0ac974d2bc2f50f02685dd576f0e1e0a200dd877259057100be62f78bef9f335

Analysis

max time kernel
60s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cleaner.bat
Size

6KB
MD5

7491a6ad3e6f3be578e6bf7d53be67be
SHA1

49b58131196a6fa137a0f876df02cf7a2d392206
SHA256

0ac974d2bc2f50f02685dd576f0e1e0a200dd877259057100be62f78bef9f335
SHA512

299044beb11523c85029848f4b86470978c4a33105cdfc6c152120f1f2d8cb6952f8c35a6c14b04ccc4745860c7bea5aee446e89a8a4457501c0b22ee8b4a21d
SSDEEP

96:u8SCKCF5iixhyCKCF5iixhl6yZFCKCF5iixhJPIwWCPycZLcZd5h1p1A151uDa7O:u8xAPCaP8Ye

Score

9^/10

discovery evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
2916	wevtutil.exe
3356	wevtutil.exe
2092	wevtutil.exe
2508	wevtutil.exe
4840	wevtutil.exe
1284	wevtutil.exe
4484	wevtutil.exe
3432	wevtutil.exe
4244	wevtutil.exe
2756	wevtutil.exe
3712	wevtutil.exe
4356	wevtutil.exe
8	wevtutil.exe
4836	wevtutil.exe
2992	wevtutil.exe
1624	wevtutil.exe
392	wevtutil.exe
4932	wevtutil.exe
3828	wevtutil.exe
416	wevtutil.exe
2992	wevtutil.exe
1100	wevtutil.exe
960	wevtutil.exe
4844	wevtutil.exe
3104	wevtutil.exe
2240	wevtutil.exe
652	wevtutil.exe
4696	wevtutil.exe
912	wevtutil.exe
3884	wevtutil.exe
4208	wevtutil.exe
1780	wevtutil.exe
1988	wevtutil.exe
4592	wevtutil.exe
5072	wevtutil.exe
1728	wevtutil.exe
1312	wevtutil.exe
4060	wevtutil.exe
4256	wevtutil.exe
3472	wevtutil.exe
4008	wevtutil.exe
3500	wevtutil.exe
4716	wevtutil.exe
512	wevtutil.exe
4312	wevtutil.exe
4544	wevtutil.exe
1480	wevtutil.exe
5096	wevtutil.exe
3320	wevtutil.exe
2576	wevtutil.exe
1112	wevtutil.exe
2872	wevtutil.exe
3224	wevtutil.exe
1100	wevtutil.exe
2576	wevtutil.exe
1796	wevtutil.exe
2060	wevtutil.exe
3144	wevtutil.exe
3904	wevtutil.exe
3964	wevtutil.exe
4548	wevtutil.exe
1968	wevtutil.exe
4756	wevtutil.exe
3500	wevtutil.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4356	PING.EXE
2136	PING.EXE

