b8c1f3abe165e1bab5616f0b739f1cb53c642c40ffc92f9f26aec1a73eaf0de2

Analysis

max time kernel
299s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

encoder.exe
Size

10KB
MD5

f1927e7f90416bf39fc7991bbc57e1b3
SHA1

2367249568ca4a34f8824a9313b03d16d1d7c0bc
SHA256

539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505
SHA512

a0ac1811c8944165ba1939e40fe965bba3f7473819cb6f5d1cd4b4e7c203685baec055a6c73359dd1b3ddc79cb05b42d8c7541c29ea466120233423c5a5fcc60
SSDEEP

192:yrj2/2OzcYKNEmkmTjtiIKZIF/2oQlLkMBBm4C:j/2OzcJNEmkmTjkI/92oQjBU7

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files\How To Restore Files.txt

Ransom Note

Important !!! Your personal id - WNaCh9gY+bQNrwDU Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Emails

[email protected]

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

encoder.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	encoder.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	encoder.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	encoder.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
2172	wevtutil.exe
1752
4340
4480
2340
4960
4012
1084
2512	wevtutil.exe
4376
3216
2148
4880
4188
2380
4928
4416
3840
4456
4292
1132
1792
3444
3268
2284
2600
1612
3640
4948
3816
4328
3160
2776
2044
3612
3276
3452
3620	wevtutil.exe
2784	wevtutil.exe
4504
4656
4036
2572
3692
3900
4888	wevtutil.exe
3420
5060
4016
4288
3592
3296
3016
4440
4452	wevtutil.exe
2920	wevtutil.exe
1348
3440	wevtutil.exe
4744
1764
4404
3980
4980
4644

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (9725) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

encoder.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlock = "\"c:\\How To Restore Files.txt\""	encoder.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\searchfiles = "C:\\windows\\searchfiles.exe"	encoder.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

encoder.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" encoder.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	encoder.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe

description	ioc	process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Power Settings 1 TTPs 7 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

wevtutil.exewevtutil.exe

pid process

2232 wevtutil.exe
1732
2284
3516
2552
4004
5016 wevtutil.exe

pid	process
2232	wevtutil.exe
1732
2284
3516
2552
4004
5016	wevtutil.exe

Drops file in Program Files directory 64 IoCs

Processes:

encoder.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0240695.WMF id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\liboggspots_plugin.dll id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Riga id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01295_.GIF id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7FR.DLL id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\vlc.mo id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\7-Zip\License.txt id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSPTLS.DLL id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\msdatasrc.dll id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\email_initiator.gif	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282928.WMF id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS53BOXS.POC id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\es-ES\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ja-JP\Chess.exe.mui id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\default.jfc id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAME.DLL id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\odffilt.dll id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_tr.dll id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OSETUPUI.DLL id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\gui\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD09662_.WMF id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\How To Restore Files.txt	encoder.exe
File created	C:\Program Files\Microsoft Games\Hearts\it-IT\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Caracas id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\How To Restore Files.txt	encoder.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviewers.gif id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0089992.WMF id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File created	C:\Program Files (x86)\Common Files\System\ado\en-US\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\APIFile_8.ico id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105710.WMF id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.dll id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199727.WMF id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\packetizer\How To Restore Files.txt	encoder.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.zh_CN_5.5.0.165303.jar id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04195_.WMF id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	encoder.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE id-WNaCh9gY+bQNrwDU.BDKR	encoder.exe

Drops file in Windows directory 5 IoCs

Processes:

encoder.exemsiexec.exe

description	ioc	process
File opened for modification	C:\windows\searchfiles.exe	encoder.exe
File created	C:\Windows\Installer\f76ef4e.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\f76ef4e.mst	msiexec.exe
File opened for modification	C:\windows\cllog.bat	encoder.exe
File created	C:\windows\searchfiles.exe	encoder.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2780 vssadmin.exe

pid	process
2780	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

encoder.exe

pid	process
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe

Suspicious behavior: RenamesItself 18 IoCs

Processes:

encoder.exe

pid	process
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe
1920	encoder.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

