rhysida | b55ecbddcbed916481ad537807cd3e33cb71814be6ce8e03eb63b629ccb8c692

Resubmissions

09-04-2024 07:34

240409-jebtcach7x 10

09-04-2024 07:33

09-04-2024 07:33

09-04-2024 07:33

16-12-2023 05:07

Analysis

max time kernel
315s
max time network
1589s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
09-04-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
Size

497KB
MD5

5f3ecd02a94cec2b62bfecd79f5a1d98
SHA1

2cd65d6d0cb10b8d061ee33133f0f98f86917265
SHA256

b55ecbddcbed916481ad537807cd3e33cb71814be6ce8e03eb63b629ccb8c692
SHA512

254949d3932a915394dec0eca359291baa8963e0cab55d28af02c678ce9841a3dad9b2d28e911f51655d8a52cf7d7379b446c0a2917b6e083abf95a1aa68dfee
SSDEEP

6144:rFoCbN9uRhQW8HnuYqWrJhN7L6aMFNYkS+D5gtuMf9opagj7T:IqnTp7N78Y5e5gUG9o/

Score

10^/10

rhysida evasion ransomware spyware stealer

Malware Config

Signatures

Detect Rhysida ransomware 5 IoCs

resource	yara_rule
behavioral2/memory/3816-8348-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida
behavioral2/memory/3816-12394-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida
behavioral2/memory/3816-12395-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida
behavioral2/memory/3816-12396-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida
behavioral2/memory/3816-12406-0x0000000000400000-0x000000000048C000-memory.dmp	family_rhysida

Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
ransomware rhysida

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
7084	wevtutil.exe
208	wevtutil.exe
5736	wevtutil.exe
6384	wevtutil.exe
6936	wevtutil.exe
4064	wevtutil.exe
5820	Process not Found
5960	wevtutil.exe
5384	wevtutil.exe
6536	wevtutil.exe
3080	wevtutil.exe
3924	wevtutil.exe
6964	wevtutil.exe
4396	wevtutil.exe
3220	wevtutil.exe
220	wevtutil.exe
5500	wevtutil.exe
5968	wevtutil.exe
5184	wevtutil.exe
944	wevtutil.exe
512	wevtutil.exe
6508	wevtutil.exe
4684	wevtutil.exe
5476	wevtutil.exe
2572	wevtutil.exe
6376	wevtutil.exe
6048	wevtutil.exe
6212	wevtutil.exe
4552	wevtutil.exe
7032	wevtutil.exe
6772	wevtutil.exe
7084	wevtutil.exe
1864	wevtutil.exe
6220	wevtutil.exe
4044	wevtutil.exe
808	Process not Found
6564	Process not Found
7048	wevtutil.exe
5588	wevtutil.exe
5856	wevtutil.exe
7088	wevtutil.exe
6712	wevtutil.exe
4352	wevtutil.exe
6780	wevtutil.exe
3732	wevtutil.exe
5576	wevtutil.exe
6636	wevtutil.exe
5712	wevtutil.exe
5228	wevtutil.exe
4352	wevtutil.exe
1504	Process not Found
6512	wevtutil.exe
5436	wevtutil.exe
6476	wevtutil.exe
6776	wevtutil.exe
6020	wevtutil.exe
220	wevtutil.exe
6304	wevtutil.exe
4412	wevtutil.exe
380	wevtutil.exe
6464	wevtutil.exe
2036	wevtutil.exe
4248	wevtutil.exe
512	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7566) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\bg.jpg"	Process not Found

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ar-ae\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\Mozilla Firefox\fonts\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.2\en\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\zh-TW.pak.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Library\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\VideoLAN\VLC\locale\co\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\cstm_brand_preview2x.png.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-default_32.svg.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ro-ro\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\PowerPivotExcelClientAddIn.tlb.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Grace-ppd.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ul-oob.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Voices\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\new_icons_retina.png.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\basicelegant.dotx.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-pl.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\MSWDS_FR.LEX.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\ui-strings.js.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon.png.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-125_8wekyb3d8bbwe\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-fr\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\CriticalBreachDetected.pdf	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_18.svg.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ja.pak.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT.rhysida	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
5272	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6944	Process not Found