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4356	PING.EXE
2136	PING.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4224	wevtutil.exe
Token: SeBackupPrivilege	4224	wevtutil.exe
Token: SeSecurityPrivilege	2648	wevtutil.exe
Token: SeBackupPrivilege	2648	wevtutil.exe
Token: SeSecurityPrivilege	5084	wevtutil.exe
Token: SeBackupPrivilege	5084	wevtutil.exe
Token: SeSecurityPrivilege	5108	wevtutil.exe
Token: SeBackupPrivilege	5108	wevtutil.exe
Token: SeSecurityPrivilege	1100	wevtutil.exe
Token: SeBackupPrivilege	1100	wevtutil.exe
Token: SeSecurityPrivilege	4972	wevtutil.exe
Token: SeBackupPrivilege	4972	wevtutil.exe
Token: SeSecurityPrivilege	2992	wevtutil.exe
Token: SeBackupPrivilege	2992	wevtutil.exe
Token: SeSecurityPrivilege	1968	wevtutil.exe
Token: SeBackupPrivilege	1968	wevtutil.exe
Token: SeSecurityPrivilege	4740	wevtutil.exe
Token: SeBackupPrivilege	4740	wevtutil.exe
Token: SeSecurityPrivilege	2060	wevtutil.exe
Token: SeBackupPrivilege	2060	wevtutil.exe
Token: SeSecurityPrivilege	4676	wevtutil.exe
Token: SeBackupPrivilege	4676	wevtutil.exe
Token: SeSecurityPrivilege	1748	wevtutil.exe
Token: SeBackupPrivilege	1748	wevtutil.exe
Token: SeSecurityPrivilege	1500	wevtutil.exe
Token: SeBackupPrivilege	1500	wevtutil.exe
Token: SeSecurityPrivilege	1312	wevtutil.exe
Token: SeBackupPrivilege	1312	wevtutil.exe
Token: SeSecurityPrivilege	1340	wevtutil.exe
Token: SeBackupPrivilege	1340	wevtutil.exe
Token: SeSecurityPrivilege	2240	wevtutil.exe
Token: SeBackupPrivilege	2240	wevtutil.exe
Token: SeSecurityPrivilege	4756	wevtutil.exe
Token: SeBackupPrivilege	4756	wevtutil.exe
Token: SeSecurityPrivilege	3136	wevtutil.exe
Token: SeBackupPrivilege	3136	wevtutil.exe
Token: SeSecurityPrivilege	2576	wevtutil.exe
Token: SeBackupPrivilege	2576	wevtutil.exe
Token: SeSecurityPrivilege	512	wevtutil.exe
Token: SeBackupPrivilege	512	wevtutil.exe
Token: SeSecurityPrivilege	1240	wevtutil.exe
Token: SeBackupPrivilege	1240	wevtutil.exe
Token: SeSecurityPrivilege	4764	wevtutil.exe
Token: SeBackupPrivilege	4764	wevtutil.exe
Token: SeSecurityPrivilege	3428	wevtutil.exe
Token: SeBackupPrivilege	3428	wevtutil.exe
Token: SeSecurityPrivilege	3360	wevtutil.exe
Token: SeBackupPrivilege	3360	wevtutil.exe
Token: SeSecurityPrivilege	1048	wevtutil.exe
Token: SeBackupPrivilege	1048	wevtutil.exe
Token: SeSecurityPrivilege	448	wevtutil.exe
Token: SeBackupPrivilege	448	wevtutil.exe
Token: SeSecurityPrivilege	1084	wevtutil.exe
Token: SeBackupPrivilege	1084	wevtutil.exe
Token: SeSecurityPrivilege	2752	wevtutil.exe
Token: SeBackupPrivilege	2752	wevtutil.exe
Token: SeSecurityPrivilege	8	wevtutil.exe
Token: SeBackupPrivilege	8	wevtutil.exe
Token: SeSecurityPrivilege	4452	wevtutil.exe
Token: SeBackupPrivilege	4452	wevtutil.exe
Token: SeSecurityPrivilege	4592	wevtutil.exe
Token: SeBackupPrivilege	4592	wevtutil.exe
Token: SeSecurityPrivilege	1936	wevtutil.exe
Token: SeBackupPrivilege	1936	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4456	4232	cmd.exe	84
PID 4232 wrote to memory of 4456	4232	cmd.exe	84
PID 4232 wrote to memory of 4780	4232	cmd.exe	89
