e4a4c30f83ba7aed69147a638a6dffecfc0cf5a09d0aa03c183f6f76b3587ae7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
Size

6.3MB
MD5

b44a14d100a9055a3d2ec786ac0b0605
SHA1

1e5f4d92fa8523505ba7c8e560a7c5a3a64bb237
SHA256

e4a4c30f83ba7aed69147a638a6dffecfc0cf5a09d0aa03c183f6f76b3587ae7
SHA512

41db16c5a50a5e4f65ec5fcbc1cc3344e3aacfca755231114b14fb636618c349482889ca873a7c13c73df4738602c6bd07949f4750b78b2228a448bc588cd9b9
SSDEEP

196608:jVkpVLECFbM7eLIbS46cDFQZNlZRM3XdaIv:j6dFw7eLIb2mQZTvuaIv

Score

10^/10

discovery evasion persistence ransomware

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
2008	fsutil.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
3188	wevtutil.exe
3704	wevtutil.exe
3628	wevtutil.exe
1560	Process not Found
4864	wevtutil.exe
1676	wevtutil.exe
3492	wevtutil.exe
2928	wevtutil.exe
428	wevtutil.exe
408	wevtutil.exe
3572	wevtutil.exe
2728	wevtutil.exe
4940	wevtutil.exe
2284	wevtutil.exe
4420	wevtutil.exe
2916	wevtutil.exe
4676	wevtutil.exe
4952	wevtutil.exe
2704	wevtutil.exe
4784	wevtutil.exe
3152	Process not Found
1404	wevtutil.exe
3996	wevtutil.exe
3204	wevtutil.exe
1568	wevtutil.exe
4344	wevtutil.exe
1332	wevtutil.exe
4700	wevtutil.exe
3912	wevtutil.exe
4544	wevtutil.exe
4924	wevtutil.exe
5036	wevtutil.exe
1068	wevtutil.exe
3652	wevtutil.exe
3596	Process not Found
1908	Process not Found
2308	wevtutil.exe
3596	wevtutil.exe
2928	wevtutil.exe
2348	wevtutil.exe
1316	Process not Found
428	wevtutil.exe
464	wevtutil.exe
648	wevtutil.exe
2420	wevtutil.exe
2184	wevtutil.exe
2216	wevtutil.exe
4988	wevtutil.exe
4668	wevtutil.exe
3572	wevtutil.exe
3596	wevtutil.exe
5052	wevtutil.exe
1772	wevtutil.exe
1168	wevtutil.exe
5036	wevtutil.exe
1540	wevtutil.exe
3600	wevtutil.exe
4444	wevtutil.exe
4180	wevtutil.exe
4532	wevtutil.exe
1940	wevtutil.exe
3464	wevtutil.exe
2088	wevtutil.exe
972	wevtutil.exe