encoder.exemsiexec.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1920	encoder.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeTakeOwnershipPrivilege	2764	msiexec.exe
Token: SeSecurityPrivilege	2764	msiexec.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeTakeOwnershipPrivilege	2764	msiexec.exe
Token: SeSecurityPrivilege	3064	wevtutil.exe
Token: SeBackupPrivilege	3064	wevtutil.exe
Token: SeSecurityPrivilege	3156	wevtutil.exe
Token: SeBackupPrivilege	3156	wevtutil.exe
Token: SeSecurityPrivilege	4788	wevtutil.exe
Token: SeBackupPrivilege	4788	wevtutil.exe
Token: SeSecurityPrivilege	3748	wevtutil.exe
Token: SeBackupPrivilege	3748	wevtutil.exe
Token: SeSecurityPrivilege	1336	wevtutil.exe
Token: SeBackupPrivilege	1336	wevtutil.exe
Token: SeSecurityPrivilege	2572	wevtutil.exe
Token: SeBackupPrivilege	2572	wevtutil.exe
Token: SeSecurityPrivilege	480	wevtutil.exe
Token: SeBackupPrivilege	480	wevtutil.exe
Token: SeSecurityPrivilege	2260	wevtutil.exe
Token: SeBackupPrivilege	2260	wevtutil.exe
Token: SeSecurityPrivilege	4792	wevtutil.exe
Token: SeBackupPrivilege	4792	wevtutil.exe
Token: SeSecurityPrivilege	3744	wevtutil.exe
Token: SeBackupPrivilege	3744	wevtutil.exe
Token: SeSecurityPrivilege	4884	wevtutil.exe
Token: SeBackupPrivilege	4884	wevtutil.exe
Token: SeSecurityPrivilege	836	wevtutil.exe
Token: SeBackupPrivilege	836	wevtutil.exe
Token: SeSecurityPrivilege	3076	wevtutil.exe
Token: SeBackupPrivilege	3076	wevtutil.exe
Token: SeSecurityPrivilege	2960	wevtutil.exe
Token: SeBackupPrivilege	2960	wevtutil.exe
Token: SeSecurityPrivilege	876	wevtutil.exe
Token: SeBackupPrivilege	876	wevtutil.exe
Token: SeSecurityPrivilege	4420	wevtutil.exe
Token: SeBackupPrivilege	4420	wevtutil.exe
Token: SeSecurityPrivilege	2148	wevtutil.exe
Token: SeBackupPrivilege	2148	wevtutil.exe
Token: SeSecurityPrivilege	3104	wevtutil.exe
Token: SeBackupPrivilege	3104	wevtutil.exe
Token: SeSecurityPrivilege	1752	wevtutil.exe
Token: SeBackupPrivilege	1752	wevtutil.exe
Token: SeSecurityPrivilege	904	wevtutil.exe
Token: SeBackupPrivilege	904	wevtutil.exe
Token: SeSecurityPrivilege	4876	wevtutil.exe
Token: SeBackupPrivilege	4876	wevtutil.exe
Token: SeSecurityPrivilege	5036	wevtutil.exe
Token: SeBackupPrivilege	5036	wevtutil.exe
Token: SeSecurityPrivilege	2460	wevtutil.exe
Token: SeBackupPrivilege	2460	wevtutil.exe
Token: SeSecurityPrivilege	2548	wevtutil.exe
Token: SeBackupPrivilege	2548	wevtutil.exe
Token: SeSecurityPrivilege	3920	wevtutil.exe
Token: SeBackupPrivilege	3920	wevtutil.exe
Token: SeSecurityPrivilege	4092	wevtutil.exe
Token: SeBackupPrivilege	4092	wevtutil.exe
Token: SeSecurityPrivilege	4388	wevtutil.exe
Token: SeBackupPrivilege	4388	wevtutil.exe
Token: SeSecurityPrivilege	4380	wevtutil.exe
Token: SeBackupPrivilege	4380	wevtutil.exe
Token: SeSecurityPrivilege	3040	wevtutil.exe
Token: SeBackupPrivilege	3040	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