PID 4232 wrote to memory of 4780	4232	cmd.exe	89
PID 4232 wrote to memory of 4356	4232	cmd.exe	90
PID 4232 wrote to memory of 4356	4232	cmd.exe	90
PID 4232 wrote to memory of 2136	4232	cmd.exe	91
PID 4232 wrote to memory of 2136	4232	cmd.exe	91
PID 4232 wrote to memory of 1660	4232	cmd.exe	92
PID 4232 wrote to memory of 1660	4232	cmd.exe	92
PID 1660 wrote to memory of 4992	1660	cmd.exe	93
PID 1660 wrote to memory of 4992	1660	cmd.exe	93
PID 4232 wrote to memory of 2516	4232	cmd.exe	94
PID 4232 wrote to memory of 2516	4232	cmd.exe	94
PID 2516 wrote to memory of 4224	2516	cmd.exe	95
PID 2516 wrote to memory of 4224	2516	cmd.exe	95
PID 4232 wrote to memory of 2648	4232	cmd.exe	96
PID 4232 wrote to memory of 2648	4232	cmd.exe	96
PID 4232 wrote to memory of 5084	4232	cmd.exe	97
PID 4232 wrote to memory of 5084	4232	cmd.exe	97
PID 4232 wrote to memory of 5108	4232	cmd.exe	98
PID 4232 wrote to memory of 5108	4232	cmd.exe	98
PID 4232 wrote to memory of 1100	4232	cmd.exe	101
PID 4232 wrote to memory of 1100	4232	cmd.exe	101
PID 4232 wrote to memory of 4972	4232	cmd.exe	102
PID 4232 wrote to memory of 4972	4232	cmd.exe	102
PID 4232 wrote to memory of 2992	4232	cmd.exe	103
PID 4232 wrote to memory of 2992	4232	cmd.exe	103
PID 4232 wrote to memory of 1968	4232	cmd.exe	104
PID 4232 wrote to memory of 1968	4232	cmd.exe	104
PID 4232 wrote to memory of 4740	4232	cmd.exe	105
PID 4232 wrote to memory of 4740	4232	cmd.exe	105
PID 4232 wrote to memory of 2060	4232	cmd.exe	106
PID 4232 wrote to memory of 2060	4232	cmd.exe	106
PID 4232 wrote to memory of 4676	4232	cmd.exe	107
PID 4232 wrote to memory of 4676	4232	cmd.exe	107
PID 4232 wrote to memory of 1748	4232	cmd.exe	108
PID 4232 wrote to memory of 1748	4232	cmd.exe	108
PID 4232 wrote to memory of 1500	4232	cmd.exe	109
PID 4232 wrote to memory of 1500	4232	cmd.exe	109
PID 4232 wrote to memory of 1312	4232	cmd.exe	110
PID 4232 wrote to memory of 1312	4232	cmd.exe	110
PID 4232 wrote to memory of 1340	4232	cmd.exe	111
PID 4232 wrote to memory of 1340	4232	cmd.exe	111
PID 4232 wrote to memory of 2240	4232	cmd.exe	113
PID 4232 wrote to memory of 2240	4232	cmd.exe	113
PID 4232 wrote to memory of 4756	4232	cmd.exe	114
PID 4232 wrote to memory of 4756	4232	cmd.exe	114
PID 4232 wrote to memory of 3136	4232	cmd.exe	115
PID 4232 wrote to memory of 3136	4232	cmd.exe	115
PID 4232 wrote to memory of 2576	4232	cmd.exe	116
PID 4232 wrote to memory of 2576	4232	cmd.exe	116
PID 4232 wrote to memory of 512	4232	cmd.exe	117
PID 4232 wrote to memory of 512	4232	cmd.exe	117
PID 4232 wrote to memory of 1240	4232	cmd.exe	118
PID 4232 wrote to memory of 1240	4232	cmd.exe	118
PID 4232 wrote to memory of 4764	4232	cmd.exe	119
PID 4232 wrote to memory of 4764	4232	cmd.exe	119
PID 4232 wrote to memory of 3428	4232	cmd.exe	120
PID 4232 wrote to memory of 3428	4232	cmd.exe	120
PID 4232 wrote to memory of 3360	4232	cmd.exe	121
PID 4232 wrote to memory of 3360	4232	cmd.exe	121
PID 4232 wrote to memory of 1048	4232	cmd.exe	122
PID 4232 wrote to memory of 1048	4232	cmd.exe	122

