xworm | 3e6f0de70c94df15b3aecb8ce4370e26b62fa38a24bf3710d0d9f0a28b4da656

Analysis

max time kernel
65s
max time network
65s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17/11/2024, 00:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FPS_BY FILMGODX.exe
Size

98KB
MD5

20f5290def51514fefaed2b744ed961c
SHA1

546f5c611c1d35c5104e2792c76934746f637987
SHA256

3e6f0de70c94df15b3aecb8ce4370e26b62fa38a24bf3710d0d9f0a28b4da656
SHA512

578c4cc3b0375587d13f4b6f28d063322aa4df1dc3a439bc2f22da57475d191b78f7cc6590483ba4462af5a70d7aa73fb6784ae527e46f8e64cb31b3274ef3e2
SSDEEP

3072:gZtcSVYnM7ByozguHogUDqGB5xY7iBCYs9:gXFyaByoUuInqs0

Score

10^/10

xworm discovery evasion execution persistence ransomware rat trojan

Malware Config

Extracted

Family

xworm

45.141.27.248:7777

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x001c00000002aa9b-9.dat	family_xworm
behavioral2/memory/3160-17-0x0000000000780000-0x000000000079A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
2664	wevtutil.exe
3340	wevtutil.exe
4160	wevtutil.exe
1524	wevtutil.exe
4304	wevtutil.exe
4864	wevtutil.exe
3404	wevtutil.exe
5076	wevtutil.exe
1748	wevtutil.exe
220	wevtutil.exe
4228	wevtutil.exe
1504	wevtutil.exe
3864	wevtutil.exe
4776	wevtutil.exe
1896	wevtutil.exe
4428	wevtutil.exe
1840	wevtutil.exe
5028	wevtutil.exe
236	wevtutil.exe
3732	wevtutil.exe
5008	wevtutil.exe
3360	wevtutil.exe
4652	wevtutil.exe
1748	wevtutil.exe
956	wevtutil.exe
3764	wevtutil.exe
2624	wevtutil.exe
2116	wevtutil.exe
1844	wevtutil.exe
2176	wevtutil.exe
3168	wevtutil.exe
3376	wevtutil.exe
1968	wevtutil.exe
3124	wevtutil.exe
2588	wevtutil.exe
2584	wevtutil.exe
2620	wevtutil.exe
4628	wevtutil.exe
3400	wevtutil.exe
1668	wevtutil.exe
1524	wevtutil.exe
560	wevtutil.exe
2116	wevtutil.exe
3484	wevtutil.exe
3640	wevtutil.exe
4412	wevtutil.exe
1348	wevtutil.exe
2096	wevtutil.exe
1248	wevtutil.exe
4344	wevtutil.exe
4092	wevtutil.exe
3152	wevtutil.exe
5008	wevtutil.exe
1196	wevtutil.exe
2928	wevtutil.exe
924	wevtutil.exe
2288	wevtutil.exe
3864	wevtutil.exe
3484	wevtutil.exe
1696	wevtutil.exe
1700	wevtutil.exe
3404	wevtutil.exe
2376	wevtutil.exe
1464	wevtutil.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
852	powershell.exe
4748	powershell.exe
4784	powershell.exe
2624	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 2 IoCs

pid	Process
3160	svchost.exe
3704	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2812	wevtutil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
696	wevtutil.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4784	powershell.exe
4784	powershell.exe
2624	powershell.exe
2624	powershell.exe
852	powershell.exe
852	powershell.exe
4748	powershell.exe
4748	powershell.exe
3160	svchost.exe
3160	svchost.exe
3160	svchost.exe
3160	svchost.exe
3160	svchost.exe
3160	svchost.exe
3160	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3160	svchost.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeDebugPrivilege	3160	svchost.exe
Token: SeDebugPrivilege	3704	svchost.exe
Token: SeSecurityPrivilege	4332	wevtutil.exe
Token: SeBackupPrivilege	4332	wevtutil.exe
Token: SeSecurityPrivilege	3760	wevtutil.exe
Token: SeBackupPrivilege	3760	wevtutil.exe
Token: SeSecurityPrivilege	4616	wevtutil.exe
Token: SeBackupPrivilege	4616	wevtutil.exe
Token: SeSecurityPrivilege	2588	wevtutil.exe
Token: SeBackupPrivilege	2588	wevtutil.exe
Token: SeSecurityPrivilege	8	wevtutil.exe
Token: SeBackupPrivilege	8	wevtutil.exe
Token: SeSecurityPrivilege	4504	wevtutil.exe
Token: SeBackupPrivilege	4504	wevtutil.exe
Token: SeSecurityPrivilege	1584	wevtutil.exe
Token: SeBackupPrivilege	1584	wevtutil.exe
Token: SeSecurityPrivilege	4776	wevtutil.exe
Token: SeBackupPrivilege	4776	wevtutil.exe
Token: SeSecurityPrivilege	4836	wevtutil.exe
Token: SeBackupPrivilege	4836	wevtutil.exe
Token: SeSecurityPrivilege	3400	wevtutil.exe
Token: SeBackupPrivilege	3400	wevtutil.exe
Token: SeSecurityPrivilege	4844	wevtutil.exe
Token: SeBackupPrivilege	4844	wevtutil.exe
Token: SeSecurityPrivilege	2200	wevtutil.exe
Token: SeBackupPrivilege	2200	wevtutil.exe
Token: SeSecurityPrivilege	4972	wevtutil.exe
Token: SeBackupPrivilege	4972	wevtutil.exe
Token: SeSecurityPrivilege	960	wevtutil.exe
Token: SeBackupPrivilege	960	wevtutil.exe
Token: SeSecurityPrivilege	4864	wevtutil.exe
Token: SeBackupPrivilege	4864	wevtutil.exe
Token: SeSecurityPrivilege	872	wevtutil.exe
Token: SeBackupPrivilege	872	wevtutil.exe
Token: SeSecurityPrivilege	1388	wevtutil.exe
Token: SeBackupPrivilege	1388	wevtutil.exe
Token: SeSecurityPrivilege	1524	wevtutil.exe
Token: SeBackupPrivilege	1524	wevtutil.exe
Token: SeSecurityPrivilege	4916	wevtutil.exe
Token: SeBackupPrivilege	4916	wevtutil.exe
Token: SeSecurityPrivilege	3448	wevtutil.exe
Token: SeBackupPrivilege	3448	wevtutil.exe
Token: SeSecurityPrivilege	3828	wevtutil.exe
Token: SeBackupPrivilege	3828	wevtutil.exe
Token: SeSecurityPrivilege	3096	wevtutil.exe
Token: SeBackupPrivilege	3096	wevtutil.exe
Token: SeSecurityPrivilege	3020	wevtutil.exe
Token: SeBackupPrivilege	3020	wevtutil.exe
Token: SeSecurityPrivilege	1876	wevtutil.exe
Token: SeBackupPrivilege	1876	wevtutil.exe
Token: SeSecurityPrivilege	2564	wevtutil.exe
Token: SeBackupPrivilege	2564	wevtutil.exe
Token: SeSecurityPrivilege	4928	wevtutil.exe
Token: SeBackupPrivilege	4928	wevtutil.exe
Token: SeSecurityPrivilege	4436	wevtutil.exe
Token: SeBackupPrivilege	4436	wevtutil.exe
Token: SeSecurityPrivilege	1752	wevtutil.exe
Token: SeBackupPrivilege	1752	wevtutil.exe
Token: SeSecurityPrivilege	4424	wevtutil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3160	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 2248	3712	FPS_BY FILMGODX.exe	79
PID 3712 wrote to memory of 2248	3712	FPS_BY FILMGODX.exe	79
PID 3712 wrote to memory of 3160	3712	FPS_BY FILMGODX.exe	81
PID 3712 wrote to memory of 3160	3712	FPS_BY FILMGODX.exe	81
PID 2248 wrote to memory of 4172	2248	cmd.exe	82
PID 2248 wrote to memory of 4172	2248	cmd.exe	82
PID 2248 wrote to memory of 4208	2248	cmd.exe	83
PID 2248 wrote to memory of 4208	2248	cmd.exe	83
PID 2248 wrote to memory of 3788	2248	cmd.exe	84
PID 2248 wrote to memory of 3788	2248	cmd.exe	84
PID 3160 wrote to memory of 4784	3160	svchost.exe	87
PID 3160 wrote to memory of 4784	3160	svchost.exe	87
PID 3160 wrote to memory of 2624	3160	svchost.exe	89
PID 3160 wrote to memory of 2624	3160	svchost.exe	89
PID 3160 wrote to memory of 852	3160	svchost.exe	91
PID 3160 wrote to memory of 852	3160	svchost.exe	91
PID 3160 wrote to memory of 4748	3160	svchost.exe	93
PID 3160 wrote to memory of 4748	3160	svchost.exe	93
PID 3160 wrote to memory of 844	3160	svchost.exe	95
PID 3160 wrote to memory of 844	3160	svchost.exe	95
PID 2248 wrote to memory of 696	2248	cmd.exe	98
PID 2248 wrote to memory of 696	2248	cmd.exe	98
PID 696 wrote to memory of 4332	696	cmd.exe	99
PID 696 wrote to memory of 4332	696	cmd.exe	99
PID 2248 wrote to memory of 3760	2248	cmd.exe	100
PID 2248 wrote to memory of 3760	2248	cmd.exe	100
PID 2248 wrote to memory of 4616	2248	cmd.exe	101
PID 2248 wrote to memory of 4616	2248	cmd.exe	101
PID 2248 wrote to memory of 2588	2248	cmd.exe	102
PID 2248 wrote to memory of 2588	2248	cmd.exe	102
PID 2248 wrote to memory of 8	2248	cmd.exe	103
PID 2248 wrote to memory of 8	2248	cmd.exe	103
PID 2248 wrote to memory of 4504	2248	cmd.exe	104
PID 2248 wrote to memory of 4504	2248	cmd.exe	104
PID 2248 wrote to memory of 1584	2248	cmd.exe	105
PID 2248 wrote to memory of 1584	2248	cmd.exe	105
PID 2248 wrote to memory of 4776	2248	cmd.exe	106
PID 2248 wrote to memory of 4776	2248	cmd.exe	106
PID 2248 wrote to memory of 4836	2248	cmd.exe	107
PID 2248 wrote to memory of 4836	2248	cmd.exe	107
PID 2248 wrote to memory of 3400	2248	cmd.exe	108
PID 2248 wrote to memory of 3400	2248	cmd.exe	108
PID 2248 wrote to memory of 4620	2248	cmd.exe	109
PID 2248 wrote to memory of 4620	2248	cmd.exe	109
PID 2248 wrote to memory of 4844	2248	cmd.exe	110
PID 2248 wrote to memory of 4844	2248	cmd.exe	110
PID 2248 wrote to memory of 2200	2248	cmd.exe	111
PID 2248 wrote to memory of 2200	2248	cmd.exe	111
PID 2248 wrote to memory of 4972	2248	cmd.exe	112
PID 2248 wrote to memory of 4972	2248	cmd.exe	112
PID 2248 wrote to memory of 960	2248	cmd.exe	113
PID 2248 wrote to memory of 960	2248	cmd.exe	113
PID 2248 wrote to memory of 4864	2248	cmd.exe	114
PID 2248 wrote to memory of 4864	2248	cmd.exe	114
PID 2248 wrote to memory of 872	2248	cmd.exe	115
PID 2248 wrote to memory of 872	2248	cmd.exe	115
PID 2248 wrote to memory of 1388	2248	cmd.exe	116
PID 2248 wrote to memory of 1388	2248	cmd.exe	116
PID 2248 wrote to memory of 1524	2248	cmd.exe	117
PID 2248 wrote to memory of 1524	2248	cmd.exe	117
PID 2248 wrote to memory of 4916	2248	cmd.exe	118
PID 2248 wrote to memory of 4916	2248	cmd.exe	118
PID 2248 wrote to memory of 3448	2248	cmd.exe	119
PID 2248 wrote to memory of 3448	2248	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\FPS_BY FILMGODX.exe
"C:\Users\Admin\AppData\Local\Temp\FPS_BY FILMGODX.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\FPS_BY FILMGODX.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\system32\mode.com
    Mode 100,25
    3⤵
    PID:4172
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AMSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AirSpaceChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:8
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "FirstUXPerf-Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:4620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "General Logging"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "IHM_DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:4864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationFrameServer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProc"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProcD3D"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationAsyncWrapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationContentProtection"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDS"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:3908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMP4"
    3⤵
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMediaEngine"
    3⤵
    PID:1464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:2756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformanceCore"
    3⤵
    - Clears Windows event logs
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:4308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:1904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:2960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:3576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:1412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:3912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:3732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:3880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-System-Diagnostics-DiagnosticInvoker/Operational"
    3⤵
    PID:1404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:5028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:3884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:4944
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:4112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:1668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:4324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    - Clears Windows event logs
    PID:924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    - Clears Windows event logs
    PID:560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:2552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:3364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:3028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    - Clears Windows event logs
    PID:2116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:1164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:2376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:1548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    - Clears Windows event logs
    PID:1896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    - Clears Windows event logs
    PID:2096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:1012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:2380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:2104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    - Clears Windows event logs
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:1844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:3268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    - Clears Windows event logs
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:4616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:4780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:2444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:4840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:3120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:4676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    - Clears Windows event logs
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:3524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:2988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    - Clears Windows event logs
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:2984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:2236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:3756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:3412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:3500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    - Clears Windows event logs
    PID:4304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:2220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:1240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:1900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:3876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:3568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:3312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:3100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    PID:4968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:336
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:3592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:4964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    PID:3080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:3360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    PID:3912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:3732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:3880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:1404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    - Clears Windows event logs
    PID:5028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:2344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:2340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:3504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:2300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    PID:3180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:4168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:1320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:4456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:2552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:3364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:3168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    - Clears Windows event logs
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:1164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:2376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    - Clears Windows event logs
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:1060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:4672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:1912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:1016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:3296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    - Clears Windows event logs
    PID:1844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:3268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:3280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:1724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:2140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:4288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    PID:2012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    - Clears Windows event logs
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:3196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:2332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:5100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    - Clears Windows event logs
    PID:4628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:4172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:3448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:3828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:4400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:3020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:2764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    - Clears Windows event logs
    PID:4652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:1032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:3016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:3300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:2756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    - Clears Windows event logs
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:4088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:2252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:2484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:4460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:5076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:3360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:3912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:3732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    - Clears Windows event logs
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:3880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:1404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    PID:3068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:3184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    - Clears Windows event logs
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:3504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:2300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
    3⤵
    PID:420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:4324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Autopilot"
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:1884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    PID:4464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    PID:3916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:2548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
    3⤵
    PID:4636
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:1744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    - Clears Windows event logs
    PID:3152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    PID:4380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:3372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:1548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:1896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:2096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    PID:460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:3356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:2148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    - Clears Windows event logs
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:1052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:3376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:4948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    - Clears Windows event logs
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:3280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:1724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:2140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:4288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:2012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:3196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:4864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:4044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:2984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:2236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:3756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:3788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
    3⤵
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
    3⤵
    PID:5004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
    3⤵
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:2764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:4652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:1032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:3568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
    3⤵
    PID:240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
    3⤵
    PID:3260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:4968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:1900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
    3⤵
    PID:2272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    - Clears Windows event logs
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
    3⤵
    PID:4460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
    3⤵
    PID:5076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
    3⤵
    PID:464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
    3⤵
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
    3⤵
    PID:660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
    3⤵
    PID:3868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
    3⤵
    PID:3068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
    3⤵
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:3984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:4884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
    3⤵
    PID:5028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
    3⤵
    PID:688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
    3⤵
    PID:800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
    3⤵
    PID:3976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:2516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
    3⤵
    PID:2908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
    3⤵
    PID:3380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorClass/Operational"
    3⤵
    - Clears Windows event logs
    PID:3340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
    3⤵
    PID:2036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:3444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    - Clears Windows event logs
    PID:2288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:2660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:3168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:4660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:3036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
    3⤵
    PID:3900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
    3⤵
    PID:2376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
    3⤵
    PID:4092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
    3⤵
    PID:4672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
    3⤵
    PID:1912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
    3⤵
    PID:1016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
    3⤵
    PID:3296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
    3⤵
    PID:1844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
    3⤵
    PID:3268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
    3⤵
    PID:3408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
    3⤵
    PID:4616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
    3⤵
    PID:3760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
    3⤵
    PID:8
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:4268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:3028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:4288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
    3⤵
    PID:4664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
    3⤵
    PID:3572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:2828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:3324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    - Clears Windows event logs
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:1200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
    3⤵
    PID:2988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:2984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:2236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
    3⤵
    PID:3756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
    3⤵
    PID:3788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
    3⤵
    PID:2664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
    3⤵
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
    3⤵
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
    3⤵
    PID:2764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
    3⤵
    PID:4652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-KMCL-Child/Analytic"
    3⤵
    PID:1032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
    3⤵
    PID:3604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
    3⤵
    PID:1464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
    3⤵
    PID:128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
    3⤵
    PID:3312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
    3⤵
    PID:4968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
    3⤵
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
    3⤵
    PID:2272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
    3⤵
    PID:908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
    3⤵
    PID:3080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
    3⤵
    PID:464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
    3⤵
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
    3⤵
    PID:3784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:2780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
    3⤵
    PID:3868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
    3⤵
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
    3⤵
    PID:3068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
    3⤵
    - Clears Windows event logs
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
    3⤵
    PID:492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    - Clears Windows event logs
    PID:1668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:3812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:5028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
    3⤵
    PID:688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
    3⤵
    PID:800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:3976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
    3⤵
    - Clears Windows event logs
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
    3⤵
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
    3⤵
    PID:4648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
    3⤵
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
    3⤵
    PID:2288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-CPU-Starvation/Operational"
    3⤵
    PID:2660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Cache/Operational"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:3168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Dump/Operational"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:4012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:2600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:2680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:2376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:3440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PRM/Operational"
    3⤵
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
    3⤵
    PID:3176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
    3⤵
    - Clears Windows event logs
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
    3⤵
    PID:1844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Management"
    3⤵
    - Clears Windows event logs
    PID:2620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
    3⤵
    PID:3432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
    3⤵
    PID:3932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:2052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:4268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:3028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:4288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:3120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    PID:4676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:4844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    PID:3524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:1200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:2988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:3712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:4172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    PID:3448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
    3⤵
    PID:3500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
    3⤵
    PID:2664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:1368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
    3⤵
    PID:3000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:3328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:3908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:4304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:3300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    PID:3292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:2256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:1608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:2960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:1900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:2816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:4928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:1412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    PID:3100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    - Clears Windows event logs
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    PID:4492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:2896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:1104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
    3⤵
    PID:3200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    PID:2340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
    3⤵
    PID:3068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    - Clears Windows event logs
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
    3⤵
    PID:492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
    3⤵
    PID:1668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
    3⤵
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Diagnostics"
    3⤵
    PID:3812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
    3⤵
    PID:5028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MosHost/Operational"
    3⤵
    PID:688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MosHost/Performance"
    3⤵
    PID:800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
    3⤵
    PID:3976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    - Clears Windows event logs
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:4648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:3364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:3180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:2660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
    3⤵
    PID:4012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
    3⤵
    PID:2600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:2612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
    3⤵
    PID:844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
    3⤵
    PID:796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-ExecutionContext/Operational"
    3⤵
    PID:1060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
    3⤵
    PID:2096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
    3⤵
    PID:3356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:2148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:1016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:3296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
    3⤵
    PID:1064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
    3⤵
    PID:1160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
    3⤵
    - System Time Discovery
    PID:696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:4616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:1724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
    3⤵
    PID:2140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
    3⤵
    PID:2444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
    3⤵
    PID:4296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
    3⤵
    - Clears Windows event logs
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    - Clears Windows event logs
    PID:3376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
    3⤵
    PID:3196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
    3⤵
    PID:2828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
    3⤵
    PID:3324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:4864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:1524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
    3⤵
    PID:4916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:3412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
    3⤵
    PID:3540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:4400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
    3⤵
    PID:3536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:2332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
    3⤵
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:3104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
    3⤵
    PID:3856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
    3⤵
    PID:3000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
    3⤵
    PID:3328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
    3⤵
    PID:4304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
    3⤵
    PID:3300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
    3⤵
    PID:3292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
    3⤵
    PID:1308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
    3⤵
    PID:2252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
    3⤵
    PID:2032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
    3⤵
    PID:2484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
    3⤵
    PID:4964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:3172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
    3⤵
    PID:5076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:2812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:2672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
    3⤵
    PID:488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
    3⤵
    PID:468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
    3⤵
    PID:3732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
    3⤵
    PID:3880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:1404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:2344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
    3⤵
    PID:2748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
    3⤵
    PID:4944
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:4112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:2544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
    3⤵
    PID:876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:2784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
    3⤵
    - Clears Windows event logs
    PID:1840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
    3⤵
    PID:1932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
    3⤵
    PID:2264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
    3⤵
    PID:4168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
    3⤵
    PID:420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
    3⤵
    PID:4324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
    3⤵
    PID:560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
    3⤵
    PID:3444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
    3⤵
    PID:3772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
    3⤵
    PID:4132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:3580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:4660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
    3⤵
    PID:3036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
    3⤵
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
    3⤵
    PID:844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
    3⤵
    PID:4404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
    3⤵
    PID:1896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
    3⤵
    - Clears Windows event logs
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:4672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:3176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
    3⤵
    PID:1052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
    3⤵
    - Clears Windows event logs
    PID:3764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:4948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:1844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:2620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:3408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
    3⤵
    PID:3480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:3760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
    3⤵
    PID:8
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
    3⤵
    PID:964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
    3⤵
    PID:4908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
    3⤵
    PID:3452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:3376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
    3⤵
    PID:3196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
    3⤵
    PID:1492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
    3⤵
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
    3⤵
    PID:3304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
    3⤵
    PID:4344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
    3⤵
    - Clears Windows event logs
    PID:1524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
    3⤵
    PID:4916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
    3⤵
    PID:5112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
    3⤵
    PID:3020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
    3⤵
    PID:3564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
    3⤵
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
    3⤵
    PID:4680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
    3⤵
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
    3⤵
    PID:3064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
    3⤵
    PID:5004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
    3⤵
    PID:2764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
    3⤵
    - Clears Windows event logs
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
    3⤵
    PID:3016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
    3⤵
    PID:3908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
    3⤵
    PID:2756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
    3⤵
    PID:2708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
    3⤵
    PID:3292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
    3⤵
    PID:4308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
    3⤵
    PID:4652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
    3⤵
    PID:2960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:3080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
    3⤵
    PID:464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
    3⤵
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
    3⤵
    PID:468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
    3⤵
    PID:660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
    3⤵
    PID:2820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
    3⤵
    PID:2292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
    3⤵
    PID:2300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
    3⤵
    PID:880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
    3⤵
    PID:3724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
    3⤵
    PID:1036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
    3⤵
    PID:2516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
    3⤵
    PID:3976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:3380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
    3⤵
    PID:3340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
    3⤵
    PID:2036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
    3⤵
    PID:3860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:3364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:3180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:3168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:4012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:2600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:2612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
    3⤵
    PID:3372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:4092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
    3⤵
    PID:3440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
    3⤵
    PID:1912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
    3⤵
    PID:4720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
    3⤵
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:2412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
    3⤵
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
    3⤵
    PID:3388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:3280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
    3⤵
    PID:4768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
    3⤵
    PID:3932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:3780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:4840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
    3⤵
    PID:2444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
    3⤵
    PID:4296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
    3⤵
    PID:3452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
    3⤵
    PID:3376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
    3⤵
    PID:4844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
    3⤵
    PID:2828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
    3⤵
    PID:3196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
    3⤵
    PID:1492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
    3⤵
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
    3⤵
    PID:3304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:2988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:3472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:3712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
    3⤵
    PID:1556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
    3⤵
    PID:3828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
    3⤵
    PID:3756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
    3⤵
    PID:3500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
    3⤵
    PID:2220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
    3⤵
    PID:4200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:4436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
    3⤵
    PID:1240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
    3⤵
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
    3⤵
    PID:400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
    3⤵
    PID:1040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
    3⤵
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
    3⤵
    PID:3568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
    3⤵
    - Clears Windows event logs
    PID:1464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
    3⤵
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
    3⤵
    PID:1608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
    3⤵
    - Clears Windows event logs
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
    3⤵
    PID:336
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
    3⤵
    PID:4532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-NvmeDisk/Analytic"
    3⤵
    PID:2272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-NvmeDisk/Diagnose"
    3⤵
    PID:1180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-NvmeDisk/Operational"
    3⤵
    PID:4964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
    3⤵
    PID:332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
    3⤵
    PID:3172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
    3⤵
    - Clears Windows event logs
    PID:5076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
    3⤵
    PID:2812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
    3⤵
    PID:2672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
    3⤵
    PID:2228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
    3⤵
    PID:388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageManagement-PartUtil/Operational"
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
    3⤵
    - Clears Windows event logs
    PID:3732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
    3⤵
    PID:660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Api/Operational"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
    3⤵
    PID:2820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
    3⤵
    PID:2292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Parser/Diagnostic"
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Parser/Operational"
    3⤵
    PID:1604
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4748
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:844

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
69416944dac24129d0969e2ac46f0533

SHA1
d71969659956b32411e0606a9bee640a0b108ef4

SHA256
dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca

SHA512
aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c8e142ee24a77ad7f21f6a741d48c8da

SHA1
2f174ae49dd03c3b2acd2f9cb2f4e1913908e749

SHA256
e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961

SHA512
ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799

Download Submit
C:\Users\Admin\AppData\Local\Temp\Log.tmp

Filesize
52B

MD5
ec6c5317f58539fd7861aa8ff8a1563a

SHA1
8e47b1fa06aadbad27995ea919a8740f1b4377c9

SHA256
77f319ea59cfe0c00a606f724c96ee5129a702206e16c5b66bc45e5397746547

SHA512
1b2b7252fbf20ee8324453fb7923d59fb85f6f33a2114d0052af149f8890d3c5bad885bdad7bdc4e3317aee11c1664a0db7c8e2bf6d6b9b71489c5e2944a5381

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tldmnzwn.spt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\FPS_BY FILMGODX.bat

Filesize
6KB

MD5
73fa858851ab9f0cb193111d183a3ba5

SHA1
3b6b20d02ce3e39a45b94984d150009e6ea501cb

SHA256
c63a1b8c63acb2c4cab3617934a7a88a7b7dc19a2a1144b7f1b1207ff95f26bb

SHA512
a08237eff698b5fee0909d1fc71a317d64408fd6cce378a259f7d3ac52577a927b553a10182d5d6552868d21a41a961760f49a987bbbaeadabefeee659457ba4

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
77KB

MD5
a50564ade45c0a409bb38c06673d6ab9

SHA1
91fd3510c4ccdc50d0eb08249c945271171d5f9f

SHA256
120b13c9edbd9f2fff0ca2e31efb17cef3cac1ea1b4025e8bc7b512f74021a6e

SHA512
7fb99769609027e850c5d6d69912b5dfe82025f24947fa9bff8d88a966ffda315dee8c77086ef171cf75089b6b4d6cb98975b53cbba040c40af50248c4f65cd0

Download Submit
memory/3160-17-0x0000000000780000-0x000000000079A000-memory.dmp

Filesize
104KB

Download
memory/3160-19-0x00007FF87A490000-0x00007FF87AF52000-memory.dmp

Filesize
10.8MB

Download
memory/3160-63-0x00007FF87A490000-0x00007FF87AF52000-memory.dmp

Filesize
10.8MB

Download
memory/3160-64-0x000000001E080000-0x000000001E08C000-memory.dmp

Filesize
48KB

Download
memory/3712-0-0x00007FF87A493000-0x00007FF87A495000-memory.dmp

Filesize
8KB

Download
memory/3712-1-0x00000000000F0000-0x000000000010E000-memory.dmp

Filesize
120KB

Download
memory/4784-20-0x00000228DD7B0000-0x00000228DD7D2000-memory.dmp

Filesize
136KB

Download