encoder.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1920 wrote to memory of 2480	1920	encoder.exe	cmd.exe
PID 1920 wrote to memory of 2480	1920	encoder.exe	cmd.exe
PID 1920 wrote to memory of 2480	1920	encoder.exe	cmd.exe
PID 1920 wrote to memory of 2480	1920	encoder.exe	cmd.exe
PID 2480 wrote to memory of 2780	2480	cmd.exe	vssadmin.exe
PID 2480 wrote to memory of 2780	2480	cmd.exe	vssadmin.exe
PID 2480 wrote to memory of 2780	2480	cmd.exe	vssadmin.exe
PID 2480 wrote to memory of 2780	2480	cmd.exe	vssadmin.exe
PID 1920 wrote to memory of 1708	1920	encoder.exe	NOTEPAD.EXE
PID 1920 wrote to memory of 1708	1920	encoder.exe	NOTEPAD.EXE
PID 1920 wrote to memory of 1708	1920	encoder.exe	NOTEPAD.EXE
PID 1920 wrote to memory of 1708	1920	encoder.exe	NOTEPAD.EXE
PID 1920 wrote to memory of 4352	1920	encoder.exe	cmd.exe
PID 1920 wrote to memory of 4352	1920	encoder.exe	cmd.exe
PID 1920 wrote to memory of 4352	1920	encoder.exe	cmd.exe
PID 1920 wrote to memory of 4352	1920	encoder.exe	cmd.exe
PID 4352 wrote to memory of 2832	4352	cmd.exe	cmd.exe
PID 4352 wrote to memory of 2832	4352	cmd.exe	cmd.exe
PID 4352 wrote to memory of 2832	4352	cmd.exe	cmd.exe
PID 4352 wrote to memory of 2832	4352	cmd.exe	cmd.exe
PID 2832 wrote to memory of 3064	2832	cmd.exe	wevtutil.exe
PID 2832 wrote to memory of 3064	2832	cmd.exe	wevtutil.exe
PID 2832 wrote to memory of 3064	2832	cmd.exe	wevtutil.exe
PID 2832 wrote to memory of 3064	2832	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3156	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3156	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3156	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3156	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 4788	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 4788	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 4788	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 4788	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3748	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3748	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3748	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3748	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 1336	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 1336	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 1336	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 1336	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 2572	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 2572	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 2572	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 2572	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 480	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 480	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 480	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 480	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 2260	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 2260	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 2260	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 2260	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3652	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3652	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3652	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3652	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 4792	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 4792	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 4792	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 4792	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3744	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3744	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3744	4352	cmd.exe	wevtutil.exe
PID 4352 wrote to memory of 3744	4352	cmd.exe	wevtutil.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

encoder.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	encoder.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	encoder.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	encoder.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\encoder.exe
"C:\Users\Admin\AppData\Local\Temp\encoder.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all
    3⤵
    - Interacts with shadow copies
    PID:2780
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\How To Restore Files.txt
  2⤵
  PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\cllog.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    - Clears Windows event logs
    PID:4452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:4540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:4160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:4244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:3504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:4960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:4780
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:3300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:3900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:3192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:5016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:3600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:2312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:2252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:2172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:1200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:3252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:4264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OAlerts"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Security"
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Setup"
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "System"
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSetup"
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSyncEngine"
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Windows PowerShell"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "muxencode"
    3⤵
    PID:4028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\cllog.bat" "
  2⤵
  PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:4600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe el
      4⤵
      PID:3164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:3768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:2204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:3536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:3644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:3692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:4772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:3372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:4136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    - Clears Windows event logs
    PID:2784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    - Clears Windows event logs
    PID:3440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:4152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:3620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:4232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    - Clears Windows event logs
    - System Location Discovery: System Language Discovery
    PID:2920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:2232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:4224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:3936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:4276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:4216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:3584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:4892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:3840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:4432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:5100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:3268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:4996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    - Clears Windows event logs
    PID:3620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:4864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OAlerts"
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Security"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Setup"
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "System"
    3⤵
    PID:1336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSetup"
    3⤵
    PID:680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSyncEngine"
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Windows PowerShell"
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "muxencode"
    3⤵
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\cllog.bat" "
  2⤵
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2672
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe el
      4⤵
      PID:3660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    - Clears Windows event logs
    PID:2512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:5108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:4204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini

Filesize
1KB

MD5
0981226dbf199d9691a83664fe4f8864

SHA1
d9a031c5b00d173418a77b7ad838adffdc682b50

SHA256
408759cd56efc21a823f42e13d2e6b3a70d05bf8948f7376c742d3984227eae9

SHA512
5d97ef4a17f06ec56c1c2157834fee5c1cb765eb397432537b176693d5becae2ba799f1caf22be14b38f7892d83ca799f7687c2494dbe56fd4b1465d69397925

Download Submit
C:\Program Files\How To Restore Files.txt

Filesize
493B

MD5
645cfcd0d0b7a53490056b8331b13821

SHA1
6680a3f0e287bdb799af71c19db7be21a121ccab

SHA256
509337ac566b5fce70475ed18ffeffc8734ef70ff269855b95bbbcb6ea9e41d5

SHA512
b3d287587e7295ccb4d2a7cc2f0c9324052982a4ba7029078b88ed8e2b29baf332f28b4cee084a9a115791a03e4dc65dab1b8e40f4507248951564116de5ae71

Download Submit
C:\Windows\cllog.bat

Filesize
166B

MD5
c3322041ca54a67a1f3108f5c558ada5

SHA1
4a15fd1570ca2adf8c478f8a6baed5444d6c7d9d

SHA256
0c632d77298ee5c0dfd96ead16883ffb16c4efc36b2ba5bd5a72d1e7c6cefb5f

SHA512
614d1be590b15314c8e076215b5c0307f969ffbae56933cd1fb738b8517e6e4986c99d6a247b3373cabce5314468b5ae36c2d80c2991a1d03a90ea2b3a0efce6

Download Submit