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\cleaner.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Windows\system32\mode.com
  mode con: cols=85 lines=15
  2⤵
  PID:4456
- C:\Windows\system32\mode.com
  mode con: cols=83 lines=35
  2⤵
  PID:4780
- C:\Windows\system32\PING.EXE
  PING localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4356
- C:\Windows\system32\PING.EXE
  PING localhost -n 3
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\system32\bcdedit.exe
    bcdedit
    3⤵
    PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil.exe el
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe el
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4224
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AMSI/Debug"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AirSpaceChannel"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Analytic"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Application"
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowFilterGraph"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4972
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowPluginControl"
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Els_Hyphenation/Analytic"
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "EndpointMapper"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "FirstUXPerf-Analytic"
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "ForwardedEvents"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "General Logging"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "HardwareEvents"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "IHM_DebugChannel"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3136
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Internet Explorer"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Key Management Service"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3360
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationFrameServer"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProc"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProcD3D"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationAsyncWrapper"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationContentProtection"
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDS"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDeviceProxy"
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMP4"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMediaEngine"
  2⤵
  PID:4812
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformance"
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformanceCore"
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPipeline"
  2⤵
  - Clears Windows event logs
  PID:1112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPlatform"
  2⤵
  PID:2680
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationSrcPrefetch"
  2⤵
  PID:4872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Admin"
  2⤵
  PID:4316
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Debug"
  2⤵
  PID:4548
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Operational"
  2⤵
  PID:4504
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
  2⤵
  PID:232
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
  2⤵
  PID:4456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
  2⤵
  - Clears Windows event logs
  PID:2092
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
  2⤵
  PID:2208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IE/Diagnostic"
  2⤵
  PID:2448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
  2⤵
  PID:4008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
  2⤵
  PID:2552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
  2⤵
  PID:2948
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:1988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
  2⤵
  PID:2312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
  2⤵
  - Clears Windows event logs
  PID:1728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
  2⤵
  - Clears Windows event logs
  PID:3144
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
  2⤵
  PID:4208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
  2⤵
  PID:1456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
  2⤵
  PID:1796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
  2⤵
  PID:220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
  2⤵
  PID:3208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
  2⤵
  - Clears Windows event logs
  PID:3904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
  2⤵
  PID:2480
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
  2⤵
  PID:4400
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
  2⤵
  PID:1124
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
  2⤵
  - Clears Windows event logs
  PID:2872
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
  2⤵
  PID:4984
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
  2⤵
  - Clears Windows event logs
  PID:2508
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
  2⤵
  PID:4748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
  2⤵
  PID:1836
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
  2⤵
  PID:1464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
  2⤵
  PID:916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
  2⤵
  PID:2884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
  2⤵
  PID:4372
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
  2⤵
  PID:2344
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
  2⤵
  PID:1992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
  2⤵
  - Clears Windows event logs
  PID:1100
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
  2⤵
  PID:1484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
  2⤵
  - Clears Windows event logs
  PID:3964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
  2⤵
  PID:4776
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
  2⤵
  PID:3984
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
  2⤵
  - Clears Windows event logs
  PID:4840
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
  2⤵
  PID:1336
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppSruProv"
  2⤵
  PID:2060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
  2⤵
  PID:4676
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
  2⤵
  PID:1748
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
  2⤵
  PID:4272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:960
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
  2⤵
  PID:4680
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
  2⤵
  PID:3548
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
  2⤵
  - Clears Windows event logs
  PID:1312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
  2⤵
  PID:2272
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
  2⤵
  PID:1860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
  2⤵
  - Clears Windows event logs
  PID:3472
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
  2⤵
  PID:3800
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
  2⤵
  PID:2200
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
  2⤵
  - Clears Windows event logs
  PID:912
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
  2⤵
  PID:3136
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
  2⤵
  - Clears Windows event logs
  PID:2576
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
  2⤵
  - Clears Windows event logs
  PID:512
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
  2⤵
  PID:1240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
  2⤵
  PID:4764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
  2⤵
  - Clears Windows event logs
  PID:1284
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
  2⤵
  PID:1688
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
  2⤵
  PID:264
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
  2⤵
  PID:892
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
  2⤵
  - Clears Windows event logs
  PID:4484
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
  2⤵
  PID:116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
  2⤵
  PID:440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
  2⤵
  PID:1276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
  2⤵
  PID:2744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
  2⤵
  PID:1012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
  2⤵
  - Clears Windows event logs
  PID:4844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
  2⤵
  - Clears Windows event logs
  PID:3500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
  2⤵
  - Clears Windows event logs
  PID:392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
  2⤵
  PID:4352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
  2⤵
  - Clears Windows event logs
  PID:4312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
