbb5c72c1413

SHA1
13107d14185397ad662c08dda51a0ebe7583fbe8

SHA256
a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26

SHA512
af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

Download Submit
C:\Users\Admin\AppData\Local\Temp\920E.tmp\921F.tmp\9220.bat

Filesize
39B

MD5
a9832ef693180ebedb5b6ed08f0b3227

SHA1
b4ebcabbafcb1dcd113cbb7f996c3ea6443ce2b2

SHA256
9f32b3a95a985d2022d6926411a54c8f2518da0d92ac4bb213f723eb7dd09567

SHA512
fb227ed1d0fc39c28981b2c8c3a7f6bdd74e19aabdb4a8209f7e1b5de16bea554a0f6e8580109097a5894b305c2d23fb3d68f65d009c28696fe1d6ee7ae8345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\B565.tmp\B566.tmp\B567.bat

Filesize
845B

MD5
54d18c0e0a34808017e53029d7875c09

SHA1
bca96014c545bd02f964cc3dd368b5c6ce9f2963

SHA256
6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae

SHA512
95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

Download Submit
C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe

Filesize
43KB

MD5
6fbe881f1d6480e2e15d3ebe0f493d2d

SHA1
f698079150df242e156223f1b3e46f449bc01415

SHA256
49b84540d5b4b8d2344c25edb042e216592dd1dc78a5c00f2ad9457442c4581c

SHA512
2084a64ab503e214854e02dcb1ed8bff7cab40dad64cb624326d42a087f343a74b7470956c681268725e0ec2f8ab13182c814356d6d6d066a2b0c6da290d16ef

Download Submit
C:\Users\Admin\AppData\Roaming\3combined.bat

Filesize
13KB

MD5
790f1b1425f17c7dc0712486361de838

SHA1
d0056beff646d466a34346ef5c889bfec5cf0986

SHA256
7f01e60396f3dd00c16226f74ab87cd0638368b83c455b04d032f4cba436656a

SHA512
12b1faa363910ed861b831ab4209b93491d78e19ca630650425ed28856435119a1220e675e1971f237139c9140fdf6f70cf6a3ba9083bf2674c0f82fb3df3d4a

Download Submit
C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE

Filesize
148KB

MD5
182ec3a59bd847fb1bc3e12a41d48fa6

SHA1
2f548bceb819d3843827c1e218af6708db447d4b

SHA256
948dbd2bc128f8dc08267e110020fee3ff5de17cf4aaef89372de29623af96fa

SHA512
91ecc5a76edc2aea4219f68569b54d3e9fe15c2a30a146edc0d09e713feaa739a5c1e7dbfa97e60828696078d43d1f8fd3466234525b099ed6e614e854ac6c4c

Download Submit
C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe

Filesize
219KB

MD5
9353ed7c3ba8e2417ce2664ae7afac16

SHA1
05699a2a2792795db1d8f59273172ad80bdc8b06

SHA256
069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628

SHA512
cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262

Download Submit
C:\Users\Admin\AppData\Roaming\Cleaner8.exe

Filesize
156KB

MD5
3546548be0b0940c52ec881d48404818

SHA1
0ded613db5266ffaeac2194bcdd86cec9559ee1c

SHA256
dec2a16531a09d05f1ae64a21c35d53cec5998be22c16a88b2e8b4a36878db9a

SHA512
79cb1de22f0789624e4dff532d28d9203ba231e5d511995562a25da8f112eb21a970cfddf28f14760459dda0407a8f856363fca07afffa5f0a954806af619838

Download Submit
C:\Users\Admin\AppData\Roaming\DevManView.cfg

Filesize
1KB

MD5
c397462965258ee0bbe4742f83d7c977

SHA1
7a12c6504184c38b9e8096357f651a04c170b59c

SHA256
59f1e9118a106e15b2c151080e4167c4c1dc5fd33d2443ca160511ac7d9b781e

SHA512
9ccff5046bfc41e50707d36d0a9f0654f6ef86525a26656d6bc9f5759455a2b328525f4b79ed6102d5e3cf3300027264830067c6b22891a92ccfc7fc33bc9ce2

Download Submit
C:\Users\Admin\AppData\Roaming\DevManView.exe

Filesize
162KB

MD5
33d7a84f8ef67fd005f37142232ae97e

SHA1
1f560717d8038221c9b161716affb7cd6b14056e

SHA256
a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b

SHA512
c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

Download Submit
C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe

Filesize
219KB

MD5
303dbf6d5ce6b658919091240d5a4a80

SHA1
d45946e1d3c4d973042e0c1bdd88fbc1774f1385

SHA256
70ef91b18f6532b065712b31cd667d64d9fa4248baabaea3d33297250df0fd18

SHA512
666c82cb9ac94fa16739c2c34a23a9ade83f4ac3cad528109c2f255b8eeda6a31c00613346db3e9a0e3d46dc978df00d02bc4483001282bfd4f6861b44e1d408

Download Submit
C:\Users\Admin\AppData\Roaming\UCORESYS.sys

Filesize
15KB

MD5
9555d36fb21b993e5c4b98c2fc2b3671

SHA1
210a98be7da32cea98618c5a9640c23ce518c0ee

SHA256
fd6f56189cd723b32fc06392867fcd5128e63d8b5801e4f7a83523f820531981

SHA512
3ec96ba6fca7a4aa45becfef84b23b12c305f34045ac1a15b22745289e33b9326103e853bad698434df772a76515e7e8109fa8724d65f0351ee380c16d888c60

Download Submit
C:\Users\Admin\AppData\Roaming\UCOREW64.sys

Filesize
14KB

MD5
a17c58c0582ee560c72f60764ed63224

SHA1
bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825

SHA256
a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200

SHA512
a820a3280da690980a9297fe1e62356eba1983356c579d1c7ea8d6f64bc710b11b0a659c5d6b011690863065541f5627c4e3bc13c02087493de7e63d60981063

Download Submit
C:\Users\Admin\AppData\Roaming\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe

Filesize
103KB

MD5
59a7ce7a4d30e28e6bc356263693eb98

SHA1
a6ace03c0f719ce2e4f9839d0917778a5e798340

SHA256
baa7fb9cd0b15a926d8a34bc070c6cee839eb6bd2a7d4f133eed6b64a5607d8d

SHA512
8e6dac42e51945fc4bf8ab52a6642a548d7493796eda396ebd6dbe5e986f0ee46ae0e9f9d9fd714b020fda0c24f0265436278be62c1488097a777076a5e1c0c2

Download Submit
C:\Users\Admin\AppData\Roaming\ddc.exe

Filesize
377KB

MD5
97b963fd85ff4cc2a3b0da8164593cfc

SHA1
f29b0ba7cc01182f83845088375c2c18fd49f187

SHA256
af219747072341760396d686f2fe7350ec2dce713f1ec1977c21f8be7b9197d5

SHA512
232bcfb83387ed125f3c3a065031e36e3f7c494118aa2fa33c64fd3d81066531ad9de09c5358f5b0a24024b0a223a2fc4a5646e9b475853904b24729df808fae

Download Submit
C:\Users\Admin\AppData\Roaming\devcon.exe

Filesize
80KB

MD5
d153a0bc6f0476457b56fc38795dea01

SHA1
eb3c25afab996b84c52619c6f676d0663c241e01

SHA256
df048df347a738b6addec6f3fd65c73e371d0e11e2dc02f88f8ef307b964e1b7

SHA512
6322d98b356cfa9a4bc8559959de01cdd4d9c038a9d0d506d2211d9e329c6b938f5bccb5459217a4c471cf200287bdbf7068393ce6f69b37a103e5ae6e758414

Download Submit
C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe

Filesize
267KB

MD5
565825f715521b9dcccab692f1191414

SHA1
ff3eb2f1fffbd9e82132a893166b05b1db64064d

SHA256
0354388341d5f97f0ab8ed5bbef1d0ff14a233770619dd33b09cfa5f52bffe85

SHA512
888aac72349aa265d397e132e53fffcbb4632c975c8b5bb896d8a4b1ebf4e2d09bdf1b3df12407c273e0e2023bc7950ad5b49ceb27592f9c0c325214af8dd033

Download Submit
C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe

Filesize
88KB

MD5
d144852c9d62d6e8d2e3ed532c853aac

SHA1
ea52d984ff2be5fa377a21b0af425f778e60fa77

SHA256
996d44d2331f60e8c158662200fcd1f5cfc60076503e940ce9db98e0e92adfe6

SHA512
af68d189a4480c5c54e256f6e39ef5fb9e35fa78dee4163d0805a6d406183f50cef725ed7bc677c46f8030523353a16e71aa90a388a1235a2b0dc86352cd9af7

Download Submit
C:\Users\Admin\AppData\Roaming\reset_adapters.exe

Filesize
335KB

MD5
bd624e99155ffa5868f39c73a1513cee

SHA1
0a6c46d21faefaf29c992193e5dac6b4b4a58719

SHA256
4f67490d6a7d952599180f26d167b74c70d4f840d36e73bb8ec7ffb29b6a6df8

SHA512
46471f61f44f97d63993349ed005b26d0a415b4082c1a48321aba18e58d3e10415f24d18ece3016cf65967a29ca85b8d935f70e06fd5ef96cb046d7074d9368c

Download Submit
C:\Windows\INF\setupapi.dev.log

Filesize
1KB

MD5
83297eda6a83b3500a57a38f270e9084

SHA1
476482a82efc451964646e2c1e5a2b8ecf1e2765

SHA256
f0827c2deb293cd3057f6d0a882c57d35a9bb263e0ec40abdce7392ae4d30ff1

SHA512
fa7c1d9ef2d67979e315ffc5396e373f33d67e46a9451e7aabbfd5dcababc7ab87018bcdee1a78937f2d63488d458658c7d667d6e8ff3141ec24db38a6e037e0

Download Submit
memory/228-87-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/228-87-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/228-87-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1636-91-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1636-92-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1636-94-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1636-91-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1636-92-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1636-94-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1636-91-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/1636-92-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/1636-94-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656