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
972	wevtutil.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2184	wevtutil.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
Token: 33	2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
Token: SeSecurityPrivilege	1704	wevtutil.exe
Token: SeBackupPrivilege	1704	wevtutil.exe
Token: SeSecurityPrivilege	1904	wevtutil.exe
Token: SeBackupPrivilege	1904	wevtutil.exe
Token: SeSecurityPrivilege	1984	wevtutil.exe
Token: SeBackupPrivilege	1984	wevtutil.exe
Token: SeSecurityPrivilege	3368	wevtutil.exe
Token: SeBackupPrivilege	3368	wevtutil.exe
Token: SeSecurityPrivilege	2852	wevtutil.exe
Token: SeBackupPrivilege	2852	wevtutil.exe
Token: SeSecurityPrivilege	5092	wevtutil.exe
Token: SeBackupPrivilege	5092	wevtutil.exe
Token: SeSecurityPrivilege	1616	wevtutil.exe
Token: SeBackupPrivilege	1616	wevtutil.exe
Token: SeSecurityPrivilege	4800	wevtutil.exe
Token: SeBackupPrivilege	4800	wevtutil.exe
Token: SeSecurityPrivilege	4768	wevtutil.exe
Token: SeBackupPrivilege	4768	wevtutil.exe
Token: SeSecurityPrivilege	1872	wevtutil.exe
Token: SeBackupPrivilege	1872	wevtutil.exe
Token: SeSecurityPrivilege	3224	wevtutil.exe
Token: SeBackupPrivilege	3224	wevtutil.exe
Token: SeSecurityPrivilege	1196	wevtutil.exe
Token: SeBackupPrivilege	1196	wevtutil.exe
Token: SeSecurityPrivilege	4848	wevtutil.exe
Token: SeBackupPrivilege	4848	wevtutil.exe
Token: SeSecurityPrivilege	544	wevtutil.exe
Token: SeBackupPrivilege	544	wevtutil.exe
Token: SeSecurityPrivilege	408	wevtutil.exe
Token: SeBackupPrivilege	408	wevtutil.exe
Token: SeSecurityPrivilege	3412	wevtutil.exe
Token: SeBackupPrivilege	3412	wevtutil.exe
Token: SeSecurityPrivilege	2704	wevtutil.exe
Token: SeBackupPrivilege	2704	wevtutil.exe
Token: SeSecurityPrivilege	368	wevtutil.exe
Token: SeBackupPrivilege	368	wevtutil.exe
Token: SeSecurityPrivilege	3048	wevtutil.exe
Token: SeBackupPrivilege	3048	wevtutil.exe
Token: SeSecurityPrivilege	4912	wevtutil.exe
Token: SeBackupPrivilege	4912	wevtutil.exe
Token: SeSecurityPrivilege	2596	wevtutil.exe
Token: SeBackupPrivilege	2596	wevtutil.exe
Token: SeSecurityPrivilege	3704	wevtutil.exe
Token: SeBackupPrivilege	3704	wevtutil.exe
Token: SeSecurityPrivilege	2136	wevtutil.exe
Token: SeBackupPrivilege	2136	wevtutil.exe
Token: SeSecurityPrivilege	4856	wevtutil.exe
Token: SeBackupPrivilege	4856	wevtutil.exe
Token: SeSecurityPrivilege	2184	wevtutil.exe
Token: SeBackupPrivilege	2184	wevtutil.exe
Token: SeSecurityPrivilege	3596	wevtutil.exe
Token: SeBackupPrivilege	3596	wevtutil.exe
Token: SeSecurityPrivilege	3464	wevtutil.exe
Token: SeBackupPrivilege	3464	wevtutil.exe
Token: SeSecurityPrivilege	1244	wevtutil.exe
Token: SeBackupPrivilege	1244	wevtutil.exe
Token: SeSecurityPrivilege	3648	wevtutil.exe
Token: SeBackupPrivilege	3648	wevtutil.exe
Token: SeSecurityPrivilege	5080	wevtutil.exe
Token: SeBackupPrivilege	5080	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 464	2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe	88
PID 2716 wrote to memory of 464	2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe	88