  2⤵
  PID:1244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
  2⤵
  PID:1352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
  2⤵
  - Clears Windows event logs
  PID:3884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
  2⤵
  - Clears Windows event logs
  PID:3432
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
  2⤵
  PID:4420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:4932
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
  2⤵
  PID:3908
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
  2⤵
  PID:4408
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
  2⤵
  PID:1564
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Backup"
  2⤵
  PID:2596
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
  2⤵
  PID:2152
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
  2⤵
  PID:4048
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:3828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
  2⤵
  PID:4852
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
  2⤵
  PID:3524
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
  2⤵
  PID:1268
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
  2⤵
  PID:1332
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
  2⤵
  - Clears Windows event logs
  PID:4244
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
  2⤵
  - Clears Windows event logs
  PID:2756
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
  2⤵
  PID:2320
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
  2⤵
  - Clears Windows event logs
  PID:4544
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
  2⤵
  PID:5096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
  2⤵
  PID:4276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
  2⤵
  PID:4168
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
  2⤵
  PID:3320
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
  2⤵
  PID:4716
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
  2⤵
  PID:1720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
  2⤵
  PID:4356
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
  2⤵
  PID:3248
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
  2⤵
  - Clears Windows event logs
  PID:4836
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
  2⤵
  PID:3744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
  2⤵
  PID:112
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
  2⤵
  PID:1660
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
  2⤵
  PID:3052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
  2⤵
  PID:2516
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
  2⤵
  - Clears Windows event logs
  PID:5072
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
  2⤵
  PID:1116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/Call"
  2⤵
  PID:4928
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
  2⤵
  PID:556
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
  2⤵
  PID:2764
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
  2⤵
  PID:1140
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
  2⤵
  - Clears Windows event logs
  PID:416
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
  2⤵
  PID:4424
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
  2⤵
  PID:1032
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
  2⤵
  - Clears Windows event logs
  PID:4060
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
  2⤵
  - Clears Windows event logs
  PID:2992
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
  2⤵
  PID:1236
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
  2⤵
  - Clears Windows event logs
  PID:4256
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
  2⤵
  - Clears Windows event logs
  PID:3104
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
  2⤵
  PID:928
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
  2⤵
  PID:2192
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
  2⤵
  PID:1444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
  2⤵
  PID:1500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
  2⤵
  PID:3420
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
  2⤵
  PID:456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
  2⤵
  PID:4784
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
  2⤵
  PID:1340
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
  2⤵
  - Clears Windows event logs
  PID:2240
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
  2⤵
  PID:3184
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
  2⤵
  PID:3168
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
  2⤵
  PID:2892
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
  2⤵
  - Clears Windows event logs
  PID:2916
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
  2⤵
  - Clears Windows event logs
  PID:1480
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
  2⤵
  PID:3516
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
  2⤵
  - Clears Windows event logs
  PID:1624
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
  2⤵
  PID:628
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
  2⤵
  PID:2996
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
  2⤵
  - Clears Windows event logs
  PID:652
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
  2⤵
  - Clears Windows event logs
  PID:3712
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
  2⤵
  PID:1260
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
  2⤵
  PID:116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
  2⤵
  PID:440
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
  2⤵
  PID:1276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
  2⤵
  PID:2744
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
  2⤵
  PID:1012
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
  2⤵
  PID:4844
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
  2⤵
  - Clears Windows event logs
  PID:3500
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
  2⤵
  PID:3552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
  2⤵
  PID:392
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
  2⤵
  PID:4352
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
  2⤵
  PID:4176
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
  2⤵
  - Clears Windows event logs
  PID:4548
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
  2⤵
  PID:452
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
  2⤵
  PID:2000
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:3224
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
  2⤵
  PID:4832
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
  2⤵
  PID:2208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
  2⤵
  PID:2448
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
  2⤵
  - Clears Windows event logs
  PID:4008
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
  2⤵
  PID:2552
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
  2⤵
  PID:2116
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
  2⤵
  PID:1904
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
  2⤵
  PID:2312
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
  2⤵
  PID:1728
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
  2⤵
  PID:3332
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
  2⤵
  PID:4388
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
  2⤵
  - Clears Windows event logs
  PID:4208
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
  2⤵
  PID:1456
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
  2⤵
  - Clears Windows event logs
  PID:1796
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
  2⤵
  - Clears Windows event logs
  PID:1780
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
  2⤵
  PID:3400
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
  2⤵
  - Clears Windows event logs
  PID:4696
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
  2⤵
  PID:4444
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
  2⤵
  PID:5076
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
  2⤵
  PID:860
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
  2⤵
  - Clears Windows event logs
  PID:3356
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
  2⤵
  PID:4964
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:5096
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
  2⤵
  PID:4276
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
  2⤵
  PID:4168
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
  2⤵
  - Clears Windows event logs
  PID:3320
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
  2⤵
  - Clears Windows event logs
  PID:4716
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
  2⤵
  PID:1720
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
  2⤵
  - Clears Windows event logs
  PID:4356
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
  2⤵
  PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads