280268db673f66dc31e54d86de101cf8b5d52c583a9282d9c7ccb4475612a8e0

Analysis

max time kernel
600s
max time network
361s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
Size

10KB
MD5

f1927e7f90416bf39fc7991bbc57e1b3
SHA1

2367249568ca4a34f8824a9313b03d16d1d7c0bc
SHA256

539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505
SHA512

a0ac1811c8944165ba1939e40fe965bba3f7473819cb6f5d1cd4b4e7c203685baec055a6c73359dd1b3ddc79cb05b42d8c7541c29ea466120233423c5a5fcc60
SSDEEP

192:yrj2/2OzcYKNEmkmTjtiIKZIF/2oQlLkMBBm4C:j/2OzcJNEmkmTjkI/92oQjBU7

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\Program Files\How To Restore Files.txt

Ransom Note

Important !!! Your personal id - 8xBJeQ4417S7D8p3 Warning: all your files are infected with an unknown virus. To decrypt your files, you need to contact at [email protected]. The decoder card is received by bitcoin. You can buy bitcoins from the following links://blockchain.info/wallet Do not try to restore files your self, this will lead to the loss of files forever GUARANTEES!!! You can send us 2-3 encoded files. And attach for testing, we will return them to you for FREE

Emails

[email protected]

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
4656	wevtutil.exe
5308	wevtutil.exe
2552	wevtutil.exe
2812	Process not Found
4780	Process not Found
3880	Process not Found
4664	Process not Found
5544	wevtutil.exe
2864	wevtutil.exe
5884	wevtutil.exe
4396	Process not Found
5816	Process not Found
3920	Process not Found
3744	wevtutil.exe
4332	Process not Found
2700	Process not Found
3952	Process not Found
4336	Process not Found
4048	Process not Found
5368	Process not Found
5808	wevtutil.exe
1480	Process not Found
6040	Process not Found
5884	Process not Found
5660	wevtutil.exe
6132	wevtutil.exe
2884	wevtutil.exe
4564	wevtutil.exe
3888	Process not Found
308	Process not Found
1632	Process not Found
5248	Process not Found
3316	Process not Found
6088	Process not Found
2284	Process not Found
1936	wevtutil.exe
1664	Process not Found
3520	Process not Found
4756	Process not Found
3984	Process not Found
5716	wevtutil.exe
4004	Process not Found
3080	Process not Found
2508	Process not Found
3860	Process not Found
5692	Process not Found
5356	Process not Found
2852	Process not Found
3248	Process not Found
5428	wevtutil.exe
1272	wevtutil.exe
5528	Process not Found
5744	Process not Found
5136	Process not Found
4320	Process not Found
4784	Process not Found
4920	Process not Found
2280	Process not Found
4388	Process not Found
2592	Process not Found
4068	Process not Found
5072	Process not Found
4784	Process not Found
2836	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (9739) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unlock = "\"c:\\How To Restore Files.txt\""	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\searchfiles = "C:\\windows\\searchfiles.exe"	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2376	wevtutil.exe
5728	Process not Found
6104	Process not Found
5536	Process not Found
5192	Process not Found
3356	wevtutil.exe
2920	Process not Found
4732	Process not Found
5964	Process not Found
3772	Process not Found

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099204.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02287_.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00438_.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199279.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FOLDPROJ.DPV id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748G.GIF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0149627.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\usa.fca	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.dll	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_ja.jar id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-options_ja.jar id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02443_.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME53.CSS id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\How To Restore Files.txt	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\How To Restore Files.txt	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\How To Restore Files.txt	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_ON.GIF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00442_.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\deployJava1.dll id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\MDIParent.zip id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Denver id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00042_.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV.HXS id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WHIRL2.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309920.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00014_.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\How To Restore Files.txt	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\How To Restore Files.txt	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10263_.GIF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\CAN.WAV id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_issue.gif id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Melbourne id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_OFF.GIF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00527_.WMF id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\Mahjong.exe.mui id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\How To Restore Files.txt	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\vlc.mo id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OriginFax.Dotx id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Groove.en-us\How To Restore Files.txt	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SlateBlue.css id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNoteUI.dll id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\How To Restore Files.txt	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\How To Restore Files.txt	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\VIEW.JS id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUB6INTL.DLL.IDX_DLL id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS id-8xBJeQ4417S7D8p3.BDKR	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\windows\searchfiles.exe	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File opened for modification	C:\windows\cllog.bat	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
File created	C:\windows\searchfiles.exe	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2108	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe

Suspicious behavior: RenamesItself 36 IoCs

pid	Process
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
Token: SeSecurityPrivilege	2872	wevtutil.exe
Token: SeBackupPrivilege	2872	wevtutil.exe
Token: SeSecurityPrivilege	3728	wevtutil.exe
Token: SeBackupPrivilege	3728	wevtutil.exe
Token: SeSecurityPrivilege	2836	wevtutil.exe
Token: SeBackupPrivilege	2836	wevtutil.exe
Token: SeSecurityPrivilege	5940	wevtutil.exe
Token: SeBackupPrivilege	5940	wevtutil.exe
Token: SeSecurityPrivilege	5764	wevtutil.exe
Token: SeBackupPrivilege	5764	wevtutil.exe
Token: SeSecurityPrivilege	2096	wevtutil.exe
Token: SeBackupPrivilege	2096	wevtutil.exe
Token: SeSecurityPrivilege	5528	wevtutil.exe
Token: SeBackupPrivilege	5528	wevtutil.exe
Token: SeSecurityPrivilege	5556	wevtutil.exe
Token: SeBackupPrivilege	5556	wevtutil.exe
Token: SeSecurityPrivilege	5292	wevtutil.exe
Token: SeBackupPrivilege	5292	wevtutil.exe
Token: SeSecurityPrivilege	5212	wevtutil.exe
Token: SeBackupPrivilege	5212	wevtutil.exe
Token: SeSecurityPrivilege	3792	wevtutil.exe
Token: SeBackupPrivilege	3792	wevtutil.exe
Token: SeSecurityPrivilege	3864	wevtutil.exe
Token: SeBackupPrivilege	3864	wevtutil.exe
Token: SeSecurityPrivilege	2668	wevtutil.exe
Token: SeBackupPrivilege	2668	wevtutil.exe
Token: SeSecurityPrivilege	884	wevtutil.exe
Token: SeBackupPrivilege	884	wevtutil.exe
Token: SeSecurityPrivilege	5652	wevtutil.exe
Token: SeBackupPrivilege	5652	wevtutil.exe
Token: SeSecurityPrivilege	1980	wevtutil.exe
Token: SeBackupPrivilege	1980	wevtutil.exe
Token: SeSecurityPrivilege	5696	wevtutil.exe
Token: SeBackupPrivilege	5696	wevtutil.exe
Token: SeSecurityPrivilege	6088	wevtutil.exe
Token: SeBackupPrivilege	6088	wevtutil.exe
Token: SeSecurityPrivilege	5920	wevtutil.exe
Token: SeBackupPrivilege	5920	wevtutil.exe
Token: SeSecurityPrivilege	3168	wevtutil.exe
Token: SeBackupPrivilege	3168	wevtutil.exe
Token: SeSecurityPrivilege	5868	wevtutil.exe
Token: SeBackupPrivilege	5868	wevtutil.exe
Token: SeSecurityPrivilege	5648	wevtutil.exe
Token: SeBackupPrivilege	5648	wevtutil.exe
Token: SeSecurityPrivilege	5636	wevtutil.exe
Token: SeBackupPrivilege	5636	wevtutil.exe
Token: SeSecurityPrivilege	5396	wevtutil.exe
Token: SeBackupPrivilege	5396	wevtutil.exe
Token: SeSecurityPrivilege	5704	wevtutil.exe
Token: SeBackupPrivilege	5704	wevtutil.exe
Token: SeSecurityPrivilege	4340	wevtutil.exe
Token: SeBackupPrivilege	4340	wevtutil.exe
Token: SeSecurityPrivilege	2804	wevtutil.exe
Token: SeBackupPrivilege	2804	wevtutil.exe
Token: SeSecurityPrivilege	5280	wevtutil.exe
Token: SeBackupPrivilege	5280	wevtutil.exe
Token: SeSecurityPrivilege	5208	wevtutil.exe
Token: SeBackupPrivilege	5208	wevtutil.exe
Token: SeSecurityPrivilege	1568	wevtutil.exe
Token: SeBackupPrivilege	1568	wevtutil.exe
Token: SeSecurityPrivilege	5708	wevtutil.exe
Token: SeBackupPrivilege	5708	wevtutil.exe
Token: SeSecurityPrivilege	5776	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 2128	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	31
PID 264 wrote to memory of 2128	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	31
PID 264 wrote to memory of 2128	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	31
PID 264 wrote to memory of 2128	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	31
PID 2128 wrote to memory of 2108	2128	cmd.exe	33
PID 2128 wrote to memory of 2108	2128	cmd.exe	33
PID 2128 wrote to memory of 2108	2128	cmd.exe	33
PID 2128 wrote to memory of 2108	2128	cmd.exe	33
PID 264 wrote to memory of 1640	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	36
PID 264 wrote to memory of 1640	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	36
PID 264 wrote to memory of 1640	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	36
PID 264 wrote to memory of 1640	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	36
PID 264 wrote to memory of 288	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	37
PID 264 wrote to memory of 288	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	37
PID 264 wrote to memory of 288	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	37
PID 264 wrote to memory of 288	264	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe	37
PID 288 wrote to memory of 2076	288	cmd.exe	39
PID 288 wrote to memory of 2076	288	cmd.exe	39
PID 288 wrote to memory of 2076	288	cmd.exe	39
PID 288 wrote to memory of 2076	288	cmd.exe	39
PID 2076 wrote to memory of 2872	2076	cmd.exe	40
PID 2076 wrote to memory of 2872	2076	cmd.exe	40
PID 2076 wrote to memory of 2872	2076	cmd.exe	40
PID 2076 wrote to memory of 2872	2076	cmd.exe	40
PID 288 wrote to memory of 3728	288	cmd.exe	41
PID 288 wrote to memory of 3728	288	cmd.exe	41
PID 288 wrote to memory of 3728	288	cmd.exe	41
PID 288 wrote to memory of 3728	288	cmd.exe	41
PID 288 wrote to memory of 2836	288	cmd.exe	42
PID 288 wrote to memory of 2836	288	cmd.exe	42
PID 288 wrote to memory of 2836	288	cmd.exe	42
PID 288 wrote to memory of 2836	288	cmd.exe	42
PID 288 wrote to memory of 5940	288	cmd.exe	43
PID 288 wrote to memory of 5940	288	cmd.exe	43
PID 288 wrote to memory of 5940	288	cmd.exe	43
PID 288 wrote to memory of 5940	288	cmd.exe	43
PID 288 wrote to memory of 5764	288	cmd.exe	44
PID 288 wrote to memory of 5764	288	cmd.exe	44
PID 288 wrote to memory of 5764	288	cmd.exe	44
PID 288 wrote to memory of 5764	288	cmd.exe	44
PID 288 wrote to memory of 2096	288	cmd.exe	45
PID 288 wrote to memory of 2096	288	cmd.exe	45
PID 288 wrote to memory of 2096	288	cmd.exe	45
PID 288 wrote to memory of 2096	288	cmd.exe	45
PID 288 wrote to memory of 5528	288	cmd.exe	46
PID 288 wrote to memory of 5528	288	cmd.exe	46
PID 288 wrote to memory of 5528	288	cmd.exe	46
PID 288 wrote to memory of 5528	288	cmd.exe	46
PID 288 wrote to memory of 5556	288	cmd.exe	47
PID 288 wrote to memory of 5556	288	cmd.exe	47
PID 288 wrote to memory of 5556	288	cmd.exe	47
PID 288 wrote to memory of 5556	288	cmd.exe	47
PID 288 wrote to memory of 5292	288	cmd.exe	48
PID 288 wrote to memory of 5292	288	cmd.exe	48
PID 288 wrote to memory of 5292	288	cmd.exe	48
PID 288 wrote to memory of 5292	288	cmd.exe	48
PID 288 wrote to memory of 5212	288	cmd.exe	49
PID 288 wrote to memory of 5212	288	cmd.exe	49
PID 288 wrote to memory of 5212	288	cmd.exe	49
PID 288 wrote to memory of 5212	288	cmd.exe	49
PID 288 wrote to memory of 3792	288	cmd.exe	50
PID 288 wrote to memory of 3792	288	cmd.exe	50
PID 288 wrote to memory of 3792	288	cmd.exe	50
PID 288 wrote to memory of 3792	288	cmd.exe	50