PID 2716 wrote to memory of 4964	2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe	89
PID 2716 wrote to memory of 4964	2716	b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe	89
PID 4964 wrote to memory of 3132	4964	cmd.exe	92
PID 4964 wrote to memory of 3132	4964	cmd.exe	92
PID 464 wrote to memory of 2008	464	cmd.exe	93
PID 464 wrote to memory of 2008	464	cmd.exe	93
PID 3132 wrote to memory of 1704	3132	cmd.exe	94
PID 3132 wrote to memory of 1704	3132	cmd.exe	94
PID 4964 wrote to memory of 1904	4964	cmd.exe	96
PID 4964 wrote to memory of 1904	4964	cmd.exe	96
PID 4964 wrote to memory of 1984	4964	cmd.exe	97
PID 4964 wrote to memory of 1984	4964	cmd.exe	97
PID 4964 wrote to memory of 3368	4964	cmd.exe	98
PID 4964 wrote to memory of 3368	4964	cmd.exe	98
PID 4964 wrote to memory of 2852	4964	cmd.exe	99
PID 4964 wrote to memory of 2852	4964	cmd.exe	99
PID 4964 wrote to memory of 5092	4964	cmd.exe	100
PID 4964 wrote to memory of 5092	4964	cmd.exe	100
PID 4964 wrote to memory of 1616	4964	cmd.exe	101
PID 4964 wrote to memory of 1616	4964	cmd.exe	101
PID 4964 wrote to memory of 4800	4964	cmd.exe	102
PID 4964 wrote to memory of 4800	4964	cmd.exe	102
PID 4964 wrote to memory of 4768	4964	cmd.exe	103
PID 4964 wrote to memory of 4768	4964	cmd.exe	103
PID 4964 wrote to memory of 1872	4964	cmd.exe	104
PID 4964 wrote to memory of 1872	4964	cmd.exe	104
PID 4964 wrote to memory of 3224	4964	cmd.exe	105
PID 4964 wrote to memory of 3224	4964	cmd.exe	105
PID 4964 wrote to memory of 1196	4964	cmd.exe	106
PID 4964 wrote to memory of 1196	4964	cmd.exe	106
PID 4964 wrote to memory of 4848	4964	cmd.exe	107
PID 4964 wrote to memory of 4848	4964	cmd.exe	107
PID 4964 wrote to memory of 544	4964	cmd.exe	108
PID 4964 wrote to memory of 544	4964	cmd.exe	108
PID 4964 wrote to memory of 408	4964	cmd.exe	109
PID 4964 wrote to memory of 408	4964	cmd.exe	109
PID 4964 wrote to memory of 3412	4964	cmd.exe	110
PID 4964 wrote to memory of 3412	4964	cmd.exe	110
PID 4964 wrote to memory of 2704	4964	cmd.exe	111
PID 4964 wrote to memory of 2704	4964	cmd.exe	111
PID 4964 wrote to memory of 368	4964	cmd.exe	112
PID 4964 wrote to memory of 368	4964	cmd.exe	112
PID 4964 wrote to memory of 3048	4964	cmd.exe	113
PID 4964 wrote to memory of 3048	4964	cmd.exe	113
PID 4964 wrote to memory of 4912	4964	cmd.exe	114
PID 4964 wrote to memory of 4912	4964	cmd.exe	114
PID 4964 wrote to memory of 2596	4964	cmd.exe	115
PID 4964 wrote to memory of 2596	4964	cmd.exe	115
PID 4964 wrote to memory of 3704	4964	cmd.exe	116
PID 4964 wrote to memory of 3704	4964	cmd.exe	116
PID 4964 wrote to memory of 2136	4964	cmd.exe	117
PID 4964 wrote to memory of 2136	4964	cmd.exe	117
PID 4964 wrote to memory of 4856	4964	cmd.exe	118
PID 4964 wrote to memory of 4856	4964	cmd.exe	118
PID 4964 wrote to memory of 2184	4964	cmd.exe	119
PID 4964 wrote to memory of 2184	4964	cmd.exe	119
PID 4964 wrote to memory of 3596	4964	cmd.exe	120
PID 4964 wrote to memory of 3596	4964	cmd.exe	120
PID 4964 wrote to memory of 3464	4964	cmd.exe	121
PID 4964 wrote to memory of 3464	4964	cmd.exe	121
PID 4964 wrote to memory of 1244	4964	cmd.exe	122
PID 4964 wrote to memory of 1244	4964	cmd.exe	122