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1676	Process not Found
1676	Process not Found
1676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	6804	vssvc.exe
Token: SeRestorePrivilege	6804	vssvc.exe
Token: SeAuditPrivilege	6804	vssvc.exe
Token: SeSecurityPrivilege	5016	wevtutil.exe
Token: SeBackupPrivilege	5016	wevtutil.exe
Token: SeSecurityPrivilege	7112	wevtutil.exe
Token: SeBackupPrivilege	7112	wevtutil.exe
Token: SeSecurityPrivilege	3064	wevtutil.exe
Token: SeBackupPrivilege	3064	wevtutil.exe
Token: SeSecurityPrivilege	6652	wevtutil.exe
Token: SeBackupPrivilege	6652	wevtutil.exe
Token: SeSecurityPrivilege	6680	wevtutil.exe
Token: SeBackupPrivilege	6680	wevtutil.exe
Token: SeSecurityPrivilege	6660	wevtutil.exe
Token: SeBackupPrivilege	6660	wevtutil.exe
Token: SeSecurityPrivilege	1092	wevtutil.exe
Token: SeBackupPrivilege	1092	wevtutil.exe
Token: SeSecurityPrivilege	5296	wevtutil.exe
Token: SeBackupPrivilege	5296	wevtutil.exe
Token: SeSecurityPrivilege	4956	wevtutil.exe
Token: SeBackupPrivilege	4956	wevtutil.exe
Token: SeSecurityPrivilege	3476	wevtutil.exe
Token: SeBackupPrivilege	3476	wevtutil.exe
Token: SeSecurityPrivilege	4568	wevtutil.exe
Token: SeBackupPrivilege	4568	wevtutil.exe
Token: SeSecurityPrivilege	220	wevtutil.exe
Token: SeBackupPrivilege	220	wevtutil.exe
Token: SeSecurityPrivilege	1788	wevtutil.exe
Token: SeBackupPrivilege	1788	wevtutil.exe
Token: SeSecurityPrivilege	5836	wevtutil.exe
Token: SeBackupPrivilege	5836	wevtutil.exe
Token: SeSecurityPrivilege	5256	wevtutil.exe
Token: SeBackupPrivilege	5256	wevtutil.exe
Token: SeSecurityPrivilege	4456	wevtutil.exe
Token: SeBackupPrivilege	4456	wevtutil.exe
Token: SeSecurityPrivilege	808	wevtutil.exe
Token: SeBackupPrivilege	808	wevtutil.exe
Token: SeSecurityPrivilege	5316	wevtutil.exe
Token: SeBackupPrivilege	5316	wevtutil.exe
Token: SeSecurityPrivilege	2584	wevtutil.exe
Token: SeBackupPrivilege	2584	wevtutil.exe
Token: SeSecurityPrivilege	1824	wevtutil.exe
Token: SeBackupPrivilege	1824	wevtutil.exe
Token: SeSecurityPrivilege	5116	wevtutil.exe
Token: SeBackupPrivilege	5116	wevtutil.exe
Token: SeSecurityPrivilege	5076	wevtutil.exe
Token: SeBackupPrivilege	5076	wevtutil.exe
Token: SeSecurityPrivilege	6516	wevtutil.exe
Token: SeBackupPrivilege	6516	wevtutil.exe
Token: SeSecurityPrivilege	3264	wevtutil.exe
Token: SeBackupPrivilege	3264	wevtutil.exe
Token: SeSecurityPrivilege	1996	wevtutil.exe
Token: SeBackupPrivilege	1996	wevtutil.exe
Token: SeSecurityPrivilege	6796	wevtutil.exe
Token: SeBackupPrivilege	6796	wevtutil.exe
Token: SeSecurityPrivilege	3016	wevtutil.exe
Token: SeBackupPrivilege	3016	wevtutil.exe
Token: SeSecurityPrivilege	5152	wevtutil.exe
Token: SeBackupPrivilege	5152	wevtutil.exe
Token: SeSecurityPrivilege	6636	wevtutil.exe
Token: SeBackupPrivilege	6636	wevtutil.exe
Token: SeSecurityPrivilege	5424	wevtutil.exe
Token: SeBackupPrivilege	5424	wevtutil.exe
Token: SeSecurityPrivilege	4412	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 4496	3816	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe	75
PID 3816 wrote to memory of 4496	3816	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe	75
PID 4496 wrote to memory of 5824	4496	cmd.exe	77
PID 4496 wrote to memory of 5824	4496	cmd.exe	77
PID 5824 wrote to memory of 5272	5824	cmd.exe	78
PID 5824 wrote to memory of 5272	5824	cmd.exe	78
PID 3816 wrote to memory of 6572	3816	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe	81
PID 3816 wrote to memory of 6572	3816	2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe	81
PID 6572 wrote to memory of 2160	6572	cmd.exe	83
PID 6572 wrote to memory of 2160	6572	cmd.exe	83
PID 2160 wrote to memory of 6476	2160	cmd.exe	84
PID 2160 wrote to memory of 6476	2160	cmd.exe	84
PID 6476 wrote to memory of 5016	6476	cmd.exe	85
PID 6476 wrote to memory of 5016	6476	cmd.exe	85
PID 2160 wrote to memory of 7112	2160	cmd.exe	86
PID 2160 wrote to memory of 7112	2160	cmd.exe	86
PID 2160 wrote to memory of 3064	2160	cmd.exe	87
PID 2160 wrote to memory of 3064	2160	cmd.exe	87
PID 2160 wrote to memory of 6652	2160	cmd.exe	88
PID 2160 wrote to memory of 6652	2160	cmd.exe	88
PID 2160 wrote to memory of 6680	2160	cmd.exe	89
PID 2160 wrote to memory of 6680	2160	cmd.exe	89
PID 2160 wrote to memory of 6660	2160	cmd.exe	90
PID 2160 wrote to memory of 6660	2160	cmd.exe	90
PID 2160 wrote to memory of 1092	2160	cmd.exe	91
PID 2160 wrote to memory of 1092	2160	cmd.exe	91
PID 2160 wrote to memory of 5296	2160	cmd.exe	92
PID 2160 wrote to memory of 5296	2160	cmd.exe	92
PID 2160 wrote to memory of 4956	2160	cmd.exe	93
PID 2160 wrote to memory of 4956	2160	cmd.exe	93
PID 2160 wrote to memory of 3476	2160	cmd.exe	94
PID 2160 wrote to memory of 3476	2160	cmd.exe	94
PID 2160 wrote to memory of 4568	2160	cmd.exe	95
PID 2160 wrote to memory of 4568	2160	cmd.exe	95
PID 2160 wrote to memory of 220	2160	cmd.exe	96
PID 2160 wrote to memory of 220	2160	cmd.exe	96
PID 2160 wrote to memory of 1788	2160	cmd.exe	97
PID 2160 wrote to memory of 1788	2160	cmd.exe	97
PID 2160 wrote to memory of 5836	2160	cmd.exe	98
PID 2160 wrote to memory of 5836	2160	cmd.exe	98
PID 2160 wrote to memory of 5256	2160	cmd.exe	99
PID 2160 wrote to memory of 5256	2160	cmd.exe	99
PID 2160 wrote to memory of 4456	2160	cmd.exe	100
PID 2160 wrote to memory of 4456	2160	cmd.exe	100
PID 2160 wrote to memory of 808	2160	cmd.exe	101
PID 2160 wrote to memory of 808	2160	cmd.exe	101
PID 2160 wrote to memory of 5316	2160	cmd.exe	102
PID 2160 wrote to memory of 5316	2160	cmd.exe	102
PID 2160 wrote to memory of 2584	2160	cmd.exe	103
PID 2160 wrote to memory of 2584	2160	cmd.exe	103
PID 2160 wrote to memory of 1824	2160	cmd.exe	104
PID 2160 wrote to memory of 1824	2160	cmd.exe	104
PID 2160 wrote to memory of 5116	2160	cmd.exe	105
PID 2160 wrote to memory of 5116	2160	cmd.exe	105
PID 2160 wrote to memory of 5076	2160	cmd.exe	106
PID 2160 wrote to memory of 5076	2160	cmd.exe	106
PID 2160 wrote to memory of 6516	2160	cmd.exe	107
PID 2160 wrote to memory of 6516	2160	cmd.exe	107
PID 2160 wrote to memory of 3264	2160	cmd.exe	108
PID 2160 wrote to memory of 3264	2160	cmd.exe	108
PID 2160 wrote to memory of 1996	2160	cmd.exe	109
PID 2160 wrote to memory of 1996	2160	cmd.exe	109
PID 2160 wrote to memory of 6796	2160	cmd.exe	110
PID 2160 wrote to memory of 6796	2160	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe
"C:\Users\Admin\AppData\Local\Temp\2023-12-10_5f3ecd02a94cec2b62bfecd79f5a1d98_rhysida.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5824
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:5272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6572
- - C:\Windows\system32\cmd.exe
    cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6476
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "AirSpaceChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Application"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowFilterGraph"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowPluginControl"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Els_Hyphenation/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "EndpointMapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "FirstUXPerf-Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "ForwardedEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "General Logging"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "HardwareEvents"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "IHM_DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4456
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProc"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProcD3D"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationAsyncWrapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationContentProtection"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDS"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationMediaEngine"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformanceCore"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPipeline"
      4⤵
      PID:2028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPlatform"
      4⤵
      PID:1692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationSrcPrefetch"
      4⤵
      Clears Windows event logs
      PID:5184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
      4⤵
      PID:4256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Admin"
      4⤵
      PID:1296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Debug"
      4⤵
      PID:4440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Operational"
      4⤵
      PID:504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
      4⤵
      PID:5852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
      4⤵
      PID:6908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
      4⤵
      PID:1084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
      4⤵
      PID:5092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
      4⤵
      PID:6392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IE/Diagnostic"
      4⤵
      PID:3472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
      4⤵
      PID:6816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      PID:1344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
      4⤵
      PID:6368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      PID:4352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      PID:1376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
      4⤵
      PID:236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
      4⤵
      PID:6928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
      4⤵
      Clears Windows event logs
      PID:6304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
      4⤵
      PID:6260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
      4⤵
      PID:5604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
      4⤵
      PID:6780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
      4⤵
      PID:2836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
      4⤵
      PID:4024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
      4⤵
      PID:428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
      4⤵
      PID:6580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
      4⤵
      PID:6812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
      4⤵
      PID:6756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
      4⤵
      PID:7092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
      4⤵
      PID:7156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      PID:5712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      PID:5228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
      4⤵
      PID:6272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
      4⤵
      PID:5900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
      4⤵
      PID:4624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
      4⤵
      PID:6252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
      4⤵
      PID:6444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
      4⤵
      PID:6312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
      4⤵
      PID:6116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
      4⤵
      PID:5320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:5740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:6420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
      4⤵
      PID:6224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
      4⤵
      PID:6512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
      4⤵
      PID:6212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
      4⤵
      PID:6268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
      4⤵
      PID:4356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
      4⤵
      Clears Windows event logs
      PID:7048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
      4⤵
      PID:6700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
      4⤵
      PID:6744
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
      4⤵
      PID:164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
      4⤵
      PID:2852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
      4⤵
      Clears Windows event logs
      PID:4396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppSruProv"
      4⤵
      PID:6948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
      4⤵
      PID:3292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
      4⤵
      Clears Windows event logs
      PID:944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
      4⤵
      PID:984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
      4⤵
      PID:6508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
      4⤵
      PID:6944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
      4⤵
      PID:5996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
      4⤵
      PID:6776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
      4⤵
      PID:6920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:7064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:6300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:5812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:5936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
      4⤵
      PID:1100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:5008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
      4⤵
      PID:748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:6524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      PID:7140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      PID:2168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
      4⤵
      PID:5804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic"
      4⤵
      PID:5580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Operational"
      4⤵
      PID:2300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
      4⤵
      PID:5960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
      4⤵
      PID:2832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
      4⤵
      PID:3880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
      4⤵
      PID:6340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
      4⤵
      PID:6324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
      4⤵
      PID:6748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
      4⤵
      PID:5860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
      4⤵
      PID:5728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      PID:3656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
      4⤵
      PID:5524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
      4⤵
      PID:6976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
      4⤵
      PID:5512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
      4⤵
      PID:5800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
      4⤵
      PID:6240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
      4⤵
      Clears Windows event logs
      PID:3220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:7032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
      4⤵
      PID:4400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
      4⤵
      PID:2360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
      4⤵
      PID:6732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
      4⤵
      PID:7084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:6532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
      4⤵
      PID:5808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
      4⤵
      PID:7060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
      4⤵
      PID:6772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Backup"
      4⤵
      PID:6932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
      4⤵
      PID:7044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
      4⤵
      PID:5908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
      4⤵
      PID:5596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
      4⤵
      PID:6740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:5384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:6064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:5716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
      4⤵
      PID:7108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
      4⤵
      PID:1540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
      4⤵
      PID:32
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
      4⤵
      PID:5216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:1268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
      4⤵
      PID:7088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:4672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:1600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      PID:3540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:6888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
      4⤵
      PID:5360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      PID:5212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      PID:6644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
      4⤵
      PID:5964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
      4⤵
      PID:5448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
      4⤵
      PID:4384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:6124
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
      4⤵
      PID:5976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
      4⤵
      PID:6088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Call"
      4⤵
      PID:6760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
      4⤵
      PID:3484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
      4⤵
      PID:1348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
      4⤵
      PID:6936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
      4⤵
      PID:4208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
      4⤵
      PID:4580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      PID:2468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      PID:2224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      PID:5628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
      4⤵
      PID:5548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
      4⤵
      PID:2532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      PID:2984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Analytic"
      4⤵
      PID:5844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Operational"
      4⤵
      Clears Windows event logs
      PID:4552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
      4⤵
      PID:2976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
      4⤵
      PID:3892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      PID:2416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:5072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      PID:4980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      PID:5572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
      4⤵
      PID:1844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
      4⤵
      PID:4408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
      4⤵
      Clears Windows event logs
      PID:512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
      4⤵
      PID:404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
      4⤵
      PID:4640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
      4⤵
      PID:4648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
      4⤵
      PID:5656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
      4⤵
      PID:5140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
      4⤵
      PID:5732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
      4⤵
      PID:5500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
      4⤵
      PID:2036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
      4⤵
      PID:3304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
      4⤵
      PID:5640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      PID:1088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:5820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
      4⤵
      PID:1108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      PID:6428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
      4⤵
      PID:392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
      4⤵
      PID:3348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
      4⤵
      PID:2328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
      4⤵
      PID:264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
      4⤵
      PID:280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
      4⤵
      PID:3884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
      4⤵
      PID:5472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      PID:3732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
      4⤵
      PID:4968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:5536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      PID:6916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
      4⤵
      PID:5148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
      4⤵
      PID:6476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
      4⤵
      PID:7112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
      4⤵
      PID:3064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
      4⤵
      PID:6652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
      4⤵
      PID:6680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
      4⤵
      PID:6660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:1336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
      4⤵
      PID:7144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
      4⤵
      PID:1092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
      4⤵
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
      4⤵
      PID:4568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      PID:2412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
      4⤵
      PID:5836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
      4⤵
      PID:5256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:4456
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
      4⤵
      PID:808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
      4⤵
      PID:5316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
      4⤵
      PID:2584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      PID:5464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
      4⤵
      PID:6516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
      4⤵
      PID:3264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
      4⤵
      PID:6400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
      4⤵
      PID:1996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
      4⤵
      PID:3016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      PID:5152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
      4⤵
      PID:6636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
      4⤵
      PID:5424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
      4⤵
      Clears Windows event logs
      PID:4412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
      4⤵
      PID:2028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
      4⤵
      PID:1692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
      4⤵
      PID:2548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
      4⤵
      PID:5184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
      4⤵
      PID:1296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
      4⤵
      PID:4440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
      4⤵
      PID:504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
      4⤵
      PID:5852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      PID:6908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      PID:1084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      PID:6592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:5092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
      4⤵
      PID:3472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:6816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:1344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      PID:6368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      Clears Windows event logs
      PID:4352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      PID:1376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
      4⤵
      PID:5460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:3480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      PID:6928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      PID:6100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:6304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      PID:5604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      Clears Windows event logs
      PID:6780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      PID:2836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      PID:4024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
      4⤵
      PID:6696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:6580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      PID:6756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:7092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      PID:7156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      Clears Windows event logs
      PID:5712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      Clears Windows event logs
      PID:5228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      PID:6272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:5900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      PID:4624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      PID:6252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      PID:6444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
      4⤵
      PID:6312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      PID:6116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:5320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:5740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:6420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      PID:6224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      Clears Windows event logs
      PID:6512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      PID:6212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:6268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      PID:4356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
      4⤵
      PID:7048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
      4⤵
      PID:6984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
      4⤵
      PID:6700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
      4⤵
      PID:164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
      4⤵
      PID:5416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
      4⤵
      PID:2852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
      4⤵
      PID:6948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      PID:3292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
      4⤵
      PID:984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
      4⤵
      PID:6508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
      4⤵
      PID:6944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      PID:5996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      Clears Windows event logs
      PID:6776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:6920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
      4⤵
      PID:7064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
      4⤵
      PID:6300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
      4⤵
      PID:5812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
      4⤵
      PID:5936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:1100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      PID:4320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:6096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
      4⤵
      PID:748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:7140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
      4⤵
      PID:2168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
      4⤵
      PID:1452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
      4⤵
      PID:5580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
      4⤵
      PID:2300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:5960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
      4⤵
      PID:2832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      PID:3880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:6340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
      4⤵
      PID:6324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:6748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
      4⤵
      PID:5860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
      4⤵
      PID:4144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
      4⤵
      PID:5728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
      4⤵
      PID:5524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
      4⤵
      PID:6976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
      4⤵
      PID:5512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
      4⤵
      PID:5748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
      4⤵
      PID:5800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
      4⤵
      PID:3220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
      4⤵
      Clears Windows event logs
      PID:7032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
      4⤵
      PID:6712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
      4⤵
      PID:4400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
      4⤵
      PID:6732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:7084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EmbeddedAppLauncher/Admin"
      4⤵
      PID:6532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EmbeddedAppLauncher/Operational"
      4⤵
      PID:5808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
      4⤵
      PID:7060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
      4⤵
      PID:6772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
      4⤵
      PID:5436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
      4⤵
      PID:6932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
      4⤵
      PID:5908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      PID:6328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
      4⤵
      PID:5596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
      4⤵
      Clears Windows event logs
      PID:5384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
      4⤵
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
      4⤵
      PID:364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
      4⤵
      Clears Windows event logs
      PID:5588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      PID:6452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
      4⤵
      PID:5216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
      4⤵
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
      4⤵
      PID:1268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
      4⤵
      PID:7088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
      4⤵
      PID:4672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
      4⤵
      PID:1600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
      4⤵
      PID:3540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
      4⤵
      PID:6888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
      4⤵
      PID:4688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
      4⤵
      PID:5360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
      4⤵
      PID:6644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
      4⤵
      PID:5964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
      4⤵
      PID:5448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
      4⤵
      PID:5768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
      4⤵
      PID:6124
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
      4⤵
      PID:5624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
      4⤵
      PID:5764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
      4⤵
      PID:6008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      PID:2556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FontGroups/Diagnostic"
      4⤵
      PID:5892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
      4⤵
      PID:4972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
      4⤵
      PID:1348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
      4⤵
      Clears Windows event logs
      PID:6536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
      4⤵
      PID:1528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
      4⤵
      Clears Windows event logs
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
      4⤵
      PID:5544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
      4⤵
      PID:2532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
      4⤵
      PID:5284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
      4⤵
      PID:5844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Help/Operational"
      4⤵
      PID:4552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      PID:1356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:2976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:2416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      PID:5072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
      4⤵
      PID:4980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
      4⤵
      PID:4092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
      4⤵
      PID:5572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
      4⤵
      PID:4408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
      4⤵
      Clears Windows event logs
      PID:512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
      4⤵
      PID:404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
      4⤵
      PID:4640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
      4⤵
      PID:4648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
      4⤵
      PID:5656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
      4⤵
      PID:5140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
      4⤵
      PID:5732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
      4⤵
      Clears Windows event logs
      PID:5500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
      4⤵
      Clears Windows event logs
      PID:2036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
      4⤵
      PID:3304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
      4⤵
      PID:5156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
      4⤵
      PID:1088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
      4⤵
      PID:5820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
      4⤵
      PID:1108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
      4⤵
      PID:6428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
      4⤵
      PID:392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
      4⤵
      PID:3348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
      4⤵
      PID:268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
      4⤵
      PID:292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
      4⤵
      PID:5080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
      4⤵
      PID:5144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
      4⤵
      PID:912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
      4⤵
      PID:4496
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
      4⤵
      PID:1984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
      4⤵
      PID:1448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
      4⤵
      PID:6668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
      4⤵
      PID:5528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
      4⤵
      PID:3616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
      4⤵
      PID:740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
      4⤵
      PID:7120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
      4⤵
      PID:6576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
      4⤵
      PID:5188
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International/Operational"
      4⤵
      PID:5296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
      4⤵
      PID:5128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
      4⤵
      PID:2480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
      4⤵
      PID:6688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
      4⤵
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
      4⤵
      PID:1548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
      4⤵
      PID:696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
      4⤵
      PID:6664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
      4⤵
      PID:2456
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
      4⤵
      PID:5780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
      4⤵
      PID:5220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
      4⤵
      PID:1428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
      4⤵
      Clears Windows event logs
      PID:5476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
      4⤵
      PID:2692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
      4⤵
      PID:3644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
      4⤵
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
      4⤵
      PID:6904
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
      4⤵
      PID:396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
      4⤵
      PID:5084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
      4⤵
      PID:5404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
      4⤵
      PID:5264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
      4⤵
      PID:5236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
      4⤵
      PID:5392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
      4⤵
      PID:7036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
      4⤵
      PID:6004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
      4⤵
      PID:4472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
      4⤵
      PID:5840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
      4⤵
      PID:3900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
      4⤵
      PID:6412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
      4⤵
      PID:6612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
      4⤵
      PID:1052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
      4⤵
      PID:424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
      4⤵
      PID:1868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
      4⤵
      PID:4064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
      4⤵
      PID:6964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
      4⤵
      PID:6392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
      4⤵
      PID:5032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
      4⤵
      PID:4104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
      4⤵
      PID:1364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
      4⤵
      PID:5432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
      4⤵
      PID:6544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
      4⤵
      PID:6404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
      4⤵
      PID:4752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
      4⤵
      PID:6384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
      4⤵
      PID:5600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
      4⤵
      PID:6280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
      4⤵
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
      4⤵
      PID:5904
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
      4⤵
      PID:5700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
      4⤵
      PID:4332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
      4⤵
      PID:6288
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
      4⤵
      PID:6372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
      4⤵
      PID:6812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
      4⤵
      PID:2368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
      4⤵
      PID:5328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
      4⤵
      PID:5680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
      4⤵
      PID:2840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
      4⤵
      PID:6308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
      4⤵
      PID:6276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
      4⤵
      PID:3344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguageProfile/Analytic"
      4⤵
      PID:6900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
      4⤵
      PID:4908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
      4⤵
      PID:1492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
      4⤵
      PID:5876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
      4⤵
      PID:6768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
      4⤵
      PID:6860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
      4⤵
      PID:6468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
      4⤵
      PID:2472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
      4⤵
      PID:2612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
      4⤵
      PID:6336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
      4⤵
      PID:6228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
      4⤵
      PID:6200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
      4⤵
      PID:5724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
      4⤵
      PID:4584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
      4⤵
      PID:6120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
      4⤵
      PID:3636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
      4⤵
      PID:1676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
      4⤵
      PID:4388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
      4⤵
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
      4⤵
      PID:7008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
      4⤵
      PID:2144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
      4⤵
      PID:6640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
      4⤵
      PID:5988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
      4⤵
      PID:5744
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
      4⤵
      PID:7072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
      4⤵
      PID:6028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
      4⤵
      PID:6764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
      4⤵
      Clears Windows event logs
      PID:380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
      4⤵
      PID:6152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
      4⤵
      PID:4116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
      4⤵
      PID:7028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
      4⤵
      PID:6552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
      4⤵
      PID:916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
      4⤵
      PID:6092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Admin"
      4⤵
      Clears Windows event logs
      PID:5856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter/Analytic"
      4⤵
      PID:3600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
      4⤵
      PID:5872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
      4⤵
      PID:7040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
      4⤵
      PID:5984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
      4⤵
      PID:5704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
      4⤵
      PID:304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
      4⤵
      PID:6016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
      4⤵
      PID:5864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
      4⤵
      PID:6844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NFC-Class-Extension/Analytical"
      4⤵
      PID:3880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
      4⤵
      PID:6340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
      4⤵
      PID:6324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
      4⤵
      PID:2844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
      4⤵
      PID:6748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
      4⤵
      PID:4144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
      4⤵
      PID:7148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
      4⤵
      PID:2316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
      4⤵
      PID:5524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
      4⤵
      PID:5616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
      4⤵
      PID:5880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
      4⤵
      PID:5956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
      4⤵
      PID:4492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
      4⤵
      PID:5688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
      4⤵
      PID:5896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
      4⤵
      PID:6712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
      4⤵
      PID:6356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
      4⤵
      PID:7084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
      4⤵
      PID:6484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
      4⤵
      PID:2932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
      4⤵
      Clears Windows event logs
      PID:6048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
      4⤵
      Clears Windows event logs
      PID:6772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
      4⤵
      PID:5436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
      4⤵
      PID:5776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
      4⤵
      PID:6848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
      4⤵
      PID:4628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
      4⤵
      PID:6784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
      4⤵
      PID:6316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
      4⤵
      PID:5384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
      4⤵
      PID:4220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NvdimmN/Analytic"
      4⤵
      PID:1540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NvdimmN/Diagnostic"
      4⤵
      PID:2604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NvdimmN/Operational"
      4⤵
      PID:5268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
      4⤵
      PID:6060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
      4⤵
      PID:6012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
      4⤵
      PID:6104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
      4⤵
      PID:5088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
      4⤵
      PID:7100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
      4⤵
      PID:6044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
      4⤵
      PID:6996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
      4⤵
      PID:4488
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
      4⤵
      PID:6164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
      4⤵
      PID:7020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
      4⤵
      PID:408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
      4⤵
      PID:5064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
      4⤵
      PID:5752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
      4⤵
      PID:6000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
      4⤵
      PID:4384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
      4⤵
      PID:2484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
      4⤵
      PID:6128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:5968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
      4⤵
      PID:3484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
      4⤵
      PID:2556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
      4⤵
      PID:5552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
      4⤵
      PID:6024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
      4⤵
      PID:6536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
      4⤵
      PID:2468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
      4⤵
      PID:2224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
      4⤵
      PID:4656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
      4⤵
      PID:5396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
      4⤵
      PID:5548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
      4⤵
      PID:4928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PmemDisk/Analytic"
      4⤵
      PID:2864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PmemDisk/Diagnostic"
      4⤵
      PID:3360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PmemDisk/Operational"
      4⤵
      PID:5792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
      4⤵
      PID:6560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
      4⤵
      Clears Windows event logs
      PID:3080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
      4⤵
      PID:5276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
      4⤵
      PID:6160
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
      4⤵
      PID:6808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
      4⤵
      PID:4416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
      4⤵
      PID:2324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
      4⤵
      PID:4596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
      4⤵
      PID:3924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
      4⤵
      PID:5648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
      4⤵
      PID:1864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
      4⤵
      PID:5656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
      4⤵
      PID:5164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
      4⤵
      PID:2148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PriResources-Deployment/Diagnostic"
      4⤵
      PID:5500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PriResources-Deployment/Operational"
      4⤵
      PID:4036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
      4⤵
      PID:5168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
      4⤵
      PID:3304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintDialogs/Analytic"
      4⤵
      PID:5652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintDialogs3D/Analytic"
      4⤵
      PID:6692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
      4⤵
      PID:1876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
      4⤵
      PID:1388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
      4⤵
      PID:5948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
      4⤵
      PID:5480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
      4⤵
      PID:264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
      4⤵
      PID:3884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
      4⤵
      PID:5472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
      4⤵
      Clears Windows event logs
      PID:3732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
      4⤵
      PID:4968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
      4⤵
      PID:5536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
      4⤵
      PID:6916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
      4⤵
      PID:5148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
      4⤵
      PID:6476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
      4⤵
      PID:7112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
      4⤵
      PID:1264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
      4⤵
      PID:3064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
      4⤵
      PID:6680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
      4⤵
      PID:6660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
      4⤵
      PID:4956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
      4⤵
      PID:1336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
      4⤵
      PID:1092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
      4⤵
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
      4⤵
      PID:2480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
      4⤵
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
      4⤵
      PID:3788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
      4⤵
      PID:696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
      4⤵
      PID:6664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
      4⤵
      PID:2456
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
      4⤵
      PID:5780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
      4⤵
      PID:5220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
      4⤵
      PID:1428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
      4⤵
      PID:5476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
      4⤵
      PID:2692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
      4⤵
      PID:3644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
      4⤵
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
      4⤵
      PID:6904
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
      4⤵
      PID:396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
      4⤵
      PID:5084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
      4⤵
      PID:5404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
      4⤵
      PID:5264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
      4⤵
      PID:5236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
      4⤵
      PID:5392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
      4⤵
      PID:7036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
      4⤵
      PID:6004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
      4⤵
      PID:4256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
      4⤵
      PID:4472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
      4⤵
      PID:3900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
      4⤵
      PID:6412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
      4⤵
      PID:6612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
      4⤵
      PID:424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
      4⤵
      PID:1868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
      4⤵
      PID:4064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
      4⤵
      PID:6964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
      4⤵
      PID:6392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
      4⤵
      PID:4076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
      4⤵
      PID:5032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
      4⤵
      PID:1364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
      4⤵
      PID:5432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
      4⤵
      PID:4352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
      4⤵
      PID:6544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
      4⤵
      PID:6868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
      4⤵
      PID:6384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
      4⤵
      PID:6856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SENSE/Operational"
      4⤵
      PID:5600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
      4⤵
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
      4⤵
      PID:6720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
      4⤵
      PID:5620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
      4⤵
      PID:6236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
      4⤵
      PID:6248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
      4⤵
      PID:428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
      4⤵
      PID:6696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
      4⤵
      PID:6580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
      4⤵
      PID:7104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
      4⤵
      PID:3736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
      4⤵
      PID:5788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
      4⤵
      PID:6424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
      4⤵
      PID:6972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
      4⤵
      PID:980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
      4⤵
      PID:5900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
      4⤵
      PID:6708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ScmBus/Analytic"
      4⤵
      PID:6632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ScmBus/Certification"
      4⤵
      PID:2312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ScmBus/Diagnose"
      4⤵
      Clears Windows event logs
      PID:6376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ScmBus/Operational"
      4⤵
      PID:6360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
      4⤵
      PID:6872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
      4⤵
      PID:2568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
      4⤵
      PID:2272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
      4⤵
      PID:5336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
      4⤵
      PID:2412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
      4⤵
      PID:6228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
      4⤵
      PID:5708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
      4⤵
      PID:6200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
      4⤵
      PID:4584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
      4⤵
      PID:7136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
      4⤵
      PID:6120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
      4⤵
      PID:1676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
      4⤵
      PID:4136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
      4⤵
      PID:4388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
      4⤵
      PID:7008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
      4⤵
      PID:2144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
      4⤵
      PID:6640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
      4⤵
      PID:5988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
      4⤵
      PID:5744
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
      4⤵
      PID:7072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
      4⤵
      PID:6028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
      4⤵
      PID:5868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
      4⤵
      PID:6764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
      4⤵
      PID:6152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
      4⤵
      PID:6588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
      4⤵
      PID:4116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
      4⤵
      PID:6552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
      4⤵
      PID:916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
      4⤵
      PID:6092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
      4⤵
      PID:5856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
      4⤵
      PID:3600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
      4⤵
      PID:5872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
      4⤵
      PID:7040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
      4⤵
      PID:5984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
      4⤵
      PID:5704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
      4⤵
      PID:304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
      4⤵
      PID:6016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
      4⤵
      PID:5864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
      4⤵
      PID:5760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
      4⤵
      PID:6196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
      4⤵
      PID:1180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
      4⤵
      Clears Windows event logs
      PID:4044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
      4⤵
      PID:4340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
      4⤵
      PID:6472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
      4⤵
      PID:2936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
      4⤵
      PID:6408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
      4⤵
      PID:4900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
      4⤵
      PID:5512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
      4⤵
      PID:5928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
      4⤵
      PID:5800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
      4⤵
      PID:5956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
      4⤵
      PID:5688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
      4⤵
      PID:5896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
      4⤵
      PID:3296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
      4⤵
      PID:6712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
      4⤵
      PID:5828
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:7084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
      4⤵
      PID:2932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
      4⤵
      PID:5012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
      4⤵
      PID:6048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
      4⤵
      Clears Windows event logs
      PID:5436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
      4⤵
      PID:6736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
      4⤵
      PID:6388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
      4⤵
      PID:6208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
      4⤵
      PID:2180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
      4⤵
      PID:6828
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
      4⤵
      PID:5884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Search-UriHandler"
      4⤵
      PID:3584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
      4⤵
      PID:1276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
      4⤵
      PID:1972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
      4⤵
      PID:5940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
      4⤵
      PID:644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
      4⤵
      PID:1268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:7088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
      4⤵
      PID:6788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
      4⤵
      PID:1600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
      4⤵
      PID:5408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
      4⤵
      PID:5468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
      4⤵
      PID:692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
      4⤵
      PID:6020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
      4⤵
      PID:6072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
      4⤵
      PID:1176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
      4⤵
      PID:312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
      4⤵
      PID:6676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
      4⤵
      PID:5976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
      4⤵
      PID:5624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
      4⤵
      PID:5764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
      4⤵
      PID:6548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
      4⤵
      PID:5968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
      4⤵
      PID:1432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
      4⤵
      PID:6936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
      4⤵
      PID:3484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
      4⤵
      PID:6024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
      4⤵
      PID:6536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
      4⤵
      PID:2468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
      4⤵
      PID:2224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
      4⤵
      PID:4656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
      4⤵
      PID:5396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
      4⤵
      PID:5548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
      4⤵
      PID:6432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
      4⤵
      PID:4928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
      4⤵
      Clears Windows event logs
      PID:5576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
      4⤵
      PID:3360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
      4⤵
      PID:6560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
      4⤵
      PID:3080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
      4⤵
      PID:5276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
      4⤵
      PID:6160
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
      4⤵
      PID:6464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
      4⤵
      PID:6808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
      4⤵
      PID:4416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
      4⤵
      PID:2324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
      4⤵
      PID:4596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
      4⤵
      Clears Windows event logs
      PID:3924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
      4⤵
      PID:5648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
      4⤵
      Clears Windows event logs
      PID:1864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
      4⤵
      PID:5656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
      4⤵
      PID:5164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
      4⤵
      PID:2148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
      4⤵
      PID:5500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
      4⤵
      PID:4036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
      4⤵
      Clears Windows event logs
      PID:5736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
      4⤵
      PID:5352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
      4⤵
      PID:1088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Store/Operational"
      4⤵
      PID:204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
      4⤵
      PID:1108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
      4⤵
      PID:6428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
      4⤵
      PID:392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
      4⤵
      PID:5480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
      4⤵
      PID:272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
      4⤵
      PID:284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
      4⤵
      PID:772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
      4⤵
      PID:5472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
      4⤵
      PID:3732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
      4⤵
      PID:4968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
      4⤵
      PID:5536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
      4⤵
      PID:6916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
      4⤵
      PID:5148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
      4⤵
      Clears Windows event logs
      PID:6476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
      4⤵
      PID:7112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
      4⤵
      PID:1264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
      4⤵
      PID:3064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
      4⤵
      PID:6680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
      4⤵
      PID:5296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
      4⤵
      PID:4956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
      4⤵
      PID:1336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
      4⤵
      PID:1092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
      4⤵
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
      4⤵
      PID:4500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
      4⤵
      PID:1548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
      4⤵
      PID:2512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
      4⤵
      PID:6204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
      4⤵
      PID:5232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
      4⤵
      PID:6540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
      4⤵
      PID:4040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
      4⤵
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
      4⤵
      PID:6924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
      4⤵
      PID:6836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
      4⤵
      PID:6516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
      4⤵
      PID:3264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
      4⤵
      PID:6400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
      4⤵
      PID:1996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
      4⤵
      PID:3016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
      4⤵
      PID:5152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
      4⤵
      Clears Windows event logs
      PID:6636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
      4⤵
      PID:5424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
      4⤵
      PID:6824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
      4⤵
      PID:2028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
      4⤵
      PID:5840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
      4⤵
      PID:5196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
      4⤵
      PID:2548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
      4⤵
      PID:4472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
      4⤵
      PID:1052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
      4⤵
      PID:6612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
      4⤵
      PID:424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
      4⤵
      PID:1868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
      4⤵
      Clears Windows event logs
      PID:4064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
      4⤵
      Clears Windows event logs
      PID:6964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
      4⤵
      PID:4104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
      4⤵
      PID:4076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
      4⤵
      PID:5032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
      4⤵
      PID:1364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
      4⤵
      PID:5432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
      4⤵
      Clears Windows event logs
      PID:4352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
      4⤵
      PID:6544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
      4⤵
      PID:6868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
      4⤵
      PID:6856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
      4⤵
      PID:4864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
      4⤵
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
      4⤵
      PID:4332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
      4⤵
      PID:6720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
      4⤵
      PID:6236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
      4⤵
      PID:6248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
      4⤵
      PID:428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
      4⤵
      PID:6696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
      4⤵
      PID:6580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
      4⤵
      PID:7104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"
      4⤵
      PID:3736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
      4⤵
      PID:5788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"
      4⤵
      PID:6424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
      4⤵
      PID:6972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"
      4⤵
      PID:980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
      4⤵
      PID:5900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
      4⤵
      PID:4908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
      4⤵
      PID:6708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
      4⤵
      PID:2312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"
      4⤵
      PID:6376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
      4⤵
      PID:6360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"
      4⤵
      PID:6872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
      4⤵
      PID:2568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
      4⤵
      PID:2272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
      4⤵
      PID:6336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
      4⤵
      Clears Windows event logs
      PID:6212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
      4⤵
      PID:4708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
      4⤵
      PID:4356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
      4⤵
      PID:1456
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
      4⤵
      PID:6984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
      4⤵
      PID:3636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
      4⤵
      PID:1016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
      4⤵
      PID:7004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
      4⤵
      PID:4560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
      4⤵
      PID:6496
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
      4⤵
      PID:6264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
      4⤵
      PID:6968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
      4⤵
      PID:984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
      4⤵
      Clears Windows event logs
      PID:6508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VIRTDISK/Operational"
      4⤵
      PID:6108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
      4⤵
      PID:868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
      4⤵
      PID:6752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
      4⤵
      PID:380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
      4⤵
      PID:7064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
      4⤵
      PID:5068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"
      4⤵
      PID:7028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
      4⤵
      PID:6840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
      4⤵
      PID:1100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
      4⤵
      PID:4320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
      4⤵
      PID:4860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
      4⤵
      PID:4960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
      4⤵
      PID:7016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
      4⤵
      PID:7140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
      4⤵
      PID:5804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
      4⤵
      PID:1452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
      4⤵
      PID:5580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
      4⤵
      PID:5904
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
      4⤵
      PID:304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
      4⤵
      PID:6016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
      4⤵
      PID:5864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
      4⤵
      PID:5760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
      4⤵
      PID:6196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
      4⤵
      PID:1180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
      4⤵
      PID:4044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
      4⤵
      PID:4340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
      4⤵
      PID:6472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"
      4⤵
      PID:2936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
      4⤵
      PID:6408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
      4⤵
      PID:4900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
      4⤵
      PID:5512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
      4⤵
      PID:5952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"
      4⤵
      PID:5928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
      4⤵
      PID:5956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
      4⤵
      PID:5688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"
      4⤵
      PID:5896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPUS/Analytic"
      4⤵
      PID:3296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
      4⤵
      PID:5808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-CFE/Diagnostic"
      4⤵
      PID:5828
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
      4⤵
      PID:2932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-MediaManager/Diagnostic"
      4⤵
      PID:5012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
      4⤵
      PID:6048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
      4⤵
      PID:5436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Operational"
      4⤵
      PID:5908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wcmsvc/Diagnostic"
      4⤵
      PID:6328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wcmsvc/Operational"
      4⤵
      PID:5596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebAuth/Operational"
      4⤵
      PID:5716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
      4⤵
      PID:2180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
      4⤵
      PID:364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebPlatStorage-Server"
      4⤵
      PID:5588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
      4⤵
      PID:2816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebcamProvider/Analytic"
      4⤵
      PID:5308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Websocket-Protocol-Component/Tracing"
      4⤵
      PID:5216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WiFiDisplay/Analytic"
      4⤵
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
      4⤵
      Clears Windows event logs
      PID:4684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Contention"
      4⤵
      PID:5088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Messages"
      4⤵
      PID:6952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Operational"
      4⤵
      PID:5492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
      4⤵
      PID:1048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
      4⤵
      PID:5212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
      4⤵
      PID:4688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
      4⤵
      Clears Windows event logs
      PID:6020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
      4⤵
      PID:5412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
      4⤵
      PID:5964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinINet-Capture/Analytic"
      4⤵
      PID:5752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinINet-Config/ProxyConfigChanged"
      4⤵
      PID:5972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
      4⤵
      PID:6760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinINet/UsageLog"
      4⤵
      PID:6128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinINet/WebSocket"
      4⤵
      PID:5624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinMDE/MDE"
      4⤵
      PID:6548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinNat/Oper"
      4⤵
      PID:5968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinNat/Trace"
      4⤵
      PID:1432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
      4⤵
      Clears Windows event logs
      PID:6936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
      4⤵
      PID:5240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
      4⤵
      PID:5668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinURLMon/Analytic"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
      4⤵
      PID:3088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\CriticalBreachDetected.pdf

Filesize
111KB

MD5
bae4e959e5862e891b972f2c9116701e

SHA1
1403d8ed28ac069abfdfe9a2036a74d52a7c7494

SHA256
37c8633ee17bdf7ae21a547fee680920c720e9d32d03dd6dd217805de4d487e6

SHA512
98e831104c57c70f6af75fe6179f558b3cafd201b355176e8c47abd68592725fb43f30e967e3cf93d3152e61eb77a89ba9fe5c55da205448a1930509949a3344

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hnhxsnm5.u3q.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
memory/1676-12403-0x00007FFEF8E30000-0x00007FFEF981C000-memory.dmp

Filesize
9.9MB

Download
memory/1676-12429-0x00007FFEF8E30000-0x00007FFEF981C000-memory.dmp

Filesize
9.9MB

Download
memory/1676-12425-0x000001BB2B6E0000-0x000001BB2B6F0000-memory.dmp

Filesize
64KB

Download
memory/1676-12405-0x000001BB2B6E0000-0x000001BB2B6F0000-memory.dmp

Filesize
64KB

Download
memory/1676-12410-0x000001BB2B870000-0x000001BB2B8E6000-memory.dmp

Filesize
472KB

Download
memory/1676-12407-0x000001BB2B6E0000-0x000001BB2B6F0000-memory.dmp

Filesize
64KB

Download
memory/1676-12404-0x000001BB2B640000-0x000001BB2B662000-memory.dmp

Filesize
136KB

Download
memory/3816-12395-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3816-12406-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3816-12396-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3816-12394-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/3816-8348-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download