rhysida | b55ecbddcbed916481ad537807cd3e33cb71814be6ce8e03eb63b629ccb8c692

Resubmissions

09-04-2024 07:34

240409-jebtcach7x 10

09-04-2024 07:33

09-04-2024 07:33

09-04-2024 07:33

16-12-2023 05:07

Analysis

max time kernel
217s
max time network
276s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
09-04-2024 07:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
Size

497KB
MD5

5f3ecd02a94cec2b62bfecd79f5a1d98
SHA1

2cd65d6d0cb10b8d061ee33133f0f98f86917265
SHA256

b55ecbddcbed916481ad537807cd3e33cb71814be6ce8e03eb63b629ccb8c692
SHA512

254949d3932a915394dec0eca359291baa8963e0cab55d28af02c678ce9841a3dad9b2d28e911f51655d8a52cf7d7379b446c0a2917b6e083abf95a1aa68dfee
SSDEEP

6144:rFoCbN9uRhQW8HnuYqWrJhN7L6aMFNYkS+D5gtuMf9opagj7T:IqnTp7N78Y5e5gUG9o/

Score

10^/10

rhysida evasion ransomware spyware stealer

Malware Config

Signatures

Detect Rhysida ransomware 5 IoCs

resource	yara_rule
behavioral4/memory/1136-8394-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida
behavioral4/memory/1136-13224-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida
behavioral4/memory/1136-13225-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida
behavioral4/memory/1136-13227-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida
behavioral4/memory/1136-13246-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida

Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
ransomware rhysida

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
5964	wevtutil.exe
6012	wevtutil.exe
3940	wevtutil.exe
1008	wevtutil.exe
2808	wevtutil.exe
1388	wevtutil.exe
2012	wevtutil.exe
4660	wevtutil.exe
4984	wevtutil.exe
3044	wevtutil.exe
5996	Process not Found
5624	wevtutil.exe
2360	wevtutil.exe
2876	wevtutil.exe
3972	Process not Found
1104	wevtutil.exe
2408	wevtutil.exe
5012	wevtutil.exe
676	wevtutil.exe
6048	wevtutil.exe
2220	wevtutil.exe
1920	wevtutil.exe
5640	wevtutil.exe
2036	wevtutil.exe
6804	Process not Found
5620	wevtutil.exe
228	wevtutil.exe
5504	wevtutil.exe
784	wevtutil.exe
5716	wevtutil.exe
2696	wevtutil.exe
6820	Process not Found
6192	wevtutil.exe
2540	wevtutil.exe
5140	wevtutil.exe
3912	wevtutil.exe
420	wevtutil.exe
5452	wevtutil.exe
1912	Process not Found
1704	wevtutil.exe
408	wevtutil.exe
1008	wevtutil.exe
4508	wevtutil.exe
32	Process not Found
4808	wevtutil.exe
6152	wevtutil.exe
2004	wevtutil.exe
2376	wevtutil.exe
6000	wevtutil.exe
2708	wevtutil.exe
5980	wevtutil.exe
6512	wevtutil.exe
2908	wevtutil.exe
7080	wevtutil.exe
5560	wevtutil.exe
6972	wevtutil.exe
1032	wevtutil.exe
3664	wevtutil.exe
6076	wevtutil.exe
6616	wevtutil.exe
5232	Process not Found
4068	wevtutil.exe
3124	wevtutil.exe
4692	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (8341) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\bg.jpg"	Process not Found

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1CACH.LEX.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_history_18.svg.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\da.pak.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\osmux.x-none.msi.16.x-none.vreg.dat.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ul-oob.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\THMBNAIL.PNG.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Extensions\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\tr\msipc.dll.mui.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest2-ul-oob.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\THMBNAIL.PNG.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\download-btn.png.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.tree.dat.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\db2v0801.xsl.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateCCFiles_280x192.svg.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\plugin.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\hi.pak.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ul-oob.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\EdgeWebView.dat.DATA.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemui.msi.16.en-us.tree.dat.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-pl.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\ACADEMIC.ONE.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.TLB.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Notifications\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\devtools\es.pak.DATA.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\kn.pak.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_KMS_ClientC2R-ul.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\vlc.mo.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\JPEGIM32.FLT.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\editpdf-tool-view.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-pl.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3668	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5988	Process not Found

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
308	Process not Found
308	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2208	vssvc.exe
Token: SeRestorePrivilege	2208	vssvc.exe
Token: SeAuditPrivilege	2208	vssvc.exe
Token: SeSecurityPrivilege	6668	wevtutil.exe
Token: SeBackupPrivilege	6668	wevtutil.exe
Token: SeSecurityPrivilege	4916	wevtutil.exe
Token: SeBackupPrivilege	4916	wevtutil.exe
Token: SeSecurityPrivilege	6300	wevtutil.exe
Token: SeBackupPrivilege	6300	wevtutil.exe
Token: SeSecurityPrivilege	384	wevtutil.exe
Token: SeBackupPrivilege	384	wevtutil.exe
Token: SeSecurityPrivilege	2220	wevtutil.exe
Token: SeBackupPrivilege	2220	wevtutil.exe
Token: SeSecurityPrivilege	2348	wevtutil.exe
Token: SeBackupPrivilege	2348	wevtutil.exe
Token: SeSecurityPrivilege	2992	wevtutil.exe
Token: SeBackupPrivilege	2992	wevtutil.exe
Token: SeSecurityPrivilege	5848	wevtutil.exe
Token: SeBackupPrivilege	5848	wevtutil.exe
Token: SeSecurityPrivilege	6992	wevtutil.exe
Token: SeBackupPrivilege	6992	wevtutil.exe
Token: SeSecurityPrivilege	5716	wevtutil.exe
Token: SeBackupPrivilege	5716	wevtutil.exe
Token: SeSecurityPrivilege	2716	wevtutil.exe
Token: SeBackupPrivilege	2716	wevtutil.exe
Token: SeSecurityPrivilege	3048	wevtutil.exe
Token: SeBackupPrivilege	3048	wevtutil.exe
Token: SeSecurityPrivilege	6192	wevtutil.exe
Token: SeBackupPrivilege	6192	wevtutil.exe
Token: SeSecurityPrivilege	6652	wevtutil.exe
Token: SeBackupPrivilege	6652	wevtutil.exe
Token: SeSecurityPrivilege	5140	wevtutil.exe
Token: SeBackupPrivilege	5140	wevtutil.exe
Token: SeSecurityPrivilege	3152	wevtutil.exe
Token: SeBackupPrivilege	3152	wevtutil.exe
Token: SeSecurityPrivilege	4736	wevtutil.exe
Token: SeBackupPrivilege	4736	wevtutil.exe
Token: SeSecurityPrivilege	6260	wevtutil.exe
Token: SeBackupPrivilege	6260	wevtutil.exe
Token: SeSecurityPrivilege	5964	wevtutil.exe
Token: SeBackupPrivilege	5964	wevtutil.exe
Token: SeSecurityPrivilege	2000	wevtutil.exe
Token: SeBackupPrivilege	2000	wevtutil.exe
Token: SeSecurityPrivilege	552	wevtutil.exe
Token: SeBackupPrivilege	552	wevtutil.exe
Token: SeSecurityPrivilege	5192	wevtutil.exe
Token: SeBackupPrivilege	5192	wevtutil.exe
Token: SeSecurityPrivilege	6284	wevtutil.exe
Token: SeBackupPrivilege	6284	wevtutil.exe
Token: SeSecurityPrivilege	5176	wevtutil.exe
Token: SeBackupPrivilege	5176	wevtutil.exe
Token: SeSecurityPrivilege	4212	wevtutil.exe
Token: SeBackupPrivilege	4212	wevtutil.exe
Token: SeSecurityPrivilege	6140	wevtutil.exe
Token: SeBackupPrivilege	6140	wevtutil.exe
Token: SeSecurityPrivilege	6840	wevtutil.exe
Token: SeBackupPrivilege	6840	wevtutil.exe
Token: SeSecurityPrivilege	4636	wevtutil.exe
Token: SeBackupPrivilege	4636	wevtutil.exe
Token: SeSecurityPrivilege	424	wevtutil.exe
Token: SeBackupPrivilege	424	wevtutil.exe
Token: SeSecurityPrivilege	4872	wevtutil.exe
Token: SeBackupPrivilege	4872	wevtutil.exe
Token: SeSecurityPrivilege	7104	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 6704	1136	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe	78
PID 1136 wrote to memory of 6704	1136	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe	78
PID 6704 wrote to memory of 5720	6704	cmd.exe	80
PID 6704 wrote to memory of 5720	6704	cmd.exe	80
PID 5720 wrote to memory of 3668	5720	cmd.exe	81
PID 5720 wrote to memory of 3668	5720	cmd.exe	81
PID 1136 wrote to memory of 6356	1136	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe	84
PID 1136 wrote to memory of 6356	1136	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe	84
PID 6356 wrote to memory of 6148	6356	cmd.exe	86
PID 6356 wrote to memory of 6148	6356	cmd.exe	86
PID 6148 wrote to memory of 4944	6148	cmd.exe	87
PID 6148 wrote to memory of 4944	6148	cmd.exe	87
PID 4944 wrote to memory of 6668	4944	cmd.exe	88
PID 4944 wrote to memory of 6668	4944	cmd.exe	88
PID 6148 wrote to memory of 4916	6148	cmd.exe	89
PID 6148 wrote to memory of 4916	6148	cmd.exe	89
PID 6148 wrote to memory of 6300	6148	cmd.exe	90
PID 6148 wrote to memory of 6300	6148	cmd.exe	90
PID 6148 wrote to memory of 384	6148	cmd.exe	91
PID 6148 wrote to memory of 384	6148	cmd.exe	91
PID 6148 wrote to memory of 2220	6148	cmd.exe	92
PID 6148 wrote to memory of 2220	6148	cmd.exe	92
PID 6148 wrote to memory of 2348	6148	cmd.exe	93
PID 6148 wrote to memory of 2348	6148	cmd.exe	93
PID 6148 wrote to memory of 2992	6148	cmd.exe	94
PID 6148 wrote to memory of 2992	6148	cmd.exe	94
PID 6148 wrote to memory of 5848	6148	cmd.exe	95
PID 6148 wrote to memory of 5848	6148	cmd.exe	95
PID 6148 wrote to memory of 6992	6148	cmd.exe	96
PID 6148 wrote to memory of 6992	6148	cmd.exe	96
PID 6148 wrote to memory of 5716	6148	cmd.exe	97
PID 6148 wrote to memory of 5716	6148	cmd.exe	97
PID 6148 wrote to memory of 2716	6148	cmd.exe	98
PID 6148 wrote to memory of 2716	6148	cmd.exe	98
PID 6148 wrote to memory of 3048	6148	cmd.exe	99
PID 6148 wrote to memory of 3048	6148	cmd.exe	99
PID 6148 wrote to memory of 6192	6148	cmd.exe	100
PID 6148 wrote to memory of 6192	6148	cmd.exe	100
PID 6148 wrote to memory of 6652	6148	cmd.exe	101
PID 6148 wrote to memory of 6652	6148	cmd.exe	101
PID 6148 wrote to memory of 5140	6148	cmd.exe	102
PID 6148 wrote to memory of 5140	6148	cmd.exe	102
PID 6148 wrote to memory of 3152	6148	cmd.exe	103
PID 6148 wrote to memory of 3152	6148	cmd.exe	103
PID 6148 wrote to memory of 4736	6148	cmd.exe	104
PID 6148 wrote to memory of 4736	6148	cmd.exe	104
PID 6148 wrote to memory of 6260	6148	cmd.exe	105
PID 6148 wrote to memory of 6260	6148	cmd.exe	105
PID 6148 wrote to memory of 5964	6148	cmd.exe	106
PID 6148 wrote to memory of 5964	6148	cmd.exe	106
PID 6148 wrote to memory of 2000	6148	cmd.exe	107
PID 6148 wrote to memory of 2000	6148	cmd.exe	107
PID 6148 wrote to memory of 552	6148	cmd.exe	108
PID 6148 wrote to memory of 552	6148	cmd.exe	108
PID 6148 wrote to memory of 5192	6148	cmd.exe	109
PID 6148 wrote to memory of 5192	6148	cmd.exe	109
PID 6148 wrote to memory of 6284	6148	cmd.exe	110
PID 6148 wrote to memory of 6284	6148	cmd.exe	110
PID 6148 wrote to memory of 5176	6148	cmd.exe	111
PID 6148 wrote to memory of 5176	6148	cmd.exe	111
PID 6148 wrote to memory of 4212	6148	cmd.exe	112
PID 6148 wrote to memory of 4212	6148	cmd.exe	112
PID 6148 wrote to memory of 6140	6148	cmd.exe	113
PID 6148 wrote to memory of 6140	6148	cmd.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
"C:\Users\Admin\AppData\Local\Temp\2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6704
- - C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5720
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6356
- - C:\Windows\system32\cmd.exe
    cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4944
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "AMSI/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "AirSpaceChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Application"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:2220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowFilterGraph"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowPluginControl"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Els_Hyphenation/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "EndpointMapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "FirstUXPerf-Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "ForwardedEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "General Logging"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "HardwareEvents"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:6192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "IHM_DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:5964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationFrameServer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProc"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProcD3D"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationAsyncWrapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationContentProtection"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDS"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationMP4"
      4⤵
      PID:5776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationMediaEngine"
      4⤵
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformance"
      4⤵
      PID:5884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformanceCore"
      4⤵
      PID:3344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPipeline"
      4⤵
      PID:3312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPlatform"
      4⤵
      PID:6208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationSrcPrefetch"
      4⤵
      PID:6268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
      4⤵
      PID:5892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Admin"
      4⤵
      PID:7036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Debug"
      4⤵
      PID:5300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Operational"
      4⤵
      PID:4940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
      4⤵
      PID:1108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
      4⤵
      PID:2392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
      4⤵
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
      4⤵
      PID:6220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IE/Diagnostic"
      4⤵
      PID:2312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
      4⤵
      PID:3864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      PID:5544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
      4⤵
      PID:6572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      PID:6876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      PID:5352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-System-Diagnostics-DiagnosticInvoker/Operational"
      4⤵
      PID:948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
      4⤵
      PID:6552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
      4⤵
      PID:2044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
      4⤵
      PID:5836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
      4⤵
      Clears Windows event logs
      PID:6512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
      4⤵
      PID:4400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
      4⤵
      PID:3144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
      4⤵
      PID:5288
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
      4⤵
      Clears Windows event logs
      PID:5620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
      4⤵
      Clears Windows event logs
      PID:5452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
      4⤵
      PID:3908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
      4⤵
      PID:4268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
      4⤵
      PID:1880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
      4⤵
      PID:5732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
      4⤵
      PID:1892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
      4⤵
      PID:5204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      PID:7044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      PID:6912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
      4⤵
      PID:3068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
      4⤵
      PID:6500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
      4⤵
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
      4⤵
      PID:5520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
      4⤵
      PID:1956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
      4⤵
      PID:4060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
      4⤵
      PID:5816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
      4⤵
      PID:3800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:2928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:2856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
      4⤵
      PID:7072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
      4⤵
      PID:3376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
      4⤵
      PID:5704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
      4⤵
      PID:5504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
      4⤵
      PID:6024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
      4⤵
      PID:8
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
      4⤵
      PID:4424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
      4⤵
      PID:5740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
      4⤵
      PID:5680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
      4⤵
      PID:5432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
      4⤵
      PID:5588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppSruProv"
      4⤵
      PID:5416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
      4⤵
      PID:2516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
      4⤵
      PID:5308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
      4⤵
      PID:5996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
      4⤵
      PID:6872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
      4⤵
      PID:5536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
      4⤵
      Clears Windows event logs
      PID:5624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
      4⤵
      PID:5932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
      4⤵
      PID:7132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:5656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:3936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:1924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:2652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
      4⤵
      PID:5208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:5980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:4748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
      4⤵
      PID:6816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:4016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      PID:1216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      PID:5552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
      4⤵
      PID:7052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
      4⤵
      PID:5868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
      4⤵
      PID:5312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
      4⤵
      PID:4504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
      4⤵
      PID:5168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
      4⤵
      Clears Windows event logs
      PID:4068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
      4⤵
      PID:5744
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
      4⤵
      PID:6680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
      4⤵
      PID:5188
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      PID:5412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
      4⤵
      PID:4552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
      4⤵
      PID:6340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
      4⤵
      PID:5496
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
      4⤵
      PID:7076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
      4⤵
      PID:7068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
      4⤵
      PID:1092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
      4⤵
      PID:7124
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
      4⤵
      PID:6560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
      4⤵
      PID:1700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
      4⤵
      PID:1140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:5344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
      4⤵
      PID:6720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
      4⤵
      PID:2512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
      4⤵
      PID:1624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
      4⤵
      PID:6584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
      4⤵
      PID:4052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
      4⤵
      PID:5200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
      4⤵
      PID:3136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Backup"
      4⤵
      PID:6264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
      4⤵
      PID:1448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
      4⤵
      PID:6040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
      4⤵
      PID:5136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
      4⤵
      PID:3128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:6088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:1212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:3428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
      4⤵
      PID:3788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
      4⤵
      PID:2852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
      4⤵
      PID:5748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
      4⤵
      PID:5372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:5572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:6008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
      4⤵
      PID:2820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
      4⤵
      PID:4688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:6464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
      4⤵
      PID:6592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:2364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      PID:7144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:1768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
      4⤵
      PID:6448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      PID:4664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      PID:2040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
      4⤵
      PID:6032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
      4⤵
      PID:6176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
      4⤵
      PID:7004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:3988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
      4⤵
      PID:6632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
      4⤵
      PID:6064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Call"
      4⤵
      PID:2300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
      4⤵
      PID:6096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
      4⤵
      PID:6108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
      4⤵
      PID:1052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
      4⤵
      PID:6028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
      4⤵
      PID:1096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
      4⤵
      PID:6000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      PID:6888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      PID:2740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
      4⤵
      PID:5976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
      4⤵
      PID:2292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      PID:6156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
      4⤵
      PID:7084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
      4⤵
      PID:6316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      PID:3004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:3556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:4960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      PID:5696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      PID:1220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
      4⤵
      PID:6676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
      4⤵
      PID:5296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
      4⤵
      PID:6252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
      4⤵
      PID:6932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
      4⤵
      PID:4892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
      4⤵
      PID:6544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
      4⤵
      PID:4160
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
      4⤵
      PID:6624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
      4⤵
      PID:6444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
      4⤵
      PID:5408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
      4⤵
      PID:3056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
      4⤵
      PID:2700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
      4⤵
      PID:3636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      PID:2192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:6016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
      4⤵
      PID:6764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      PID:6020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
      4⤵
      PID:2500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
      4⤵
      Clears Windows event logs
      PID:228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
      4⤵
      PID:5888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
      4⤵
      Clears Windows event logs
      PID:2540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
      4⤵
      PID:6776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
      4⤵
      PID:6360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
      4⤵
      PID:6588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      Clears Windows event logs
      PID:4808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
      4⤵
      PID:3532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:4728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      PID:4904
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
      4⤵
      Clears Windows event logs
      PID:1920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
      4⤵
      PID:1656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
      4⤵
      PID:4912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
      4⤵
      PID:6504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
      4⤵
      Clears Windows event logs
      PID:6152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
      4⤵
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:4256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
      4⤵
      PID:4760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
      4⤵
      PID:6964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
      4⤵
      PID:6288
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
      4⤵
      PID:304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      PID:320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      PID:6832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
      4⤵
      PID:6900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
      4⤵
      PID:5988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:6796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
      4⤵
      PID:2476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
      4⤵
      PID:6240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
      4⤵
      PID:2952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      PID:6640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:5384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      PID:6424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
      4⤵
      PID:892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
      4⤵
      PID:1888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
      4⤵
      PID:5736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
      4⤵
      PID:2684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
      4⤵
      PID:4032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      PID:4884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
      4⤵
      PID:5676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
      4⤵
      PID:2680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
      4⤵
      PID:3388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
      4⤵
      PID:1928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
      4⤵
      PID:5468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
      4⤵
      Clears Windows event logs
      PID:1388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
      4⤵
      PID:6936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot"
      4⤵
      PID:2420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
      4⤵
      PID:5692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
      4⤵
      Clears Windows event logs
      PID:4660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
      4⤵
      PID:3040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
      4⤵
      PID:976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
      4⤵
      PID:6344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
      4⤵
      PID:5580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      PID:3292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      PID:6364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
      4⤵
      PID:4212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      PID:6140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:6840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
      4⤵
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      PID:7104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      PID:5776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      Clears Windows event logs
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
      4⤵
      PID:5884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:3344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      PID:3312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      PID:6208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:6268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      PID:5892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      PID:7036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      PID:5300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      PID:4940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:1108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      PID:2392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      PID:6220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      PID:2312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      PID:3864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      PID:5544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:6572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      PID:6876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      PID:5352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      PID:948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      PID:2980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:6552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:5836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:6512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      PID:4400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      PID:3144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      PID:5288
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:6596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
      4⤵
      PID:1248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
      4⤵
      PID:6160
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
      4⤵
      PID:5484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
      4⤵
      PID:4596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
      4⤵
      PID:5324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
      4⤵
      PID:5576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
      4⤵
      PID:5340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      PID:3648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:5348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
      4⤵
      PID:6564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      PID:5608
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      PID:2528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:2664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
      4⤵
      PID:1748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
      4⤵
      PID:3520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
      4⤵
      PID:5616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
      4⤵
      PID:4308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      PID:5564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:3376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:5704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:5504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:6024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
      4⤵
      PID:8
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
      4⤵
      PID:4424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
      4⤵
      PID:5740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
      4⤵
      PID:5680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
      4⤵
      PID:4472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
      4⤵
      PID:6236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
      4⤵
      PID:5752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
      4⤵
      PID:776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      PID:5388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:2596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
      4⤵
      PID:4340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:2424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
      4⤵
      PID:5936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
      4⤵
      PID:5932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
      4⤵
      PID:5920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
      4⤵
      PID:6772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
      4⤵
      PID:6684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
      4⤵
      PID:6976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
      4⤵
      PID:3792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
      4⤵
      PID:2176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
      4⤵
      PID:6804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
      4⤵
      PID:3132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
      4⤵
      Clears Windows event logs
      PID:1032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
      4⤵
      PID:1980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
      4⤵
      PID:3108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      PID:3284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
      4⤵
      PID:6828
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
      4⤵
      PID:1516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorClass/Operational"
      4⤵
      PID:5228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
      4⤵
      PID:5212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
      4⤵
      PID:3356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
      4⤵
      PID:2504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      PID:5668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
      4⤵
      PID:7012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
      4⤵
      PID:5640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
      4⤵
      PID:6428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
      4⤵
      PID:5376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      PID:5584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      PID:5440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
      4⤵
      PID:3032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
      4⤵
      PID:928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
      4⤵
      PID:112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
      4⤵
      PID:1740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
      4⤵
      PID:768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
      4⤵
      PID:832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
      4⤵
      PID:5476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
      4⤵
      PID:5596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
      4⤵
      PID:1948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
      4⤵
      PID:2744
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
      4⤵
      PID:5664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
      4⤵
      PID:4732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
      4⤵
      PID:6080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
      4⤵
      PID:4700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
      4⤵
      PID:2864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
      4⤵
      PID:5992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
      4⤵
      PID:5924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
      4⤵
      PID:6072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
      4⤵
      PID:5152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
      4⤵
      PID:4896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
      4⤵
      PID:6528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      PID:4336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
      4⤵
      PID:5232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
      4⤵
      PID:4456
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
      4⤵
      PID:1660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
      4⤵
      Clears Windows event logs
      PID:3124
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
      4⤵
      PID:6476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
      4⤵
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
      4⤵
      PID:2276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
      4⤵
      Clears Windows event logs
      PID:2908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
      4⤵
      PID:2352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
      4⤵
      PID:6224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Help/Operational"
      4⤵
      PID:7060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      PID:1900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:5500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
      4⤵
      PID:5424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
      4⤵
      PID:5488
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
      4⤵
      PID:5840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
      4⤵
      PID:4252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
      4⤵
      PID:2080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
      4⤵
      PID:6952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
      4⤵
      PID:6960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
      4⤵
      PID:6112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
      4⤵
      PID:6908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
      4⤵
      PID:1000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
      4⤵
      PID:6924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
      4⤵
      PID:6404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-KMCL-Child/Analytic"
      4⤵
      PID:6368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
      4⤵
      PID:4976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
      4⤵
      PID:6492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
      4⤵
      PID:4548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
      4⤵
      PID:6004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
      4⤵
      PID:5648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
      4⤵
      PID:5304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
      4⤵
      PID:3652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
      4⤵
      PID:7032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
      4⤵
      PID:708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
      4⤵
      PID:6920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
      4⤵
      PID:5808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
      4⤵
      PID:2244
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
      4⤵
      PID:640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
      4⤵
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
      4⤵
      PID:4868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
      4⤵
      PID:6328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
      4⤵
      PID:5360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
      4⤵
      PID:1684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
      4⤵
      PID:6756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
      4⤵
      PID:6848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
      4⤵
      PID:6700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
      4⤵
      PID:4716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
      4⤵
      PID:7024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
      4⤵
      PID:5956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
      4⤵
      PID:4448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
      4⤵
      PID:6612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
      4⤵
      PID:5800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
      4⤵
      PID:6968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
      4⤵
      PID:7112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
      4⤵
      PID:3660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
      4⤵
      PID:7056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
      4⤵
      PID:6408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
      4⤵
      PID:5712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
      4⤵
      PID:4984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
      4⤵
      PID:6740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
      4⤵
      PID:3912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
      4⤵
      PID:4492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
      4⤵
      PID:4440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
      4⤵
      PID:4248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
      4⤵
      PID:3044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-CPU-Starvation/Operational"
      4⤵
      PID:3940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Cache/Operational"
      4⤵
      PID:6400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
      4⤵
      PID:5880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Dump/Operational"
      4⤵
      Clears Windows event logs
      PID:7080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
      4⤵
      PID:6312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
      4⤵
      PID:2316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
      4⤵
      PID:3628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
      4⤵
      PID:2288
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
      4⤵
      PID:6724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
      4⤵
      PID:6420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
      4⤵
      PID:5012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
      4⤵
      PID:300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
      4⤵
      PID:316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
      4⤵
      PID:4572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PRM/Operational"
      4⤵
      PID:3668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
      4⤵
      PID:5720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
      4⤵
      PID:2336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
      4⤵
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
      4⤵
      PID:2448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
      4⤵
      PID:3724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Management"
      4⤵
      PID:6668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
      4⤵
      PID:4916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
      4⤵
      PID:2896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
      4⤵
      PID:2348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
      4⤵
      PID:2992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
      4⤵
      PID:5848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
      4⤵
      PID:6992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
      4⤵
      PID:5716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
      4⤵
      PID:2716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
      4⤵
      PID:5660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
      4⤵
      PID:6192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
      4⤵
      PID:1044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
      4⤵
      Clears Windows event logs
      PID:5140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
      4⤵
      PID:3152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
      4⤵
      PID:4736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
      4⤵
      PID:6260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
      4⤵
      PID:5964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
      4⤵
      PID:4920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
      4⤵
      PID:5856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
      4⤵
      Clears Windows event logs
      PID:6012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
      4⤵
      PID:6324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
      4⤵
      PID:2012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
      4⤵
      PID:1804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
      4⤵
      PID:6660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
      4⤵
      PID:6480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
      4⤵
      PID:5960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
      4⤵
      PID:4964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
      4⤵
      PID:5796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
      4⤵
      PID:5148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
      4⤵
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
      4⤵
      PID:6972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
      4⤵
      PID:2436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
      4⤵
      PID:2232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
      4⤵
      PID:5764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
      4⤵
      PID:5284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
      4⤵
      PID:4696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
      4⤵
      PID:5404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
      4⤵
      PID:5548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
      4⤵
      Clears Windows event logs
      PID:5560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
      4⤵
      PID:6036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
      4⤵
      PID:4444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
      4⤵
      PID:6696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
      4⤵
      PID:4056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
      4⤵
      PID:3116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
      4⤵
      PID:5556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
      4⤵
      PID:6672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
      4⤵
      PID:4724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
      4⤵
      PID:6916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
      4⤵
      PID:2876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
      4⤵
      PID:5320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
      4⤵
      PID:6876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
      4⤵
      PID:5780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
      4⤵
      PID:5180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
      4⤵
      PID:5164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
      4⤵
      PID:656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
      4⤵
      PID:4500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
      4⤵
      PID:5420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
      4⤵
      PID:4048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
      4⤵
      PID:4592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
      4⤵
      PID:6548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
      4⤵
      PID:5240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
      4⤵
      PID:4756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
      4⤵
      PID:3564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
      4⤵
      PID:5604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
      4⤵
      PID:780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Diagnostics"
      4⤵
      PID:5204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
      4⤵
      PID:7000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MosHost/Operational"
      4⤵
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MosHost/Performance"
      4⤵
      PID:5772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
      4⤵
      PID:4272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
      4⤵
      PID:392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
      4⤵
      PID:5540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
      4⤵
      PID:5248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
      4⤵
      PID:2608
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
      4⤵
      PID:1972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
      4⤵
      PID:5268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
      4⤵
      Clears Windows event logs
      PID:1704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
      4⤵
      PID:5088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
      4⤵
      PID:6792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
      4⤵
      PID:1664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
      4⤵
      PID:2196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
      4⤵
      PID:5428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
      4⤵
      Clears Windows event logs
      PID:2408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
      4⤵
      PID:7160
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
      4⤵
      PID:5444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
      4⤵
      PID:984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
      4⤵
      PID:5916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-ExecutionContext/Operational"
      4⤵
      PID:5700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
      4⤵
      PID:5156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
      4⤵
      PID:4488
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
      4⤵
      PID:5636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
      4⤵
      PID:1492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
      4⤵
      PID:5308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
      4⤵
      Clears Windows event logs
      PID:408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
      4⤵
      PID:5852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
      4⤵
      Clears Windows event logs
      PID:3664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
      4⤵
      PID:6856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
      4⤵
      PID:1308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
      4⤵
      PID:5684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
      4⤵
      PID:5216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
      4⤵
      PID:6684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
      4⤵
      PID:1924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
      4⤵
      PID:4652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
      4⤵
      PID:3720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
      4⤵
      PID:3808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
      4⤵
      PID:428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
      4⤵
      PID:6816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
      4⤵
      PID:4016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
      4⤵
      PID:3984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
      4⤵
      PID:4936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
      4⤵
      PID:6828
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
      4⤵
      PID:6396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
      4⤵
      PID:5228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
      4⤵
      PID:5280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
      4⤵
      PID:3356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
      4⤵
      PID:4420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
      4⤵
      PID:2504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
      4⤵
      PID:3412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:5640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
      4⤵
      PID:5412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
      4⤵
      PID:6428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
      4⤵
      PID:6820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
      4⤵
      PID:1332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
      4⤵
      Clears Windows event logs
      PID:6076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
      4⤵
      PID:5516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
      4⤵
      PID:6432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
      4⤵
      PID:5460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
      4⤵
      PID:768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
      4⤵
      PID:5672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
      4⤵
      PID:2172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
      4⤵
      PID:5344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
      4⤵
      PID:6720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
      4⤵
      PID:2696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
      4⤵
      PID:604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
      4⤵
      PID:2148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
      4⤵
      PID:3404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
      4⤵
      PID:4700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
      4⤵
      PID:6884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
      4⤵
      PID:5992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
      4⤵
      PID:5160
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
      4⤵
      PID:5924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
      4⤵
      PID:1832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
      4⤵
      PID:5152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
      4⤵
      Clears Windows event logs
      PID:2376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
      4⤵
      PID:6528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
      4⤵
      PID:5972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
      4⤵
      PID:5232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
      4⤵
      PID:1660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
      4⤵
      PID:3124
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
      4⤵
      PID:6476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
      4⤵
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
      4⤵
      PID:2276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
      4⤵
      PID:2908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
      4⤵
      PID:2352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
      4⤵
      PID:6224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
      4⤵
      PID:7060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
      4⤵
      PID:1900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
      4⤵
      PID:6712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
      4⤵
      PID:5984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
      4⤵
      PID:5008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
      4⤵
      PID:2040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
      4⤵
      PID:7096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
      4⤵
      PID:6176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:7004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
      4⤵
      PID:6940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
      4⤵
      PID:6632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
      4⤵
      PID:6064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
      4⤵
      PID:2300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
      4⤵
      PID:6096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
      4⤵
      PID:6108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
      4⤵
      PID:4800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
      4⤵
      PID:6028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
      4⤵
      PID:1096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
      4⤵
      Clears Windows event logs
      PID:6000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
      4⤵
      PID:6888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
      4⤵
      PID:2740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
      4⤵
      PID:5976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
      4⤵
      PID:2292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
      4⤵
      PID:1104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
      4⤵
      PID:6156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
      4⤵
      PID:7084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
      4⤵
      PID:6232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
      4⤵
      PID:2100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
      4⤵
      PID:6132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
      4⤵
      PID:7020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
      4⤵
      PID:6484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
      4⤵
      PID:6664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
      4⤵
      PID:3084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
      4⤵
      PID:712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
      4⤵
      PID:6948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
      4⤵
      PID:6932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
      4⤵
      PID:4892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
      4⤵
      PID:6544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
      4⤵
      PID:4160
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
      4⤵
      PID:6624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
      4⤵
      PID:4412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
      4⤵
      PID:6444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
      4⤵
      PID:3056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
      4⤵
      PID:2700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
      4⤵
      PID:3636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
      4⤵
      PID:6752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
      4⤵
      PID:7112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
      4⤵
      PID:3660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
      4⤵
      PID:7056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
      4⤵
      PID:6408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
      4⤵
      PID:2440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
      4⤵
      Clears Windows event logs
      PID:4984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
      4⤵
      PID:6740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
      4⤵
      Clears Windows event logs
      PID:3912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
      4⤵
      PID:4492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
      4⤵
      PID:2236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
      4⤵
      PID:4440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
      4⤵
      Clears Windows event logs
      PID:3044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
      4⤵
      Clears Windows event logs
      PID:3940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
      4⤵
      PID:6400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
      4⤵
      PID:6784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
      4⤵
      PID:5880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
      4⤵
      Clears Windows event logs
      PID:2036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
      4⤵
      PID:6312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
      4⤵
      PID:3628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
      4⤵
      PID:2288
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
      4⤵
      Clears Windows event logs
      PID:420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
      4⤵
      PID:6724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
      4⤵
      Clears Windows event logs
      PID:5012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
      4⤵
      PID:300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
      4⤵
      PID:316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
      4⤵
      PID:4572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
      4⤵
      PID:3668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
      4⤵
      PID:5720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
      4⤵
      PID:2336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
      4⤵
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
      4⤵
      PID:2448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
      4⤵
      PID:3724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
      4⤵
      PID:6668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
      4⤵
      PID:2360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
      4⤵
      PID:1888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
      4⤵
      PID:4916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
      4⤵
      PID:2684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
      4⤵
      PID:2348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
      4⤵
      PID:4884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
      4⤵
      PID:5848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
      4⤵
      PID:3048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:5716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
      4⤵
      PID:3832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
      4⤵
      PID:1928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
      4⤵
      PID:1388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
      4⤵
      PID:6936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
      4⤵
      PID:2420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
      4⤵
      PID:5692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
      4⤵
      PID:4660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
      4⤵
      PID:6260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
      4⤵
      PID:4920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
      4⤵
      PID:5856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
      4⤵
      PID:6012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
      4⤵
      PID:6324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
      4⤵
      PID:6620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
      4⤵
      Clears Windows event logs
      PID:2012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
      4⤵
      PID:6660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
      4⤵
      PID:6480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
      4⤵
      PID:4452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
      4⤵
      PID:5960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
      4⤵
      PID:3884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
      4⤵
      PID:5148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
      4⤵
      PID:7152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
      4⤵
      Clears Windows event logs
      PID:6972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
      4⤵
      PID:5776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
      4⤵
      PID:2232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
      4⤵
      PID:6296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
      4⤵
      PID:5272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
      4⤵
      PID:476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
      4⤵
      PID:3692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
      4⤵
      PID:2432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
      4⤵
      PID:5548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
      4⤵
      PID:6036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
      4⤵
      PID:4444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
      4⤵
      PID:5404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
      4⤵
      PID:6276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
      4⤵
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
      4⤵
      PID:6332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
      4⤵
      PID:5224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
      4⤵
      PID:3864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
      4⤵
      PID:5688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
      4⤵
      PID:5332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
      4⤵
      PID:5320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
      4⤵
      PID:5352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
      4⤵
      PID:6280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
      4⤵
      PID:5180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
      4⤵
      PID:6052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
      4⤵
      PID:656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
      4⤵
      Clears Windows event logs
      PID:4508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
      4⤵
      PID:5420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
      4⤵
      PID:4344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
      4⤵
      PID:4592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
      4⤵
      PID:2052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
      4⤵
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
      4⤵
      PID:1248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
      4⤵
      PID:5896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
      4⤵
      PID:2164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
      4⤵
      PID:2940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
      4⤵
      PID:5576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
      4⤵
      PID:5872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
      4⤵
      PID:3892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
      4⤵
      PID:2284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
      4⤵
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
      4⤵
      PID:2028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
      4⤵
      PID:2528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
      4⤵
      PID:2664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
      4⤵
      PID:2712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
      4⤵
      Clears Windows event logs
      PID:2708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
      4⤵
      PID:5616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
      4⤵
      PID:1188
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
      4⤵
      PID:4308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
      4⤵
      PID:6496
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
      4⤵
      PID:5928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
      4⤵
      PID:5704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
      4⤵
      PID:4948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
      4⤵
      PID:864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
      4⤵
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
      4⤵
      PID:5132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
      4⤵
      PID:5252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
      4⤵
      PID:1176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
      4⤵
      Clears Windows event logs
      PID:6048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
      4⤵
      PID:2900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
      4⤵
      PID:7028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
      4⤵
      PID:5996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
      4⤵
      PID:2836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
      4⤵
      PID:4816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
      4⤵
      PID:6852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
      4⤵
      PID:6568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
      4⤵
      PID:4392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
      4⤵
      PID:3460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
      4⤵
      PID:3000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
      4⤵
      PID:5656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
      4⤵
      PID:6772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
      4⤵
      PID:6976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
      4⤵
      PID:3772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
      4⤵
      Clears Windows event logs
      PID:5980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
      4⤵
      PID:6804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-NvmeDisk/Analytic"
      4⤵
      PID:3132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-NvmeDisk/Diagnose"
      4⤵
      PID:1032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-NvmeDisk/Operational"
      4⤵
      PID:1980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
      4⤵
      PID:3108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
      4⤵
      PID:2428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
      4⤵
      PID:3284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
      4⤵
      PID:4640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
      4⤵
      PID:5228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
      4⤵
      PID:5280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
      4⤵
      PID:3356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
      4⤵
      PID:4420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageManagement-PartUtil/Operational"
      4⤵
      PID:2504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
      4⤵
      PID:3412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
      4⤵
      PID:1432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
      4⤵
      PID:5640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Api/Operational"
      4⤵
      PID:6428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
      4⤵
      PID:6820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
      4⤵
      PID:1332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
      4⤵
      PID:6076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
      4⤵
      PID:5516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Parser/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Parser/Operational"
      4⤵
      PID:6432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
      4⤵
      PID:5460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
      4⤵
      PID:768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Store/Operational"
      4⤵
      PID:5672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
      4⤵
      PID:2172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
      4⤵
      PID:5344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
      4⤵
      PID:6720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
      4⤵
      Clears Windows event logs
      PID:2696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
      4⤵
      PID:604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
      4⤵
      PID:2148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
      4⤵
      PID:3136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
      4⤵
      PID:6080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
      4⤵
      PID:5316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
      4⤵
      PID:4864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
      4⤵
      PID:6040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
      4⤵
      PID:6044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
      4⤵
      PID:3776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
      4⤵
      PID:5144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
      4⤵
      PID:3448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
      4⤵
      PID:6472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
      4⤵
      PID:3788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
      4⤵
      PID:2852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
      4⤵
      PID:5748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
      4⤵
      PID:5372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
      4⤵
      PID:6736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
      4⤵
      PID:6008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
      4⤵
      PID:1648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
      4⤵
      PID:3408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
      4⤵
      PID:3952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
      4⤵
      PID:6592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
      4⤵
      PID:5500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
      4⤵
      PID:1900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
      4⤵
      PID:4328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
      4⤵
      PID:6448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
      4⤵
      PID:6688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TenantRestrictions/Operational"
      4⤵
      PID:2040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
      4⤵
      PID:3736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
      4⤵
      PID:7048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
      4⤵
      PID:4996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
      4⤵
      PID:2072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
      4⤵
      PID:3016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
      4⤵
      PID:6468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
      4⤵
      PID:548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
      4⤵
      PID:6580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
      4⤵
      PID:6056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
      4⤵
      PID:2152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
      4⤵
      PID:5492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
      4⤵
      PID:2936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
      4⤵
      PID:6824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
      4⤵
      PID:6292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
      4⤵
      PID:6376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
      4⤵
      PID:7108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
      4⤵
      PID:6868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
      4⤵
      PID:5512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
      4⤵
      PID:6172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
      4⤵
      PID:4464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
      4⤵
      PID:6956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
      4⤵
      PID:640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
      4⤵
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
      4⤵
      PID:4868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
      4⤵
      PID:6328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
      4⤵
      PID:5360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
      4⤵
      PID:1684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
      4⤵
      PID:6756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
      4⤵
      PID:7008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
      4⤵
      PID:6728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
      4⤵
      PID:912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
      4⤵
      PID:3276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
      4⤵
      PID:6348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"
      4⤵
      PID:568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
      4⤵
      PID:6556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
      4⤵
      PID:4024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
      4⤵
      PID:6928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
      4⤵
      PID:1396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
      4⤵
      PID:6016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
      4⤵
      PID:6764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
      4⤵
      PID:6020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
      4⤵
      PID:2500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
      4⤵
      PID:228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
      4⤵
      PID:3856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
      4⤵
      PID:2540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
      4⤵
      PID:4608
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"
      4⤵
      PID:4524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
      4⤵
      PID:2736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"
      4⤵
      PID:4808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
      4⤵
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
      4⤵
      PID:4952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
      4⤵
      PID:3940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
      4⤵
      PID:1656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
      4⤵
      PID:6808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
      4⤵
      PID:4912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"
      4⤵
      PID:1316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
      4⤵
      PID:6152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"
      4⤵
      PID:3628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
      4⤵
      PID:1612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
      4⤵
      PID:6964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
      4⤵
      PID:6288
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
      4⤵
      PID:300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
      4⤵
      PID:316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
      4⤵
      PID:4572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
      4⤵
      PID:3668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
      4⤵
      PID:6988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
      4⤵
      PID:5988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
      4⤵
      PID:2476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
      4⤵
      PID:6240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
      4⤵
      PID:2952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
      4⤵
      PID:6640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
      4⤵
      PID:5384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
      4⤵
      PID:6424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"
      4⤵
      PID:6212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
      4⤵
      PID:5736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
      4⤵
      PID:3100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
      4⤵
      PID:4032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
      4⤵
      PID:5236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
      4⤵
      PID:5676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
      4⤵
      PID:5368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
      4⤵
      PID:2680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
      4⤵
      PID:5448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
      4⤵
      PID:7156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
      4⤵
      PID:3504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
      4⤵
      PID:2124
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
      4⤵
      Clears Windows event logs
      PID:2808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"
      4⤵
      PID:6516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
      4⤵
      PID:3164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
      4⤵
      PID:3040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
      4⤵
      PID:6284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
      4⤵
      PID:5176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
      4⤵
      PID:5580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
      4⤵
      PID:6364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
      4⤵
      PID:4212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
      4⤵
      PID:3868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
      4⤵
      PID:6840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
      4⤵
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
      4⤵
      PID:6576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
      4⤵
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
      4⤵
      PID:5032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"
      4⤵
      PID:5148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
      4⤵
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"
      4⤵
      PID:5884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
      4⤵
      PID:2436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
      4⤵
      PID:2204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
      4⤵
      Clears Windows event logs
      PID:6616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
      4⤵
      PID:4696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"
      4⤵
      PID:5292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
      4⤵
      PID:884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
      4⤵
      PID:5196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"
      4⤵
      PID:4940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPUS/Analytic"
      4⤵
      PID:1532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
      4⤵
      PID:5820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-CFE/Diagnostic"
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
      4⤵
      PID:1368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-MediaManager/Diagnostic"
      4⤵
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
      4⤵
      PID:5556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
      4⤵
      PID:6068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Operational"
      4⤵
      PID:4724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wcmsvc/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wcmsvc/Operational"
      4⤵
      PID:3148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebAuth/Operational"
      4⤵
      Clears Windows event logs
      PID:2876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\CriticalBreachDetected.pdf

Filesize
111KB

MD5
bae4e959e5862e891b972f2c9116701e

SHA1
1403d8ed28ac069abfdfe9a2036a74d52a7c7494

SHA256
37c8633ee17bdf7ae21a547fee680920c720e9d32d03dd6dd217805de4d487e6

SHA512
98e831104c57c70f6af75fe6179f558b3cafd201b355176e8c47abd68592725fb43f30e967e3cf93d3152e61eb77a89ba9fe5c55da205448a1930509949a3344

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cn4bmzgm.isb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/308-13234-0x00007FFF99BA0000-0x00007FFF9A662000-memory.dmp

Filesize
10.8MB

Download
memory/308-13235-0x0000013898440000-0x0000013898450000-memory.dmp

Filesize
64KB

Download
memory/308-13236-0x0000013898440000-0x0000013898450000-memory.dmp

Filesize
64KB

Download
memory/308-13242-0x00000138FFA60000-0x00000138FFA82000-memory.dmp

Filesize
136KB

Download
memory/308-13249-0x00007FFF99BA0000-0x00007FFF9A662000-memory.dmp

Filesize
10.8MB

Download
memory/1136-8394-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-13224-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-13225-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-13227-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1136-13246-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download