C:\Users\Admin\AppData\Local\Temp\b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b44a14d100a9055a3d2ec786ac0b0605_JaffaCakes118.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C fsutil usn deletejournal /D C:
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\system32\fsutil.exe
    fsutil usn deletejournal /D C:
    3⤵
    - Deletes NTFS Change Journal
    PID:2008
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AMSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AirSpaceChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "FirstUXPerf-Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "General Logging"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "IHM_DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationFrameServer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProc"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProcD3D"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:3464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationAsyncWrapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationContentProtection"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDS"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMP4"
    3⤵
    PID:1692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMediaEngine"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:1304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformanceCore"
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:3312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"
    3⤵
    PID:3684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:3424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:2800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    - Clears Windows event logs
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:1568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:2308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:4544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:3996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:5020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    - Clears Windows event logs
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:1064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:3100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:3488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:3076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:2052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:4540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:2128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:4968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:4716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:3752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:4536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:3396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:636
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:5044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:3028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:4328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:1936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:1268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:1460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    - Clears Windows event logs
    PID:1404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:2008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    PID:2808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:3008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:3132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:1376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:2728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:3884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:3652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:2528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:3144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:3808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:4012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:5056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:3412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    - Clears Windows event logs
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    - Clears Windows event logs
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:2136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:3320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:3848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:4612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    - Clears Windows event logs
    PID:3492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:1084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:1020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:4864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    PID:2124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    PID:3208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    PID:2476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:3204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    PID:4380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:2612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:3100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:4044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:4020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:4324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:2052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:4540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:2128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:3980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:3660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    PID:4652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:4740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:1960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:2792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:1436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:4532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    - Clears Windows event logs
    PID:464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:3632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:2236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:4248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:1904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:1388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    - Clears Windows event logs
    PID:648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:2852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:3844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    - Clears Windows event logs
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:3040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:2796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:3608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    PID:3348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:2948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:4492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:1692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:4556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:1304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:3512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:3212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:2468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:3684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:3912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:3644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:4356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    - Clears Windows event logs
    PID:3996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:1964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:2644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:4020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:3724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:4772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:3496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:2128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:3752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:4236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:1960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:2792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:4328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:1956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:3988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:4960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:3132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:2940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    PID:1904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:1388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:1892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    PID:4028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:4064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    PID:3808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
    3⤵
    PID:4012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:2144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
    3⤵
    PID:4700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    PID:3548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    PID:2192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:2684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
    3⤵
    - Clears Windows event logs
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:2088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:3464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:2148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    - Clears Windows event logs
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:3848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:4612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:3492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:1148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:1020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    - Clears Windows event logs
    PID:4864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:2124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:1528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:2612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:1152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:4420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:4540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:3000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
    3⤵
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
    3⤵
    PID:5044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
    3⤵
    PID:1672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:2808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:4692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:3856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:1280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:1372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
    3⤵
    PID:3152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
    3⤵
    PID:1388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
    3⤵
    PID:2852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    - Clears Windows event logs
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:3844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
    3⤵
    PID:972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
    3⤵
    PID:4004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
    3⤵
    PID:2252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
    3⤵
    PID:1316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
    3⤵
    PID:2504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
    3⤵
    PID:3664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:3040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:2264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
    3⤵
    PID:3548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:2192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:2684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
    3⤵
    - Clears Windows event logs
    PID:2088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
    3⤵
    - Clears Windows event logs
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
    3⤵
    PID:3464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
    3⤵
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
    3⤵
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:3848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:5024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:3212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:2468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
    3⤵
    PID:3684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
    3⤵
    PID:3644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
    3⤵
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
    3⤵
    - Clears Windows event logs
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
    3⤵
    PID:1528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
