cerber | hxxps://mega[.]nz/file/cjlTWBRS#whVM_R-M9Xu95DuVzcM4_sBpWDt1u0UxsOuk-L6TkSE

Analysis

max time kernel
246s
max time network
240s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2024 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/cjlTWBRS#whVM_R-M9Xu95DuVzcM4_sBpWDt1u0UxsOuk-L6TkSE

Score

10^/10

cerber discovery evasion exploit ransomware spyware stealer

Malware Config

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Deletes NTFS Change Journal 2 TTPs 3 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485

Processes:

fsutil.exefsutil.exefsutil.exe

pid process

1732 fsutil.exe
428 fsutil.exe
3464 fsutil.exe

pid	process
1732	fsutil.exe
428	fsutil.exe
3464	fsutil.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
4888	wevtutil.exe
4312	wevtutil.exe
4836	wevtutil.exe
1588	wevtutil.exe
5032	wevtutil.exe
2764	wevtutil.exe
5000	wevtutil.exe
5088	wevtutil.exe
3048	wevtutil.exe
1152	wevtutil.exe
2644	wevtutil.exe
744	wevtutil.exe
2224	wevtutil.exe
2260	wevtutil.exe
2244	wevtutil.exe
292	wevtutil.exe
3764
2664	wevtutil.exe
8	wevtutil.exe
3064
4596
796	wevtutil.exe
3724	wevtutil.exe
4744	wevtutil.exe
3908	wevtutil.exe
4916	wevtutil.exe
1136	wevtutil.exe
2124	wevtutil.exe
2364	wevtutil.exe
1416
5112	wevtutil.exe
3332	wevtutil.exe
4892
3064	wevtutil.exe
2256	wevtutil.exe
1208	wevtutil.exe
4128	wevtutil.exe
3972
1028
3240	wevtutil.exe
4752	wevtutil.exe
3104	wevtutil.exe
2368	wevtutil.exe
4904
4276	wevtutil.exe
4128	wevtutil.exe
3764	wevtutil.exe
2416
3304	wevtutil.exe
5112	wevtutil.exe
4012
2248	wevtutil.exe
1620	wevtutil.exe
4700
4012
3240	wevtutil.exe
5052	wevtutil.exe
1028
4600
292	wevtutil.exe
1396	wevtutil.exe
3488	wevtutil.exe
2664	wevtutil.exe
2052	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops file in Drivers directory 8 IoCs

Processes:

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File created	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys

Possible privilege escalation attempt 3 IoCs
exploit

Processes:

takeown.exeicacls.exeicacls.exe

pid process

1212 takeown.exe
2680 icacls.exe
4852 icacls.exe

pid	process
1212	takeown.exe
2680	icacls.exe
4852	icacls.exe

Drops startup file 1 IoCs

Processes:

Cleaner8.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Cleaner8.exe

Executes dropped EXE 26 IoCs

Processes:

spoofer.exeWinActivation.exeFIXusrTEMPv6.execleanerOLD1.exeCleaner8.exeAdvancedEventCleaner.exe

pid	process
1520	spoofer.exe
620	WinActivation.exe
5052	FIXusrTEMPv6.exe
4376	cleanerOLD1.exe
5024	Cleaner8.exe
3816	AdvancedEventCleaner.exe
1208
4640
4044
2472
364
1104
4900
2248
3880
2368
3320
5000
4128
1896
2168
1960
4696
308
3412
4032

Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exetakeown.exe

pid process

2680 icacls.exe
4852 icacls.exe
1212 takeown.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2680	icacls.exe
4852	icacls.exe
1212	takeown.exe

Drops desktop.ini file(s) 60 IoCs

Processes:

Cleaner8.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner8.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

fsutil.exefsutil.exe

description ioc process

File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\E: fsutil.exe

description	ioc	process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\E:	fsutil.exe

Drops file in System32 directory 9 IoCs

Processes:

Cleaner8.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\repository
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR
File opened for modification	C:\Windows\System32\restore\MachineGuid.txt	Cleaner8.exe
File opened for modification	C:\Windows\System32\spp\store	Cleaner8.exe
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP

Drops file in Windows directory 64 IoCs

Processes:

Cleaner8.exe

description	ioc	process
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FDF50724.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-C49E779A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E66A223C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-5B70F332.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-C8D69DC6.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\MICROSOFTEDGEUPDATESETUP_X86_-238E41AD.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0A03C9B5.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4EFE6110.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\WLRMDR.EXE-C2B47318.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-156D43F1.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-D9106866.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-4DC9A20E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-D2B15AE2.pf	Cleaner8.exe
File opened for modification	C:\Windows\INF\setupapi.setup.log	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-373C0EED.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-AE5EC6E9.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-AE7DB802.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7C77C512.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AgGlFaultHistory.db	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-A73FB9CB.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-BC366267.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7BB97BF6.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SHELLEXPERIENCEHOST.EXE-A3608B1E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-945CDB73.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-504C779A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7F337F0A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DISM.EXE-DE199F71.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-2C52326A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-AED2006F.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SGRMBROKER.EXE-0CA31CC6.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AgRobust.db	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVE.EXE-96969DDA.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-23EA2E5B.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-766D3C5B.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TRUSTEDINSTALLER.EXE-3CC531E5.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7E8D1C35.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-99F89D15.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-4BA0E729.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-A5891C91.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf	Cleaner8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeCleaner8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "b8790f09-b8dd54b9-0"	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Cleaner8.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

pid process

3712
2052
4368
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1480 vssadmin.exe
Kills process with taskkill 3 IoCs
evasion

Processes:

pid process

984
956
4536

pid	process
3712
2052
4368

pid	process
1480	vssadmin.exe

pid	process
984
956
4536

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

Cleaner8.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = 65505c002b18f1b4	Cleaner8.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133564064490868434"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings chrome.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

2164 NOTEPAD.EXE
3204 NOTEPAD.EXE
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\Local Settings	chrome.exe

pid	process
2164	NOTEPAD.EXE
3204	NOTEPAD.EXE

Runs ping.exe 1 TTPs 25 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
4844
1944
4024
2268	PING.EXE
1480
3084
288
3556
1296
3468	PING.EXE
324
4980
3924
4836
3824
1028
4660	PING.EXE
5024
4632
744
3488	PING.EXE
4600
3432
3704	PING.EXE
4024	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execleanerOLD1.exeCleaner8.exe

pid	process
2516	chrome.exe
2516	chrome.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe
4436	powershell.exe
4436	powershell.exe
4436	powershell.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe
8	powershell.exe
8	powershell.exe
8	powershell.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
3784	powershell.exe
3784	powershell.exe
3784	powershell.exe
3048	powershell.exe
3048	powershell.exe
4376	cleanerOLD1.exe
4376	cleanerOLD1.exe
5024	Cleaner8.exe
5024	Cleaner8.exe
1208
1208
4032
4032

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

624 7zFM.exe
Suspicious behavior: LoadsDriver 21 IoCs

Processes:

pid process

656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2516 chrome.exe
2516 chrome.exe

pid	process
624	7zFM.exe

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE7zFM.exetakeown.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execleanerOLD1.exeCleaner8.exevssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: 33	4500	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4500	AUDIODG.EXE
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeRestorePrivilege	624	7zFM.exe
Token: 35	624	7zFM.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeShutdownPrivilege	2516	chrome.exe
Token: SeCreatePagefilePrivilege	2516	chrome.exe
Token: SeSecurityPrivilege	624	7zFM.exe
Token: SeTakeOwnershipPrivilege	1212	takeown.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	4436	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeBackupPrivilege	3064	powershell.exe
Token: SeBackupPrivilege	3064	powershell.exe
Token: SeRestorePrivilege	3064	powershell.exe
Token: SeSecurityPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	3784	powershell.exe
Token: SeBackupPrivilege	3784	powershell.exe
Token: SeBackupPrivilege	3784	powershell.exe
Token: SeRestorePrivilege	3784	powershell.exe
Token: SeSecurityPrivilege	3784	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	4376	cleanerOLD1.exe
Token: SeTakeOwnershipPrivilege	5024	Cleaner8.exe
Token: SeBackupPrivilege	3876	vssvc.exe
Token: SeRestorePrivilege	3876	vssvc.exe
Token: SeAuditPrivilege	3876	vssvc.exe
Token: SeSecurityPrivilege	1020	wevtutil.exe
Token: SeBackupPrivilege	1020	wevtutil.exe
Token: SeSecurityPrivilege	4024	wevtutil.exe
Token: SeBackupPrivilege	4024	wevtutil.exe
Token: SeSecurityPrivilege	4556	wevtutil.exe
Token: SeBackupPrivilege	4556	wevtutil.exe
Token: SeSecurityPrivilege	1044	wevtutil.exe
Token: SeBackupPrivilege	1044	wevtutil.exe
Token: SeSecurityPrivilege	452	wevtutil.exe
Token: SeBackupPrivilege	452	wevtutil.exe
Token: SeSecurityPrivilege	4384	wevtutil.exe
Token: SeBackupPrivilege	4384	wevtutil.exe
Token: SeSecurityPrivilege	3320	wevtutil.exe
Token: SeBackupPrivilege	3320	wevtutil.exe
Token: SeSecurityPrivilege	116	wevtutil.exe
Token: SeBackupPrivilege	116	wevtutil.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe7zFM.exeNOTEPAD.EXE

pid	process
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
624	7zFM.exe
2516	chrome.exe
624	7zFM.exe
2164	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe
2516	chrome.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

spoofer.exeFIXusrTEMPv6.exeCleaner8.exeAdvancedEventCleaner.exe

pid	process
1520	spoofer.exe
5052	FIXusrTEMPv6.exe
5024	Cleaner8.exe
3816	AdvancedEventCleaner.exe
1208
4044
2472
364
1104
4900
2248
3880
2368
3320
5000
4128
1896
2168
1960
4696
308
3412
4032

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2516 wrote to memory of 2236	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2236	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 2024	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 5000	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 5000	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe
PID 2516 wrote to memory of 3224	2516	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/cjlTWBRS#whVM_R-M9Xu95DuVzcM4_sBpWDt1u0UxsOuk-L6TkSE
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffe96389758,0x7ffe96389768,0x7ffe96389778
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 --field-trial-handle=1864,i,5989431304883493642,15880995024275704977,131072 /prefetch:2
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1864,i,5989431304883493642,15880995024275704977,131072 /prefetch:8
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2072 --field-trial-handle=1864,i,5989431304883493642,15880995024275704977,131072 /prefetch:8
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1864,i,5989431304883493642,15880995024275704977,131072 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2988 --field-trial-handle=1864,i,5989431304883493642,15880995024275704977,131072 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1864,i,5989431304883493642,15880995024275704977,131072 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 --field-trial-handle=1864,i,5989431304883493642,15880995024275704977,131072 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5172 --field-trial-handle=1864,i,5989431304883493642,15880995024275704977,131072 /prefetch:8
  2⤵
  PID:1788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=1864,i,5989431304883493642,15880995024275704977,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\spoofer_4u4play_password.tar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:624

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4540

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x47c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Users\Admin\Desktop\spoofer.exe
"C:\Users\Admin\Desktop\spoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1520
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F230.tmp\F231.tmp\F232.bat C:\Users\Admin\Desktop\spoofer.exe"
  2⤵
  PID:1744
- - C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
    "C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5052
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\75F1.tmp\75F2.tmp\75F3.bat C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
      4⤵
      PID:1416
    - - C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        5⤵
        Runs ping.exe
        
        PID:3488
    - - C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        5⤵
        Runs ping.exe
        
        PID:2268
    - - C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        5⤵
        Runs ping.exe
        
        PID:4024
    - - C:\Windows\system32\PING.EXE
        
        ping /n 2 localhost
        5⤵
        Runs ping.exe
        
        PID:3468
- - C:\Windows\system32\PING.EXE
    PING localhost -n 3
    3⤵
    - Runs ping.exe
    PID:3704
- - C:\Windows\system32\PING.EXE
    PING localhost -n 4
    3⤵
    - Runs ping.exe
    PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe""
    3⤵
    PID:4888
  - - C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe
      "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo Y "
    3⤵
    PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\Cleaner8.exe""
    3⤵
    PID:3092
  - - C:\Users\Admin\AppData\Roaming\Cleaner8.exe
      "C:\Users\Admin\AppData\Roaming\Cleaner8.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in System32 directory
      Drops file in Windows directory
      Enumerates system info in registry
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5024
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:
        5⤵
        
        PID:4180
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d C:
        6⤵
        Deletes NTFS Change Journal
        
        PID:1732
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:
        5⤵
        
        PID:4524
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d D:
        6⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:
        5⤵
        
        PID:4332
      - C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d E:
        6⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:3464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        5⤵
        
        PID:4544
      - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /All /Quiet
        6⤵
        Interacts with shadow copies
        
        PID:1480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
        5⤵
        
        PID:1564
      - C:\Windows\system32\net.exe
        
        net stop winmgmt /Y
        6⤵
        
        PID:4596
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop winmgmt /Y
        7⤵
        
        PID:3108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        5⤵
        
        PID:60
- - C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe
    "C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3816
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D279.tmp\D27A.tmp\D27B.bat C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
      4⤵
      PID:3872
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit
        5⤵
        
        PID:824
      - C:\Windows\system32\bcdedit.exe
        
        bcdedit
        6⤵
        
        PID:3488
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wevtutil.exe el
        5⤵
        
        PID:1032
      - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AMSI/Debug"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AirSpaceChannel"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Application"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowFilterGraph"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowPluginControl"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Els_Hyphenation/Analytic"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "EndpointMapper"
        5⤵
        
        PID:5000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "FirstUXPerf-Analytic"
        5⤵
        
        PID:2436
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "ForwardedEvents"
        5⤵
        Clears Windows event logs
        
        PID:744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "General Logging"
        5⤵
        
        PID:3024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "HardwareEvents"
        5⤵
        
        PID:5080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "IHM_DebugChannel"
        5⤵
        
        PID:2836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        5⤵
        
        PID:4980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        5⤵
        
        PID:4068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        5⤵
        
        PID:5048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        5⤵
        
        PID:2312
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        5⤵
        
        PID:1536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Internet Explorer"
        5⤵
        
        PID:548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Key Management Service"
        5⤵
        
        PID:2404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
        5⤵
        
        PID:2480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        5⤵
        
        PID:3132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationFrameServer"
        5⤵
        
        PID:4000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProc"
        5⤵
        
        PID:2164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProcD3D"
        5⤵
        
        PID:3480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationAsyncWrapper"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationContentProtection"
        5⤵
        
        PID:984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDS"
        5⤵
        
        PID:856
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDeviceProxy"
        5⤵
        
        PID:4664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMP4"
        5⤵
        Clears Windows event logs
        
        PID:3240
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMediaEngine"
        5⤵
        
        PID:4916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformance"
        5⤵
        
        PID:2260
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformanceCore"
        5⤵
        
        PID:4724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPipeline"
        5⤵
        
        PID:3692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPlatform"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationSrcPrefetch"
        5⤵
        
        PID:4656
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
        5⤵
        
        PID:3712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Admin"
        5⤵
        
        PID:4216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Debug"
        5⤵
        
        PID:4640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Operational"
        5⤵
        
        PID:4368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
        5⤵
        
        PID:164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
        5⤵
        
        PID:4080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
        5⤵
        
        PID:2564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IE/Diagnostic"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
        5⤵
        
        PID:2244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
        5⤵
        
        PID:276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
        5⤵
        
        PID:292
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
        5⤵
        
        PID:1480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
        5⤵
        
        PID:4544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
        5⤵
        
        PID:3012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
        5⤵
        
        PID:2428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
        5⤵
        
        PID:2348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
        5⤵
        
        PID:2676
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
        5⤵
        
        PID:2324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
        5⤵
        
        PID:4312
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
        5⤵
        
        PID:2372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
        5⤵
        
        PID:1296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
        5⤵
        
        PID:3972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
        5⤵
        
        PID:3064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
        5⤵
        
        PID:4004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
        5⤵
        
        PID:4548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
        5⤵
        
        PID:2132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
        5⤵
        
        PID:4852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
        5⤵
        
        PID:1540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
        5⤵
        
        PID:3588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
        5⤵
        
        PID:4120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:2224
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
        5⤵
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
        5⤵
        
        PID:1764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
        5⤵
        
        PID:2344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
        5⤵
        
        PID:3880
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
        5⤵
        Clears Windows event logs
        
        PID:2248
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
        5⤵
        
        PID:536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
        5⤵
        
        PID:4132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
        5⤵
        
        PID:4824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
        5⤵
        
        PID:232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
        5⤵
        
        PID:4012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
        5⤵
        
        PID:2576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
        5⤵
        
        PID:2436
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
        5⤵
        Clears Windows event logs
        
        PID:4276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
        5⤵
        
        PID:3964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
        5⤵
        
        PID:4128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppSruProv"
        5⤵
        
        PID:4636
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
        5⤵
        
        PID:4568
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
        5⤵
        
        PID:4836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
        5⤵
        
        PID:4068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
        5⤵
        
        PID:5048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
        5⤵
        
        PID:2312
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
        5⤵
        
        PID:1536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
        5⤵
        
        PID:3432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
        5⤵
        
        PID:548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
        5⤵
        
        PID:2868
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
        5⤵
        
        PID:2480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
        5⤵
        
        PID:4000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
        5⤵
        
        PID:2164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
        5⤵
        
        PID:3480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        5⤵
        
        PID:2068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
        5⤵
        
        PID:432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
        5⤵
        
        PID:4060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        5⤵
        
        PID:4440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
        5⤵
        Clears Windows event logs
        
        PID:4888
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
        5⤵
        Clears Windows event logs
        
        PID:4916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
        5⤵
        
        PID:4984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
        5⤵
        
        PID:4880
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
        5⤵
        
        PID:3744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
        5⤵
        
        PID:3960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
        5⤵
        Clears Windows event logs
        
        PID:2052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
        5⤵
        
        PID:4168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
        5⤵
        
        PID:4208
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
        5⤵
        
        PID:4368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
        5⤵
        
        PID:1340
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
        5⤵
        Clears Windows event logs
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
        5⤵
        
        PID:1148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
        5⤵
        
        PID:2564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
        5⤵
        
        PID:5036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
        5⤵
        
        PID:2424
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
        5⤵
        
        PID:300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
        5⤵
        
        PID:1088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
        5⤵
        
        PID:1396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
        5⤵
        
        PID:2356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
        5⤵
        
        PID:3104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
        5⤵
        
        PID:3556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
        5⤵
        
        PID:2828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
        5⤵
        
        PID:64
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
        5⤵
        
        PID:1928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
        5⤵
        
        PID:2616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
        5⤵
        
        PID:2812
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Backup"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
        5⤵
        
        PID:3700
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
        5⤵
        
        PID:4624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
        5⤵
        
        PID:4816
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
        5⤵
        
        PID:3472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
        5⤵
        
        PID:1524
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
        5⤵
        
        PID:1564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
        5⤵
        
        PID:4420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
        5⤵
        
        PID:2172
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
        5⤵
        
        PID:1104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
        5⤵
        
        PID:4648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
        5⤵
        
        PID:2708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
        5⤵
        
        PID:220
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
        5⤵
        
        PID:1456
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
        5⤵
        
        PID:5100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
        5⤵
        
        PID:1020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
        5⤵
        
        PID:4024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
        5⤵
        
        PID:2180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
        5⤵
        
        PID:5052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
        5⤵
        
        PID:3564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
        5⤵
        
        PID:1152
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
        5⤵
        
        PID:1160
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
        5⤵
        
        PID:3620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
        5⤵
        
        PID:3608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
        5⤵
        
        PID:5004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
        5⤵
        
        PID:1496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Call"
        5⤵
        
        PID:4832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
        5⤵
        
        PID:928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
        5⤵
        
        PID:2364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
        5⤵
        
        PID:4956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
        5⤵
        
        PID:1984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
        5⤵
        
        PID:2404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
        5⤵
        
        PID:2900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
        5⤵
        
        PID:3132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
        5⤵
        
        PID:1604
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
        5⤵
        
        PID:3756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
        5⤵
        
        PID:4744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
        5⤵
        
        PID:4716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
        5⤵
        
        PID:856
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
        5⤵
        
        PID:4664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
        5⤵
        
        PID:3240
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
        5⤵
        
        PID:1276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
        5⤵
        Clears Windows event logs
        
        PID:2260
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
        5⤵
        
        PID:4724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
        5⤵
        
        PID:1728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
        5⤵
        
        PID:2144
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
        5⤵
        
        PID:3068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
        5⤵
        
        PID:3616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
        5⤵
        
        PID:2800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
        5⤵
        
        PID:1144
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
        5⤵
        
        PID:4044
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
        5⤵
        
        PID:2904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
        5⤵
        
        PID:3420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
        5⤵
        
        PID:2228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
        5⤵
        
        PID:2340
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
        5⤵
        Clears Windows event logs
        
        PID:2244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
        5⤵
        
        PID:276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
        5⤵
        Clears Windows event logs
        
        PID:292
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
        5⤵
        
        PID:1480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
        5⤵
        
        PID:1320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
        5⤵
        
        PID:3012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
        5⤵
        
        PID:3404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
        5⤵
        
        PID:2676
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
        5⤵
        
        PID:2644
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:4312
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
        5⤵
        
        PID:2372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
        5⤵
        
        PID:4460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
        5⤵
        
        PID:2956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
        5⤵
        
        PID:4600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
        5⤵
        Clears Windows event logs
        
        PID:3064
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
        5⤵
        
        PID:4400
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
        5⤵
        
        PID:4844
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
        5⤵
        
        PID:4184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
        5⤵
        
        PID:60
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
        5⤵
        
        PID:2232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
        5⤵
        
        PID:1140
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
        5⤵
        
        PID:2360
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
        5⤵
        Clears Windows event logs
        
        PID:5088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:2124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
        5⤵
        
        PID:3488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
        5⤵
        
        PID:1764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
        5⤵
        
        PID:3908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
        5⤵
        
        PID:2368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
        5⤵
        
        PID:1416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
        5⤵
        
        PID:4976
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
        5⤵
        
        PID:232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
        5⤵
        
        PID:116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
        5⤵
        
        PID:404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
        5⤵
        
        PID:5000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
        5⤵
        
        PID:744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
        5⤵
        
        PID:3024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
        5⤵
        Clears Windows event logs
        
        PID:4128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
        5⤵
        
        PID:2836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
        5⤵
        
        PID:4568
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
        5⤵
        
        PID:1896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
        5⤵
        
        PID:2016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
        5⤵
        
        PID:2312
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
        5⤵
        
        PID:1028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
        5⤵
        
        PID:4628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
        5⤵
        
        PID:2900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
        5⤵
        Clears Windows event logs
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
        5⤵
        
        PID:396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
        5⤵
        
        PID:3824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
        5⤵
        
        PID:2028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
        5⤵
        
        PID:3480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
        5⤵
        
        PID:5056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
        5⤵
        
        PID:2148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
        5⤵
        
        PID:4960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
        5⤵
        
        PID:3632
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
        5⤵
        
        PID:4440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
        5⤵
        
        PID:4244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
        5⤵
        
        PID:2260
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
        5⤵
        
        PID:2460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
        5⤵
        
        PID:1728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
        5⤵
        
        PID:3068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
        5⤵
        
        PID:3712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
        5⤵
        
        PID:4216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
        5⤵
        
        PID:3276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
        5⤵
        
        PID:4640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
        5⤵
        
        PID:164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
        5⤵
        
        PID:3776
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
        5⤵
        
        PID:4080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
        5⤵
        
        PID:296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
        5⤵
        
        PID:3724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
        5⤵
        
        PID:2664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
        5⤵
        
        PID:3304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
        5⤵
        
        PID:4544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
        5⤵
        
        PID:2472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
        5⤵
        
        PID:2828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
        5⤵
        
        PID:3412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
        5⤵
        
        PID:3284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
        5⤵
        
        PID:2372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
        5⤵
        
        PID:1800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
        5⤵
        
        PID:4612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
        5⤵
        
        PID:3736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
        5⤵
        
        PID:2252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
        5⤵
        
        PID:4844
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
        5⤵
        
        PID:4184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
        5⤵
        
        PID:60
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
        5⤵
        
        PID:2232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
        5⤵
        
        PID:732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
        5⤵
        
        PID:2396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
        5⤵
        
        PID:3488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
        5⤵
        
        PID:2488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
        5⤵
        
        PID:1020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
        5⤵
        
        PID:180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
        5⤵
        
        PID:452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
        5⤵
        
        PID:4384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
        5⤵
        
        PID:2896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
        5⤵
        
        PID:1152
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
        5⤵
        
        PID:4588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
        5⤵
        
        PID:4996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
        5⤵
        
        PID:3024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
        5⤵
        
        PID:1496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
        5⤵
        
        PID:3752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
        5⤵
        Clears Windows event logs
        
        PID:4836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
        5⤵
        
        PID:2512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
        5⤵
        
        PID:4876
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
        5⤵
        
        PID:2016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
        5⤵
        
        PID:1984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
        5⤵
        
        PID:548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
        5⤵
        
        PID:2388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
        5⤵
        
        PID:2696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
        5⤵
        
        PID:2900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
        5⤵
        
        PID:396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
        5⤵
        
        PID:3824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
        5⤵
        
        PID:3572
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
        5⤵
        
        PID:984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
        5⤵
        
        PID:4060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
        5⤵
        
        PID:364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
        5⤵
        
        PID:2764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
        5⤵
        
        PID:4916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
        5⤵
        
        PID:1208
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
        5⤵
        
        PID:4880
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
        5⤵
        
        PID:3692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
        5⤵
        
        PID:4656
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
        5⤵
        
        PID:4540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
        5⤵
        
        PID:4208
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
        5⤵
        
        PID:4368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
        5⤵
        
        PID:1340
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
        5⤵
        
        PID:3720
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
        5⤵
        
        PID:3764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
        5⤵
        
        PID:1148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
        5⤵
        
        PID:2564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
        5⤵
        
        PID:5036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
        5⤵
        
        PID:2424
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
        5⤵
        
        PID:300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
        5⤵
        
        PID:1088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:1396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
        5⤵
        
        PID:2356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
        5⤵
        
        PID:3104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
        5⤵
        
        PID:1828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
        5⤵
        
        PID:3556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
        5⤵
        
        PID:2348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
        5⤵
        
        PID:2324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
        5⤵
        
        PID:1928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
        5⤵
        
        PID:2616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
        5⤵
        
        PID:2812
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
        5⤵
        
        PID:2416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
        5⤵
        
        PID:3700
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
        5⤵
        
        PID:4624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
        5⤵
        
        PID:4816
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
        5⤵
        
        PID:3472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
        5⤵
        
        PID:4596
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
        5⤵
        
        PID:3244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
        5⤵
        
        PID:3084
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
        5⤵
        
        PID:2992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
        5⤵
        
        PID:1540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
        5⤵
        
        PID:3588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
        5⤵
        
        PID:2708
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
        5⤵
        
        PID:220
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
        5⤵
        
        PID:824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
        5⤵
        
        PID:2344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
        5⤵
        
        PID:5100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
        5⤵
        
        PID:2248
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
        5⤵
        
        PID:4024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
        5⤵
        
        PID:1044
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
        5⤵
        Clears Windows event logs
        
        PID:5052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
        5⤵
        
        PID:3564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Help/Operational"
        5⤵
        
        PID:4012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
        5⤵
        
        PID:2576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
        5⤵
        
        PID:1160
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
        5⤵
        
        PID:3620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
        5⤵
        
        PID:3608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
        5⤵
        
        PID:3964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
        5⤵
        
        PID:5004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
        5⤵
        
        PID:4832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
        5⤵
        
        PID:4980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
        5⤵
        
        PID:2364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
        5⤵
        
        PID:4956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
        5⤵
        
        PID:1588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
        5⤵
        
        PID:1536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
        5⤵
        
        PID:3432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
        5⤵
        
        PID:4176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
        5⤵
        
        PID:2256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
        5⤵
        Clears Windows event logs
        
        PID:3048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
        5⤵
        
        PID:2404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
        5⤵
        
        PID:2480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
        5⤵
        
        PID:1960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
        5⤵
        
        PID:2164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
        5⤵
        
        PID:3480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
        5⤵
        
        PID:5056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
        5⤵
        
        PID:2148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
        5⤵
        
        PID:4888
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
        5⤵
        
        PID:4664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
        5⤵
        Clears Windows event logs
        
        PID:3240
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
        5⤵
        
        PID:4244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
        5⤵
        
        PID:2260
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
        5⤵
        
        PID:2460
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
        5⤵
        
        PID:1728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
        5⤵
        
        PID:3068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
        5⤵
        
        PID:3712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
        5⤵
        
        PID:2800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
        5⤵
        
        PID:1144
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
        5⤵
        
        PID:4640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
        5⤵
        
        PID:1732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
        5⤵
        
        PID:164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
        5⤵
        
        PID:3776
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
        5⤵
        
        PID:4080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
        5⤵
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
        5⤵
        
        PID:296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
        5⤵
        Clears Windows event logs
        
        PID:3724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
        5⤵
        Clears Windows event logs
        
        PID:3304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
        5⤵
        
        PID:4544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
        5⤵
        
        PID:2472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
        5⤵
        
        PID:2648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
        5⤵
        
        PID:2828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
        5⤵
        
        PID:3412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
        5⤵
        
        PID:2296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
        5⤵
        
        PID:3504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
        5⤵
        
        PID:2372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
        5⤵
        
        PID:1800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
        5⤵
        
        PID:4612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
        5⤵
        
        PID:3736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
        5⤵
        
        PID:2252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
        5⤵
        
        PID:4844
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
        5⤵
        
        PID:4184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
        5⤵
        
        PID:60
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
        5⤵
        
        PID:732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
        5⤵
        
        PID:2396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:3488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
        5⤵
        
        PID:2488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
        5⤵
        
        PID:1020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
        5⤵
        
        PID:180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
        5⤵
        
        PID:452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
        5⤵
        
        PID:2896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
        5⤵
        Clears Windows event logs
        
        PID:1152
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
        5⤵
        
        PID:4588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
        5⤵
        
        PID:4660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
        5⤵
        
        PID:4996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
        5⤵
        
        PID:3024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
        5⤵
        
        PID:1496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
        5⤵
        
        PID:3752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
        5⤵
        
        PID:4836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
        5⤵
        
        PID:2512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
        5⤵
        
        PID:4876
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
        5⤵
        
        PID:1896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
        5⤵
        
        PID:1984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
        5⤵
        
        PID:548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:2256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
        5⤵
        
        PID:3048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
        5⤵
        
        PID:2404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
        5⤵
        
        PID:2480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
        5⤵
        
        PID:2028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
        5⤵
        
        PID:1960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
        5⤵
        
        PID:3480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
        5⤵
        
        PID:5056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
        5⤵
        
        PID:2148
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
        5⤵
        
        PID:856
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
        5⤵
        
        PID:3632
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
        5⤵
        
        PID:4100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
        5⤵
        
        PID:2260
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
        5⤵
        
        PID:2832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
        5⤵
        
        PID:4724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
        5⤵
        
        PID:3960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
        5⤵
        
        PID:3068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
        5⤵
        
        PID:4168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
        5⤵
        
        PID:4196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
        5⤵
        
        PID:1452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
        5⤵
        
        PID:4044
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
        5⤵
        
        PID:2904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
        5⤵
        
        PID:1672
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
        5⤵
        
        PID:4332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
        5⤵
        
        PID:2228
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
        5⤵
        
        PID:304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
        5⤵
        
        PID:4712
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
        5⤵
        
        PID:1468
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:292
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
        5⤵
        
        PID:308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
        5⤵
        
        PID:2332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
        5⤵
        
        PID:3304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
        5⤵
        
        PID:1320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
        5⤵
        
        PID:3012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
        5⤵
        
        PID:2648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
        5⤵
        
        PID:3284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
        5⤵
        
        PID:3412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
        5⤵
        
        PID:3504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
        5⤵
        
        PID:2372
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
        5⤵
        
        PID:1800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
        5⤵
        
        PID:4612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
        5⤵
        
        PID:3736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
        5⤵
        
        PID:2252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
        5⤵
        
        PID:4844
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
        5⤵
        
        PID:4184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
        5⤵
        
        PID:1540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
        5⤵
        
        PID:2984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
        5⤵
        
        PID:3092
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
        5⤵
        
        PID:732
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
        5⤵
        
        PID:2396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
        5⤵
        
        PID:3488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
        5⤵
        
        PID:2248
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
        5⤵
        
        PID:2488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
        5⤵
        
        PID:180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
        5⤵
        
        PID:452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
        5⤵
        
        PID:2896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
        5⤵
        
        PID:1152
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
        5⤵
        
        PID:4588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
        5⤵
        
        PID:4660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
        5⤵
        
        PID:4996
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
        5⤵
        
        PID:3024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
        5⤵
        
        PID:1496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
        5⤵
        
        PID:3752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
        5⤵
        
        PID:4956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
        5⤵
        
        PID:4836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:1588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
        5⤵
        
        PID:4876
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
        5⤵
        
        PID:1984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
        5⤵
        
        PID:548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
        5⤵
        
        PID:2256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
        5⤵
        
        PID:3048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
        5⤵
        
        PID:2404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
        5⤵
        
        PID:2028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
        5⤵
        
        PID:3756
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:4744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
        5⤵
        
        PID:4716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
        5⤵
        
        PID:1608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
        5⤵
        
        PID:4440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
        5⤵
        
        PID:2764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
        5⤵
        Clears Windows event logs
        
        PID:1208
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
        5⤵
        
        PID:1276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
        5⤵
        
        PID:3692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
        5⤵
        
        PID:4656
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
        5⤵
        
        PID:2144
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
        5⤵
        
        PID:4540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
        5⤵
        
        PID:4208
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
        5⤵
        
        PID:2800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
        5⤵
        
        PID:1340
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
        5⤵
        
        PID:4640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:3764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
        5⤵
        
        PID:164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
        5⤵
        
        PID:4332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
        5⤵
        
        PID:4080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
        5⤵
        Clears Windows event logs
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
        5⤵
        Clears Windows event logs
        
        PID:2664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
        5⤵
        
        PID:3724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
        5⤵
        
        PID:4700
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
        5⤵
        
        PID:3104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
        5⤵
        
        PID:1944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
        5⤵
        
        PID:4544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
        5⤵
        
        PID:2348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
        5⤵
        
        PID:2472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
        5⤵
        
        PID:2828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
        5⤵
        
        PID:3284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
        5⤵
        
        PID:2616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
        5⤵
        
        PID:1296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
        5⤵
        
        PID:3700
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
        5⤵
        
        PID:2956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
        5⤵
        
        PID:4816
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
        5⤵
        
        PID:3472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
        5⤵
        
        PID:4596
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
        5⤵
        
        PID:3244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
        5⤵
        
        PID:2992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:4752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
        5⤵
        
        PID:3588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
        5⤵
        
        PID:4120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
        5⤵
        
        PID:5024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
        5⤵
        
        PID:220
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
        5⤵
        
        PID:824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
        5⤵
        
        PID:2344
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
        5⤵
        
        PID:3880
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
        5⤵
        
        PID:2248
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
        5⤵
        
        PID:4024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
        5⤵
        
        PID:1044
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
        5⤵
        
        PID:5052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
        5⤵
        
        PID:4988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
        5⤵
        
        PID:4384
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
        5⤵
        
        PID:4012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
        5⤵
        
        PID:2436
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
        5⤵
        
        PID:1152
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
        5⤵
        
        PID:3608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
        5⤵
        
        PID:3964
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
        5⤵
        
        PID:5004
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
        5⤵
        
        PID:4832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
        5⤵
        
        PID:1496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
        5⤵
        
        PID:2364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
        5⤵
        
        PID:5048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
        5⤵
        
        PID:2016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
        5⤵
        
        PID:1536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
        5⤵
        
        PID:3432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
        5⤵
        
        PID:4176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
        5⤵
        
        PID:1984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
        5⤵
        
        PID:548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
        5⤵
        
        PID:2256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
        5⤵
        
        PID:3048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
        5⤵
        
        PID:2404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
        5⤵
        
        PID:3612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
        5⤵
        
        PID:2068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
        5⤵
        
        PID:432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
        5⤵
        
        PID:4716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
        5⤵
        
        PID:1608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
        5⤵
        
        PID:4440
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
        5⤵
        
        PID:2764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
        5⤵
        
        PID:3744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
        5⤵
        
        PID:1208
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
        5⤵
        
        PID:3692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
        5⤵
        
        PID:4696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
        5⤵
        
        PID:4656
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
        5⤵
        
        PID:4216
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
        5⤵
        
        PID:2144
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
        5⤵
        
        PID:2920
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
        5⤵
        
        PID:4208
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
        5⤵
        
        PID:1340
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
        5⤵
        
        PID:4640
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
        5⤵
        
        PID:3764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
        5⤵
        
        PID:164
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
        5⤵
        
        PID:4528
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
        5⤵
        
        PID:4332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
        5⤵
        
        PID:4080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
        5⤵
        
        PID:5112
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
        5⤵
        Clears Windows event logs
        
        PID:2664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
        5⤵
        
        PID:3724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
        5⤵
        
        PID:4700
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
        5⤵
        Clears Windows event logs
        
        PID:3104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
        5⤵
        
        PID:2300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
        5⤵
        
        PID:2324
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
        5⤵
        
        PID:2872
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
        5⤵
        
        PID:4820
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
        5⤵
        
        PID:2812
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
        5⤵
        
        PID:2416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
        5⤵
        
        PID:3496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
        5⤵
        
        PID:4624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
        5⤵
        
        PID:4600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
        5⤵
        
        PID:4548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
        5⤵
        
        PID:364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
        5⤵
        
        PID:1668
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
        5⤵
        
        PID:4596
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
        5⤵
        
        PID:3244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
        5⤵
        
        PID:2232
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
        5⤵
        
        PID:1684
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
        5⤵
        
        PID:4752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
        5⤵
        
        PID:3588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
        5⤵
        
        PID:5088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
        5⤵
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
        5⤵
        
        PID:2268
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
        5⤵
        
        PID:2396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
        5⤵
        
        PID:696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:3908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
        5⤵
        
        PID:2488
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
        5⤵
        
        PID:2368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
        5⤵
        
        PID:4824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
        5⤵
        
        PID:4892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
        5⤵
        
        PID:452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
        5⤵
        
        PID:116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
        5⤵
        
        PID:4276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
        5⤵
        
        PID:5000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
        5⤵
        
        PID:796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
        5⤵
        
        PID:744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
        5⤵
        Clears Windows event logs
        
        PID:4128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
        5⤵
        
        PID:928
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
        5⤵
        
        PID:3024
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
        5⤵
        
        PID:3752
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
        5⤵
        
        PID:208
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
        5⤵
        
        PID:4836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
        5⤵
        
        PID:2312
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
        5⤵
        
        PID:3432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
        5⤵
        
        PID:628
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
        5⤵
        
        PID:2388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
        5⤵
        
        PID:2696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
        5⤵
        
        PID:2168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
        5⤵
        
        PID:2480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:3332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
        5⤵
        
        PID:1960
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
        5⤵
        
        PID:1512
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
        5⤵
        
        PID:3480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
        5⤵
        
        PID:4060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
        5⤵
        
        PID:4744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
        5⤵
        
        PID:4916
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
        5⤵
        
        PID:4664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
        5⤵
        
        PID:4880
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
        5⤵
        
        PID:2260
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
        5⤵
        
        PID:956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
        5⤵
        
        PID:2600
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
        5⤵
        
        PID:4724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
        5⤵
        
        PID:3068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
        5⤵
        
        PID:4168
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
        5⤵
        
        PID:4368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
        5⤵
        
        PID:1452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
        5⤵
        
        PID:3420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
        5⤵
        
        PID:5036
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
        5⤵
        
        PID:280
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
        5⤵
        
        PID:276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
        5⤵
        
        PID:3924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
        5⤵
        
        PID:2556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
        5⤵
        
        PID:1396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
        5⤵
        
        PID:2356
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
        5⤵
        
        PID:1480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
        5⤵
        
        PID:2428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
        5⤵
        
        PID:3304
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
        5⤵
        
        PID:4544
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
        5⤵
        
        PID:2348
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
        5⤵
        
        PID:2472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
        5⤵
        
        PID:2828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
        5⤵
        
        PID:3412
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
        5⤵
        
        PID:3504
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
        5⤵
        
        PID:3972
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
        5⤵
        
        PID:1800
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
        5⤵
        
        PID:4612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
        5⤵
        
        PID:3736
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
        5⤵
        
        PID:2252
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
        5⤵
        
        PID:1104
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
        5⤵
        
        PID:2172
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
        5⤵
        
        PID:2992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
        5⤵
        
        PID:1540
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
        5⤵
        
        PID:4120
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
        5⤵
        
        PID:3588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
        5⤵
        
        PID:5088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
        5⤵
        
        PID:3196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
        5⤵
        
        PID:2124
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
        5⤵
        
        PID:5100
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
        5⤵
        
        PID:1020
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
        5⤵
        
        PID:3908
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
        5⤵
        
        PID:2180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
        5⤵
        
        PID:180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
        5⤵
        
        PID:5052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
        5⤵
        
        PID:4556
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
        5⤵
        
        PID:2576
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
        5⤵
        
        PID:404
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
        5⤵
        
        PID:2896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
        5⤵
        
        PID:4588
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
        5⤵
        
        PID:4660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
        5⤵
        
        PID:4128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
        5⤵
        
        PID:4832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
        5⤵
        
        PID:4956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
        5⤵
        
        PID:1896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
        5⤵
        Clears Windows event logs
        
        PID:5032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
        5⤵
        
        PID:2392
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
        5⤵
        
        PID:3140
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
        5⤵
        
        PID:4728
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
        5⤵
        
        PID:1984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
        5⤵
        
        PID:548
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
        5⤵
        
        PID:2256
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
        5⤵
        
        PID:3048
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
        5⤵
        
        PID:1620
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
        5⤵
        
        PID:684
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
        5⤵
        
        PID:3612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
        5⤵
        
        PID:2068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
        5⤵
        
        PID:4376
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
        5⤵
        
        PID:4888
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
        5⤵
        
        PID:4716
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
        5⤵
        
        PID:4984
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:2764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
        5⤵
        
        PID:1612
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
        5⤵
        
        PID:2260
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
        5⤵
        
        PID:3692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
        5⤵
        
        PID:3616
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
        5⤵
        
        PID:4536
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
        5⤵
        
        PID:3276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
        5⤵
        
        PID:4196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
        5⤵
        
        PID:3720
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
        5⤵
        
        PID:2904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
        5⤵
        
        PID:428
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
        5⤵
        
        PID:2564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
        5⤵
        
        PID:3776
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
        5⤵
        
        PID:2420
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
        5⤵
        
        PID:2244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
        5⤵
        
        PID:300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
        5⤵
        
        PID:3924
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
        5⤵
        
        PID:296
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
        5⤵
        
        PID:284
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
        5⤵
        Clears Windows event logs
        
        PID:8
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
        5⤵
        
        PID:1828
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
        5⤵
        
        PID:2660
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
        5⤵
        
        PID:1320
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
        5⤵
        
        PID:3012
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
        5⤵
        
        PID:2472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
        5⤵
        Clears Windows event logs
        
        PID:2644
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
        5⤵
        
        PID:2416
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
        5⤵
        
        PID:3496
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
        5⤵
        
        PID:4624
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
        5⤵
        
        PID:3508
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
        5⤵
        
        PID:4032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
        5⤵
        
        PID:4400
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
        5⤵
        
        PID:2132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
        5⤵
        
        PID:4852
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Store/Operational"
        5⤵
        
        PID:4652
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
        5⤵
        
        PID:3084
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
        5⤵
        
        PID:4184
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
        5⤵
        
        PID:4648
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
        5⤵
        
        PID:4900
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
        5⤵
        
        PID:4472
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
        5⤵
        
        PID:1456
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
        5⤵
        
        PID:5088
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
        5⤵
        
        PID:1764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
        5⤵
        
        PID:1032
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
        5⤵
        
        PID:2396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
        5⤵
        
        PID:4132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
        5⤵
        
        PID:696
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
        5⤵
        
        PID:2180
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:2368
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
        5⤵
        
        PID:4824
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
        5⤵
        
        PID:4892
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
        5⤵
        
        PID:452
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
        5⤵
        
        PID:116
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
        5⤵
        
        PID:4276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
        5⤵
        Clears Windows event logs
        
        PID:5000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
        5⤵
        
        PID:796
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
        5⤵
        
        PID:4980
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
        5⤵
        
        PID:4128
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
        5⤵
        
        PID:2836
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
        5⤵
        
        PID:1692
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
        5⤵
        Clears Windows event logs
        
        PID:2364
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
        5⤵
        
        PID:1896
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
        5⤵
        
        PID:2016
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
        5⤵
        
        PID:2312
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
        5⤵
        
        PID:4176
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
        5⤵
        
        PID:3432
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
        5⤵
        
        PID:2388
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
        5⤵
        
        PID:3132
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
        5⤵
        
        PID:4000
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
        5⤵
        
        PID:2480
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
        5⤵
        
        PID:396
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
        5⤵
        
        PID:3332
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
        5⤵
        
        PID:2028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
        5⤵
        
        PID:2068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
        5⤵
        
        PID:4060
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
        5⤵
        
        PID:5056
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
        5⤵
        
        PID:1608
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
        5⤵
        
        PID:4664
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
        5⤵
        
        PID:3744
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
        5⤵
        
        PID:2832
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
        5⤵
        
        PID:4880
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
        5⤵
        
        PID:956
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
        5⤵
        
        PID:2052
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
        5⤵
        
        PID:4724
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
        5⤵
        
        PID:3068
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
        5⤵
        
        PID:3276
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
        5⤵
        
        PID:4196
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
        5⤵
        
        PID:3720
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
        5⤵
        
        PID:3764
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
        5⤵
        
        PID:2904
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
        5⤵
        
        PID:2564
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
        5⤵
        
        PID:3776
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
        5⤵
        
        PID:4080
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
        5⤵
        
        PID:2244
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
        5⤵
        
        PID:300
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
        5⤵
        
        PID:3924

C:\Users\Admin\Desktop\WinActivation.exe
"C:\Users\Admin\Desktop\WinActivation.exe"
1⤵
- Executes dropped EXE
PID:620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c title Windows Activation Fix
  2⤵
  PID:3332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c color 0b
  2⤵
  PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo This tool will fix your Windows Activation
  2⤵
  PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Made by skidaim#0607
  2⤵
  PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:2348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo.
  2⤵
  PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Starting...
  2⤵
  PID:2484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\permissions.bat
  2⤵
  PID:4528
- - C:\Windows\system32\takeown.exe
    takeown /F C:\Windows\System32\sppsvc.exe
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32 /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2680
- - C:\Windows\system32\icacls.exe
    icacls C:\Windows\System32\spp /grant administrators:F /T
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo Applying permissions...
  2⤵
  PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
  2⤵
  PID:4980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -AclObject $acl
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
  2⤵
  PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP' -AclObject $acl
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
  2⤵
  PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SPPSVC' -AclObject $acl
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
  2⤵
  PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'HKLM:\SYSTEM\WPA'; $rule = New-Object System.Security.AccessControl.RegistryAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'HKLM:\SYSTEM\WPA' -AclObject $acl
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32' -AclObject $acl
  2⤵
  PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32' -AclObject $acl
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell.exe -c $acl = Get-Acl '%windir%\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path '%windir%\System32\spp' -AclObject $acl
  2⤵
  PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -c $acl = Get-Acl 'C:\Windows\System32\spp'; $rule = New-Object System.Security.AccessControl.FileSystemAccessRule ('NT Service\sppsvc','FullControl','ContainerInherit, ObjectInherit','None','Allow'); $acl.SetAccessRule($rule); Set-Acl -Path 'C:\Windows\System32\spp' -AclObject $acl
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c %windir%\IME\reset.bat
  2⤵
  PID:4908
- - C:\Windows\system32\net.exe
    net stop sppsvc
    3⤵
    PID:2340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop sppsvc
      4⤵
      PID:4468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2252

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\F232.bat
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\F232.bat" "
1⤵
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\F232.bat" "
1⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\F232.bat" "
1⤵
PID:1104

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\F232.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\Pester.bat" "
1⤵
PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -NonInteractive -NoProfile -ExecutionPolicy Bypass -Command "& Import-Module 'C:\Windows\WinSxS\wow64_microsoft.powershell.pester_31bf3856ad364e35_10.0.19041.1_none_9478227a478f23d5\..\Pester.psm1'; & { Invoke-Pester -EnableExit }"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mbfuwy3t\mbfuwy3t.cmdline"
    3⤵
    PID:4860
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5644.tmp" "c:\Users\Admin\AppData\Local\Temp\mbfuwy3t\CSC569560FC2810416B9EAEB6B94094892E.TMP"
      4⤵
      PID:1464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
4dde494bc96180506154a103fbf0c01c

SHA1
0315ae6f52bf078927451ea03eed05799c6349e1

SHA256
69f7b2a69e892ec3b6743ba9bd6e9f8761ed8ad5531ca0c1cd616bda6b114d85

SHA512
d50b66eb72c695db9880879960d374a39083dd9e57edfbdd1e82c150b435607acaa38f304661172d89c3e3055fa23dfe8301000c194977ea013e7a0e7787867b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c92ab72ba5a139325e6a65acb96666f2

SHA1
f10a717abc20f4190df684f50c47f8e986f6853f

SHA256
9086283ba95f87618f36637aac70047464b6a1ef6369716eb18595d8ae6c2b3d

SHA512
48af440c6a23b95b9e80b561423079ceec74cc9c57cdf14e687e92267c03b979b28cc35f12bf253f398b49009d92d3ccab41ffe0225523af44c87b985e6ceec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
a23b86a91a00e35d9e42bf95c36376a4

SHA1
fe08cfba153f87730f0cc376fc0240066e8e074c

SHA256
1fc2e5d3aeecde6e96521c980b02d1bd6fbf03a2c0865d52497563697b1122db

SHA512
a97b147230e92908d44b7bafcd796a0b08363b63bef634c16a00bbe11923261e0272cf82ee65b185f88cfc932d848006368c2939bc6e84f2e58cdd05e71cec8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
98e62cc8e31522208d082194c6f3125e

SHA1
8c08fd47667c39d991d963f7edb5a2b5ce3b94c1

SHA256
fc3b4857d4868d06d68e0bd5c4de8574bf09729b94a2e82499f15a91ff3a8e34

SHA512
3724f8ce78290f59d17321096edeabb609f54dd5913e4328afaef47b13fa6978beccaeec95c8a8003bacf5984ed1a6c7e9546c5e559e488dfeace104f82c87f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b5191c4081fcd8236a83817d3cc5349e

SHA1
29552af7f7271667d1dbc43f65309eefabbe5b6e

SHA256
85a5d6648c0beeba174fdbf7f33e080c7fb2f913f2e106e92869513516c2a32b

SHA512
0443f0fe54e34dd9b9130d08895564be0ae4ab898d1d80d93bb6169c51362bd94e8f71050e329590ab2389a41e5bd466b94138b2b9b0cfa878a49c9c63b71a3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
36e0266006f6b59851053120df6683bf

SHA1
740ef5b41918690fefaf43219238dac778782d8f

SHA256
1b254a7f9511333552ffba8a2838a322849db0b133b595eca5da95460dc41663

SHA512
bd62090faa8e41e6466375d27a0209ddf61ba64b09cb5f4c3b8258f7f9abb0583bd89f111e3f0893cab7929a1b3ab4c18b8ed7c35e7862ccb69265d338960e09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe577e09.TMP

Filesize
48B

MD5
b90ac1b306e773370eb7637d29a1a7f2

SHA1
9dfdf578242107d4a56b59993090e57b57376428

SHA256
de631a493c606171077b054919d16f2d74dbe3c5762fa90b60b01191fb0195c2

SHA512
246608896bdf122e9e2b9b61dfed70e7c790628fd052053b69c3ec4fdc14bfd77ed1a0f355f45e49273cb6b534b25630228b9c4c7f3eb6eea403112a842bff44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
e0582021edd244f0f3d3315b6ce1b060

SHA1
4a00d193d6c7ce8d191aa90adf6161eeae2b0023

SHA256
2d6d2f99084fa39618622310fb90084138c74799e001a7d5ff348bb5150c73b4

SHA512
92267927e72d131d6a2c303f0ff172822521925d8639ef5628f88cc2c14dfdb45b4a8e5da8566878bf0a3dee0444ac76ff4cc4b3306777fbb8d9444c5968a02f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
85fd25ed0c3ea786ea77b1bdde8a1845

SHA1
fbe7e2f27ab980eece4d98d82074ef35cadf7ca2

SHA256
51d3ec8636bce625bd50bf4ebb52033a51f9212ad23e862d42df608ec9dc2c4d

SHA512
5a9eb4b68e61e2572701e118ef840a1729446f5a1a83d38599eec4de226cbce394633020973eb3aebc0a81768d9c8605a2c9e33ad4b80642dceb44f6b9fb461e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
8fe7bd6cd1d64bcdabbf2e2ae72c5a28

SHA1
5e1080c3b8cc4c5bffc73ffe6d45fa073335d0de

SHA256
5054cd4d79ca09e90169cdaee05c1e3dfc5d6fa1ad1275e11fd094521fed3fb8

SHA512
658004888ba70fa4a8c4b573d439496532c08b81afdc0b2419187c2ec9f3e42408d9a7c2bd2c73efd06fd5ada7ea57e1bb5d188e57ead32a7c0c900a82099f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
386c44d4c41d27709445d4f198838023

SHA1
0aa143134cb817134df0f1d3228273a95d809cba

SHA256
4eced13fe8ec1d8bd12e62f76c4d40bcb46d36df35d30726e76af5b7f4637187

SHA512
6e74bb1b0ec5e66b0a84e6c51f37746b012a2a48cbbb616545a95bd5c63708aa63e3ab85c48c32ac888aed35f1e826cab67e26ea0879c37a5a4e75441a9627e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6adc6184712aa16cd56c8056c1ad161b

SHA1
5b7947345d23ac7a61697d6b988d3aaee719fdb3

SHA256
3658956276e96b6fb40923996f6ab17e5d939136d9684fa027e171e53bd73c9f

SHA512
cc4eef58a268b6f7929c02efa4bbee064639b93b0f309f3d2cfed5d634ce7d3074a7138557aa849cfbfe9fee93c700a9ab6966e2741c3ba1ceb90a60d4a6ffc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45b8309f31494e614d8c7aca0387e4cd

SHA1
9c87d45ad1765ded725892123de07960ef9091f9

SHA256
71a41cc9ebd66c35d06332b3636ae138a630ee178a7ecd12018fc8db6a350b3a

SHA512
8969f3c2ad12ae370b348384677d7da12b0c87fc2ad48e813052e1b8275d49dd573617d88687775f5c267e858e783daa36e4e892bd8d22f86d3b45aabbb2bf9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
704b4174b1ffd71ba75745e210b05c64

SHA1
472b35a772b4daeb1f67f4763f24b5751d825537

SHA256
4642944f532e13cda605e65c38131a1d58a79304599fd0e7ebf593bd77a22426

SHA512
cb8fdc832a26b78acf7207d5a9422613fb64f2aa6ae98b4c3459a537f0e0d0a78db574bc6d5f4693e12ce04bf82ad2f8dbdf2267f94342ebdd10db442c05cc26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3cd63f0d3c7536f6b18ffc9cb6e51d69

SHA1
a76e2afe6a182700ff9d44e9c173d2f0966681d5

SHA256
292aa51626cec83a152b47e0824ab0a28d6ef30838a019ad51430e0e1f520a37

SHA512
ec206540a216044e782ab9182165c2470f1b558de3955df9281fbe34b069ae241b5989cd28f244b241de48a9082f914d9e5662b8819bc07e425404ce924ecfc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
369d57db3d85a6691647fa055c4c2de3

SHA1
6b1ddb3e0da9b2afee0bea0fc19e3e83c3ea5ad3

SHA256
39ea24e33cfd6e3c78fa5eea9f3dcdba416e49bdff43465ccb7f3b001b2101d8

SHA512
33731819732636ac6bd9ed535587cdd9405400ad042752135a7d152df662652f8ce65ab513ad840b2453655cf5903b77076f685eddaaad2dd2230db4693cbd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\75F1.tmp\75F2.tmp\75F3.bat

Filesize
845B

MD5
54d18c0e0a34808017e53029d7875c09

SHA1
bca96014c545bd02f964cc3dd368b5c6ce9f2963

SHA256
6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae

SHA512
95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\D279.tmp\D27A.tmp\D27B.bat

Filesize
679B

MD5
064bb52705e97caeee4dcbb5c72c1413

SHA1
13107d14185397ad662c08dda51a0ebe7583fbe8

SHA256
a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26

SHA512
af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

Download Submit
C:\Users\Admin\AppData\Local\Temp\F230.tmp\F231.tmp\F232.bat

Filesize
39B

MD5
a9832ef693180ebedb5b6ed08f0b3227

SHA1
b4ebcabbafcb1dcd113cbb7f996c3ea6443ce2b2

SHA256
9f32b3a95a985d2022d6926411a54c8f2518da0d92ac4bb213f723eb7dd09567

SHA512
fb227ed1d0fc39c28981b2c8c3a7f6bdd74e19aabdb4a8209f7e1b5de16bea554a0f6e8580109097a5894b305c2d23fb3d68f65d009c28696fe1d6ee7ae8345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5644.tmp

Filesize
1KB

MD5
b0d3453abcdf117081564bc9af1f0cb3

SHA1
d7824c4c7250ca80c4757097025ca0daf22e431c

SHA256
c24bf109fb5214993df439fc94805ca5f8fc15bce6557bf21980fb36a28ffdfc

SHA512
94dd72fbb9e3190fea5832bf056e87c780aad7636c7ca2017dfc46fd983c6b8493d06d9aa94086e7605d95fb3aa60d9eea697d3cc8c0a3f78a64fc4ca81156c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33agdpmf.5nr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbfuwy3t\mbfuwy3t.dll

Filesize
3KB

MD5
31aa23a9bb803c60c60992093db7a0a3

SHA1
f8ee5454a7d236b8cf314fbcabc8403fab771bcf

SHA256
34e51312f8b392168dbf823b6882ee3e3719cf4bfe9dd1cba64c7ad65cfde3da

SHA512
caf5fe743bf5a293436c39bf269fd0fd380cdd4822a2c91ccb021f696692da239312bc564dc9c6c8cfa2873078c655c36ff6b626c26c82e4435e34c738c6b9ee

Download Submit
C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe

Filesize
43KB

MD5
6fbe881f1d6480e2e15d3ebe0f493d2d

SHA1
f698079150df242e156223f1b3e46f449bc01415

SHA256
49b84540d5b4b8d2344c25edb042e216592dd1dc78a5c00f2ad9457442c4581c

SHA512
2084a64ab503e214854e02dcb1ed8bff7cab40dad64cb624326d42a087f343a74b7470956c681268725e0ec2f8ab13182c814356d6d6d066a2b0c6da290d16ef

Download Submit
C:\Users\Admin\AppData\Roaming\3combined.bat

Filesize
9KB

MD5
fe08457e445b8d321ef2d11e1c0a7df8

SHA1
283870fefe6cf810c99c8169db8714aff705e8a7

SHA256
b1f21bf6eb0a6d0390b66346f8fccd443ec849d9a5c48bfdb24797f5764fdd3a

SHA512
45545328fdd9b5d1ff1e31fd400d5a90d1e833a5f36f9410890646b03b98f8a67f1bc003dc73a8eef75295704d9288378c38c146e6a38bd0e17685714dbbcca3

Download Submit
C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE

Filesize
148KB

MD5
182ec3a59bd847fb1bc3e12a41d48fa6

SHA1
2f548bceb819d3843827c1e218af6708db447d4b

SHA256
948dbd2bc128f8dc08267e110020fee3ff5de17cf4aaef89372de29623af96fa

SHA512
91ecc5a76edc2aea4219f68569b54d3e9fe15c2a30a146edc0d09e713feaa739a5c1e7dbfa97e60828696078d43d1f8fd3466234525b099ed6e614e854ac6c4c

Download Submit
C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe

Filesize
219KB

MD5
9353ed7c3ba8e2417ce2664ae7afac16

SHA1
05699a2a2792795db1d8f59273172ad80bdc8b06

SHA256
069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628

SHA512
cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262

Download Submit
C:\Users\Admin\AppData\Roaming\Cleaner8.exe

Filesize
156KB

MD5
3546548be0b0940c52ec881d48404818

SHA1
0ded613db5266ffaeac2194bcdd86cec9559ee1c

SHA256
dec2a16531a09d05f1ae64a21c35d53cec5998be22c16a88b2e8b4a36878db9a

SHA512
79cb1de22f0789624e4dff532d28d9203ba231e5d511995562a25da8f112eb21a970cfddf28f14760459dda0407a8f856363fca07afffa5f0a954806af619838

Download Submit
C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe

Filesize
219KB

MD5
303dbf6d5ce6b658919091240d5a4a80

SHA1
d45946e1d3c4d973042e0c1bdd88fbc1774f1385

SHA256
70ef91b18f6532b065712b31cd667d64d9fa4248baabaea3d33297250df0fd18

SHA512
666c82cb9ac94fa16739c2c34a23a9ade83f4ac3cad528109c2f255b8eeda6a31c00613346db3e9a0e3d46dc978df00d02bc4483001282bfd4f6861b44e1d408

Download Submit
C:\Users\Admin\AppData\Roaming\UCORESYS.sys

Filesize
15KB

MD5
9555d36fb21b993e5c4b98c2fc2b3671

SHA1
210a98be7da32cea98618c5a9640c23ce518c0ee

SHA256
fd6f56189cd723b32fc06392867fcd5128e63d8b5801e4f7a83523f820531981

SHA512
3ec96ba6fca7a4aa45becfef84b23b12c305f34045ac1a15b22745289e33b9326103e853bad698434df772a76515e7e8109fa8724d65f0351ee380c16d888c60

Download Submit
C:\Users\Admin\AppData\Roaming\UCOREW64.sys

Filesize
14KB

MD5
a17c58c0582ee560c72f60764ed63224

SHA1
bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825

SHA256
a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200

SHA512
a820a3280da690980a9297fe1e62356eba1983356c579d1c7ea8d6f64bc710b11b0a659c5d6b011690863065541f5627c4e3bc13c02087493de7e63d60981063

Download Submit
C:\Users\Admin\AppData\Roaming\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe

Filesize
103KB

MD5
59a7ce7a4d30e28e6bc356263693eb98

SHA1
a6ace03c0f719ce2e4f9839d0917778a5e798340

SHA256
baa7fb9cd0b15a926d8a34bc070c6cee839eb6bd2a7d4f133eed6b64a5607d8d

SHA512
8e6dac42e51945fc4bf8ab52a6642a548d7493796eda396ebd6dbe5e986f0ee46ae0e9f9d9fd714b020fda0c24f0265436278be62c1488097a777076a5e1c0c2

Download Submit
C:\Users\Admin\AppData\Roaming\devcon.exe

Filesize
80KB

MD5
d153a0bc6f0476457b56fc38795dea01

SHA1
eb3c25afab996b84c52619c6f676d0663c241e01

SHA256
df048df347a738b6addec6f3fd65c73e371d0e11e2dc02f88f8ef307b964e1b7

SHA512
6322d98b356cfa9a4bc8559959de01cdd4d9c038a9d0d506d2211d9e329c6b938f5bccb5459217a4c471cf200287bdbf7068393ce6f69b37a103e5ae6e758414

Download Submit
C:\Users\Admin\AppData\Roaming\reset_adapters.exe

Filesize
335KB

MD5
bd624e99155ffa5868f39c73a1513cee

SHA1
0a6c46d21faefaf29c992193e5dac6b4b4a58719

SHA256
4f67490d6a7d952599180f26d167b74c70d4f840d36e73bb8ec7ffb29b6a6df8

SHA512
46471f61f44f97d63993349ed005b26d0a415b4082c1a48321aba18e58d3e10415f24d18ece3016cf65967a29ca85b8d935f70e06fd5ef96cb046d7074d9368c

Download Submit
C:\Users\Admin\Desktop\WinActivation.exe

Filesize
703KB

MD5
8c1d40db6464fd098716a317486db961

SHA1
4b4d82e0a91f11e1348488b9e9edd43697d9db67

SHA256
7b9723c3ca58ecdde9af2dd2215e00fa7c7692e960242d9c6b2e80ab45fc90d5

SHA512
16c868e227c4928dfcc116ba6e9d93c22418936cad625cd48645abb96229d31ee1329105097d2e7f36f6382e214dfd54e1eb92842bcc45edd978f64da6c4c6dd

Download Submit
C:\Users\Admin\Desktop\spoofer.exe

Filesize
9.4MB

MD5
80ec9fe0e6a95907f78b6038623c8618

SHA1
42b44edc959f80a9a5a48e2aca4104912044b891

SHA256
e9444aab090e91374385729b93f05668504a966d2bb00b516dfd6abb961f4c0f

SHA512
e66550f70b85ca12c51b8a6cc91b370a7f4d734c19ae20c1f4a8f9495cc9222cefe0202ca016c1b14ce71ab6bfc4211c1d7c897493f12eae1ff4ebfaaeb77e90

Download Submit
C:\Users\Admin\Downloads\spoofer_4u4play_password.tar

Filesize
9.3MB

MD5
8cce6cc6f5d97e2d38939b476aa34325

SHA1
acf449b2da5f806df40b07cee9000de8a99c7e1f

SHA256
4d962800348669bd9b1b2a5178b4573213a5bcc770b472b5696c2478688c71bd

SHA512
6fe36bab73615744aeb5e81bd5ee83b39180635107b76e498c6e7986db119265d44ceccb354e17946e66be83445ef3034d58259090fe4f6b686730ac6c2eea45

Download Submit
C:\Windows\IME\permissions.bat

Filesize
162B

MD5
4be7ca8b30ea192628228857b5005655

SHA1
588a60df54f8ff2924b2fd569dfc39ce5ae17cfd

SHA256
5e56203e437e3a219fcc9f295c8bcf31961585de816212ce0a6a306a465bc853

SHA512
169b735f5b72ff12910451cf9fbab231b0d9e8b9481f9e01824e5c85075caf17283bb4a54353a9c5958c5ff7eebc6dc932630c1e824be5ebe416bc608306c7b4

Download Submit
C:\Windows\IME\reset.bat

Filesize
325B

MD5
939378e1c9e25f424c618a379e61fc48

SHA1
45822124d56b6e6efcfbaab246feff695b7098d4

SHA256
fd805584b817ad0b320c85653a5bd7342650359feae60e5a3e722d5571542146

SHA512
3833f14692f5cdfea285654f91ac814a89bf189a4db99b0fc1e817905d9929f6f4b184db5a51269f9b82170a14af2c5e0510150201cea03177cab04fb26494fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbfuwy3t\CSC569560FC2810416B9EAEB6B94094892E.TMP

Filesize
652B

MD5
b0e5e57200288fda6c6d0e3600f4e7b7

SHA1
8f50c53acf8987d34d382b395a2a59c620dc1059

SHA256
1b81d75a83fba4c22918ff77ae2d0c2ac48f3966ef187ca420644eea5f7841d3

SHA512
60fa24f96c7d3ec8862ec8c1d3a9682bd6b0ed5ee30483c1faa1a0e5db003cf33a07c0fb6537ea571e4c488f81af64b4d4ac334d700cacebe69c6b68d4215087

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbfuwy3t\mbfuwy3t.0.cs

Filesize
907B

MD5
d98b32865e5bd9376502ce614141b7fa

SHA1
673d622933fbdb9aaafaf847c3cb8f1ce4b18cbc

SHA256
6d21e15bcaebe4b6461790fbe39381ef6dc736eec19a66e80ee15caf4680fe00

SHA512
28f4ec12ba6b47af36e288a81de46ce017144416626c50c4266207f92ac5d4b532691e1ee5a3cf54abc0c567e5cd60fb3d3180e8829cdbfab98013d45377ddb0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mbfuwy3t\mbfuwy3t.cmdline

Filesize
369B

MD5
5b966584c1f8cd012f0e665ae9b7e063

SHA1
69af1bee02fa366085986eddbd8e584927ba03a3

SHA256
7cef8ffed2f518a46bce310f1f2accab03a9a0e75f974a55428eca3649d4d332

SHA512
2ed9c1c5e023e1b4cfc8baa0e4a57653d255d76ef06d5a61e4b4a05633afb7d1bd57d2d1a3b129ce15cbfc83597aced4fe06de0a3b8ab5c261c6730f3eaaa4e0

Download Submit
\??\pipe\crashpad_2516_HZXWDVRLAVOCTZTY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/8-375-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/8-363-0x00000256C09F0000-0x00000256C0A00000-memory.dmp

Filesize
64KB

Download
memory/8-362-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/2884-324-0x0000022FEC510000-0x0000022FEC532000-memory.dmp

Filesize
136KB

Download
memory/2884-325-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/2884-326-0x0000022FEBC20000-0x0000022FEBC30000-memory.dmp

Filesize
64KB

Download
memory/2884-327-0x0000022FEBC20000-0x0000022FEBC30000-memory.dmp

Filesize
64KB

Download
memory/2884-330-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/3048-487-0x000001B9C95C0000-0x000001B9C95E4000-memory.dmp

Filesize
144KB

Download
memory/3048-482-0x00007FFE82A90000-0x00007FFE83551000-memory.dmp

Filesize
10.8MB

Download
memory/3048-500-0x000001B9C9320000-0x000001B9C9328000-memory.dmp

Filesize
32KB

Download
memory/3048-486-0x000001B9C95C0000-0x000001B9C95EA000-memory.dmp

Filesize
168KB

Download
memory/3048-503-0x00007FFE82A90000-0x00007FFE83551000-memory.dmp

Filesize
10.8MB

Download
memory/3048-484-0x000001B9C9340000-0x000001B9C9350000-memory.dmp

Filesize
64KB

Download
memory/3048-483-0x000001B9C9340000-0x000001B9C9350000-memory.dmp

Filesize
64KB

Download
memory/3064-390-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/3064-388-0x00000200AB560000-0x00000200AB570000-memory.dmp

Filesize
64KB

Download
memory/3064-387-0x00000200AB560000-0x00000200AB570000-memory.dmp

Filesize
64KB

Download
memory/3064-386-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/3784-396-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/3784-402-0x0000027F6DD40000-0x0000027F6DD50000-memory.dmp

Filesize
64KB

Download
memory/3784-405-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/3784-401-0x0000027F6DD40000-0x0000027F6DD50000-memory.dmp

Filesize
64KB

Download
memory/3972-347-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/3972-348-0x000001E40D560000-0x000001E40D570000-memory.dmp

Filesize
64KB

Download
memory/3972-349-0x000001E40D560000-0x000001E40D570000-memory.dmp

Filesize
64KB

Download
memory/3972-361-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/4376-513-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4376-515-0x0000000075250000-0x0000000075A00000-memory.dmp

Filesize
7.7MB

Download
memory/4376-512-0x0000000000010000-0x0000000000030000-memory.dmp

Filesize
128KB

Download
memory/4436-332-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download
memory/4436-342-0x000001F57D850000-0x000001F57D860000-memory.dmp

Filesize
64KB

Download
memory/4436-343-0x000001F57D850000-0x000001F57D860000-memory.dmp

Filesize
64KB

Download
memory/4436-346-0x00007FFE862D0000-0x00007FFE86D91000-memory.dmp

Filesize
10.8MB

Download

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656

pid	process
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656
656