    3⤵
    PID:536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
    3⤵
    PID:528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
    3⤵
    PID:524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
    3⤵
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
    3⤵
    PID:1152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
    3⤵
    - Clears Windows event logs
    PID:4420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
    3⤵
    PID:4540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
    3⤵
    PID:3000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:5044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:4328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
    3⤵
    PID:1672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:2808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:4692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:3856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:1280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
    3⤵
    PID:1372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:3152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:1388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:2852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:2528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
    3⤵
    PID:3808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
    3⤵
    PID:2144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
    3⤵
    PID:3088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
    3⤵
    PID:400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
    3⤵
    PID:512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
    3⤵
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
    3⤵
    PID:4700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
    3⤵
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
    3⤵
    PID:1848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
    3⤵
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
    3⤵
    PID:2772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:1164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
    3⤵
    PID:384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
    3⤵
    PID:2184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
    3⤵
    PID:920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
    3⤵
    PID:3044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
    3⤵
    PID:2148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
    3⤵
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
    3⤵
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
    3⤵
    PID:1964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
    3⤵
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
    3⤵
    PID:3848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:5024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
    3⤵
    PID:3212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
    3⤵
    PID:2468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
    3⤵
    PID:3684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    - Clears Windows event logs
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:3912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:3644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    - Clears Windows event logs
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:1528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
    3⤵
    PID:536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
    3⤵
    PID:528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
    3⤵
    PID:2984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
    3⤵
    PID:4324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
    3⤵
    PID:5072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:2400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
    3⤵
    PID:4968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:4652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:3172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
    3⤵
    PID:4676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
    3⤵
    PID:4532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
    3⤵
    PID:464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:2544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:2236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
    3⤵
    PID:4248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
    3⤵
    PID:1376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
    3⤵
    PID:2728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    PID:1360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
    3⤵
    PID:648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
    3⤵
    PID:3884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
    3⤵
    PID:732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:3652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    - Clears Windows event logs
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:4004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:2144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    PID:400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:4700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:1848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    PID:2772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
    3⤵
    PID:1164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
    3⤵
    PID:384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    - Clears Windows event logs
    PID:2184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:3044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:3600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:2148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:1964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
    3⤵
    PID:3512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:3312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:3460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:2784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:3424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:2800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:3892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    PID:4356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:2612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:3076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:1940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:4280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
    3⤵
    PID:4536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
    3⤵
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
    3⤵
    - Clears Windows event logs
    PID:4532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
    3⤵
    PID:464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
    3⤵
    PID:2544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
    3⤵
    PID:2236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:1376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:2728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:1360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:3884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:3652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
    3⤵
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
    3⤵
    PID:3088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
    3⤵
    PID:4004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
    3⤵
    PID:2144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
    3⤵
    PID:512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
    3⤵
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
    3⤵
    PID:4700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:1848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    - Clears Windows event logs
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
    3⤵
    PID:2772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
    3⤵
    PID:1164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
    3⤵
    - System Time Discovery
    PID:2184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:3044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
    3⤵
    PID:3600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
    3⤵
    PID:2148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
    3⤵
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:1964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
    3⤵
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:1084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:3460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:2784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
    3⤵
    PID:736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
    3⤵
    PID:2800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:3912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
    3⤵
    PID:3644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
    3⤵
    - Clears Windows event logs
    PID:3204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
    3⤵
    PID:4044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
    3⤵
    PID:2612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:3980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
    3⤵
    PID:4968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
    3⤵
    PID:3172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
    3⤵
    PID:2412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
    3⤵
    PID:4676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
    3⤵
    PID:1672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
    3⤵
    PID:2808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
    3⤵
    PID:4960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
    3⤵
    PID:4248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
    3⤵
    PID:3376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
    3⤵
    PID:3920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
    3⤵
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:3084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
    3⤵
    PID:3224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:2252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
    3⤵
    PID:1316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
    3⤵
    PID:2504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
    3⤵
    PID:3664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
    3⤵
    PID:3040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:2264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:3548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
    3⤵
    PID:2192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:2684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
    3⤵
    PID:2088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
    3⤵
    - Clears Windows event logs
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
    3⤵
    PID:3464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
    3⤵
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
    3⤵
    PID:3520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
    3⤵
    PID:1068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
    3⤵
    PID:1972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
    3⤵
    PID:2308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:3312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
    3⤵
    - Clears Windows event logs
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
    3⤵
    PID:3424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
    3⤵
    PID:3684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:3912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:3644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
    3⤵
    PID:3204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    - Clears Windows event logs
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
    3⤵
    PID:4044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:2612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:3752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:2792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:1956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
    3⤵
    PID:4252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
    3⤵
    PID:2312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
    3⤵
    PID:2808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
    3⤵
    PID:404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
    3⤵
    PID:1904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
    3⤵
    PID:3152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:4028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:2852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:4064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
    3⤵
    PID:4080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
    3⤵
    PID:2700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
    3⤵
    PID:4576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
    3⤵
    PID:1240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
    3⤵
    PID:2616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
    3⤵
    PID:3504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
    3⤵
    PID:4068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
    3⤵
    PID:3960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
    3⤵
    PID:2796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
    3⤵
    PID:3608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
    3⤵
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
    3⤵
    PID:368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
    3⤵
    PID:4912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
    3⤵
    PID:2596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
    3⤵
    PID:3568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
    3⤵
    PID:3348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
    3⤵
    PID:2948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
    3⤵
    PID:624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
    3⤵
    PID:4932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
    3⤵
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
    3⤵
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
    3⤵
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
    3⤵
    PID:1964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
    3⤵
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:1084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
    3⤵
    PID:524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
    3⤵
    PID:2784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
    3⤵
    PID:736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:1568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
    3⤵
    PID:3200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
    3⤵
    PID:3892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
    3⤵
    PID:508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
    3⤵
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
    3⤵
    PID:3996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
    3⤵
    PID:1064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
    3⤵
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
    3⤵
    - Clears Windows event logs
    PID:1940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
    3⤵
    PID:3000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
    3⤵
    PID:4280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
    3⤵
    PID:4328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:1436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
    3⤵
    - Clears Windows event logs
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
    3⤵
    PID:3632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
    3⤵
    PID:464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
    3⤵
    PID:4960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
    3⤵
    PID:1376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    - Clears Windows event logs
    PID:2728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
    3⤵
    PID:1360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
    3⤵
    PID:1388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
    3⤵
    PID:3884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:2528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:3808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
    3⤵
    PID:5056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
    3⤵
    PID:3088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
    3⤵
    PID:4004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
    3⤵
    PID:2144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
    3⤵
    - Clears Windows event logs
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
    3⤵
    PID:400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
    3⤵
    PID:512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
    3⤵
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:4700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
    3⤵
    PID:2192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
    3⤵
    PID:2684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
    3⤵
    PID:2088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:3600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
    3⤵
    PID:740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
    3⤵
    PID:4360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:1692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
    3⤵
    PID:2308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
    3⤵
    PID:3312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:3424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
    3⤵
    PID:2800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
    3⤵
    PID:3684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
    3⤵
    PID:3912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
    3⤵
    PID:3644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
    3⤵
    PID:3204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:4044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:2612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
    3⤵
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
    3⤵
    PID:4328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
    3⤵
    PID:1436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
    3⤵
    PID:2312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
    3⤵
    PID:1904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
    3⤵
    PID:3152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
    3⤵
    PID:4028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
    3⤵
    PID:2852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
    3⤵
    PID:4064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
    3⤵
    PID:4080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
    3⤵
    PID:1440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
    3⤵
    PID:3380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
    3⤵
    - Clears Windows event logs
    PID:2348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
    3⤵
    PID:512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
    3⤵
    PID:4700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
    3⤵
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
    3⤵
    PID:2192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
    3⤵
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
    3⤵
    PID:3568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
    3⤵
    PID:3348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
    3⤵
    PID:2948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
    3⤵
    PID:624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
    3⤵
    PID:4492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Store/Operational"
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
    3⤵
    PID:4360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:1692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
    3⤵
    PID:1404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:3688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
    3⤵
    PID:4464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:2308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
    3⤵
    PID:4524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
    3⤵
    PID:3312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:3424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:2800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:3684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
    3⤵
    PID:3012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
    3⤵
    PID:508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
    3⤵
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
    3⤵
    PID:3996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
    3⤵
    PID:1064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:3724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:3000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
    3⤵
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:5044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:1936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:2412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:3988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:3612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:2312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:4248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:1372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:2988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
    3⤵
    PID:732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
    3⤵
    PID:3652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
    3⤵
    PID:2952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:2252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    - Clears Windows event logs
    PID:4700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:2192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
    3⤵
    PID:2596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:4920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
    3⤵
    PID:1532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
    3⤵
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"
    3⤵
    - Clears Windows event logs
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
    3⤵
    PID:3600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:3520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    - Clears Windows event logs
    PID:1068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
    3⤵
    PID:4556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:2476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:1268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:3836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:1304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
    3⤵
    PID:2168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:3848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:1148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"
    3⤵
    PID:788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
    3⤵
    PID:3964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
    3⤵
    PID:3952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:1020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
    3⤵
    PID:1568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"
    3⤵
    PID:2124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:3644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
    3⤵
    PID:3204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
    3⤵
    PID:1940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
    3⤵
    PID:4280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
    3⤵
    PID:1436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:1672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:2504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
    3⤵
    PID:2312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
    3⤵
    PID:4248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
    3⤵
    PID:1372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:2988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
    3⤵
    PID:648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"
    3⤵
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:2952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
    3⤵
    PID:1316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"
    3⤵
    PID:3504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:4068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:3960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:3548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:3248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
    3⤵
    PID:2772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:2136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:2184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"
    3⤵
    PID:3044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:2088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"
    3⤵
    PID:624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:4492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:4360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"
    3⤵
    PID:4984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
    3⤵
    PID:1692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"
    3⤵
    PID:916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPUS/Analytic"
    3⤵
    PID:1404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:4464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2716-0-0x0000000140147000-0x0000000140539000-memory.dmp

Filesize
3.9MB

Download
memory/2716-3-0x0000000140000000-0x0000000140B64000-memory.dmp

Filesize
11.4MB

Download
memory/2716-2-0x00007FFECC8E0000-0x00007FFECC8E2000-memory.dmp

Filesize
8KB

Download
memory/2716-1-0x00007FFECC8D0000-0x00007FFECC8D2000-memory.dmp

Filesize
8KB

Download
memory/2716-7-0x0000000140147000-0x0000000140539000-memory.dmp

Filesize
3.9MB

Download
memory/2716-8-0x0000000140000000-0x0000000140B64000-memory.dmp

Filesize
11.4MB

Download