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe

C:\Users\Admin\AppData\Local\Temp\539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe
"C:\Users\Admin\AppData\Local\Temp\539b0b5d54757e8a2b754ecdc2939eb7cf9db0ed1728e0eca407500222668505.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows /all
    3⤵
    - Interacts with shadow copies
    PID:2108
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\How To Restore Files.txt
  2⤵
  PID:1640
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\cllog.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:6012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:1968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:6008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:5820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:6056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:5988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:6136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:5576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:5804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:5952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:5160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:5176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:5156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:5332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:5336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:5028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    - Clears Windows event logs
    PID:5808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:6128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:5540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    - Clears Windows event logs
    PID:5660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:4380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:5772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:5904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    - Clears Windows event logs
    PID:3744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:4972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:3548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:5348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:6016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:4784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:3828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:3956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:5000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:3948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:5968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:4404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:5892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:2856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:5896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:3748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:3928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:4452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:4108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:3420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:5388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:2224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:2376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:4712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:5464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:3492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:3484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:3716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:3292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:4916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:1144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:4148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:3564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:6080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:4212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:5520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:4704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:5220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:5268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:5592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:3428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:4156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:5720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:5292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:5212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:5912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:5916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:5656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:5672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:5364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:5760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:2652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:6024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:4360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:5860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:6048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:3152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:5972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:5584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:5832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:6000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    - Clears Windows event logs
    PID:6132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:5340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:5376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:5744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:6112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:5544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:6036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:3104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
    3⤵
    PID:5888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    3⤵
    PID:5732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:3464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:6120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:3320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OAlerts"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Security"
    3⤵
    PID:3444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Setup"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "System"
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSetup"
    3⤵
    PID:5692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSyncEngine"
    3⤵
    PID:3624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Windows PowerShell"
    3⤵
    PID:5304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "muxencode"
    3⤵
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\cllog.bat" "
  2⤵
  PID:5008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:4636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe el
      4⤵
      PID:4732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    PID:3920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    PID:5508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    PID:3512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:4828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:1660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:3808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:5308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:3324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:3516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:6076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:3812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    - Clears Windows event logs
    PID:1272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:2552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:5408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:4800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:5676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:5640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:5920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:5624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:5396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:5628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:4860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:3784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:5296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:3200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:5828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:2376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:6052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:5128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:5860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:5796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:4408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:3260
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:4936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:5816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:5936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:5992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:5172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:4188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:5792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:4200
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:3124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:3184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    - Clears Windows event logs
    PID:5544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:3820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:5608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:5244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:4352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    - Clears Windows event logs
    PID:4656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:2608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:4172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:5420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:3932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:3408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:5048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:3888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:3340
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:5192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:5148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:5284
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:4044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:3672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:5112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:1584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:3140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:5424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:5940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:5556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:5372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:5696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:5868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:5704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:5240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    - Clears Windows event logs
    PID:2864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:5980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    - Clears Windows event logs
    PID:5884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:5836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:5280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:5856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:4032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:5956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:4240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:6044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:3236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:4456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:4184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:4000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:6100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:3356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:5448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:4500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:3256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:5924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    - Clears Windows event logs
    PID:2884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:4336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:3316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:4728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:1936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:6096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:2824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:5196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:6108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:3752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:3580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:5388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:2380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:5564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:3588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:4740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:3416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:5480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:4748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:4296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:5084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:5468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:3344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:4084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:4732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:3360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:5256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:4428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:1916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:5444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:4176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:3904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:5316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:5204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:4312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    - Clears Windows event logs
    PID:2552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:4844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:3472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:5484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:3244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
    3⤵
    - Clears Windows event logs
    PID:4564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:5528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:3612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:1540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:5516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    3⤵
    PID:108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    3⤵
    PID:884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    3⤵
    PID:1980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:5880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:4624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:5636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    PID:344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:3776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:5208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:1568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:5768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:4840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:1516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:3448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:5752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ntshrui"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:5728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OAlerts"
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Security"
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Setup"
    3⤵
    PID:4676
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "System"
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:3704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:4056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSetup"
    3⤵
    PID:6092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSyncEngine"
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Windows PowerShell"
    3⤵
    PID:5460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:5588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "muxencode"
    3⤵
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\cllog.bat" "
  2⤵
  PID:5804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:3308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe el
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    PID:804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    PID:5884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    PID:4548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:5488
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:5764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:5012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:5168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:5632
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:5652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:5932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:5356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3290804112-2823094203-3137964600-1000\desktop.ini

Filesize
1KB

MD5
23c5e48c29ba6f1828faa074c6a30b52

SHA1
55770a24eb7a9c652c172c492aae94bd609ae14f

SHA256
319f373ce46e426bcbdd3e531f670020889732f95cae121b8136ef43a78587f0

SHA512
859a1e7e0a2a653fc5de1f578a8ac3ca259f02180b8ca11747b1dd30a2f72fdc92c6d28ab9866f6e18008aab9af4f668c903cae586af679c1dc688f7c9fad294

Download Submit
C:\Program Files\How To Restore Files.txt

Filesize
493B

MD5
04aabbbb5207b93b2aaa47ca34214ce8

SHA1
f8d4ae54bb55b6ff476b53ecaec2ebaad58030bf

SHA256
bd4fd7ff32f69dff7cfb7b9c00fdfbb53fddeb77406fa0637d250beb21677683

SHA512
3043eb2a521947b12671d06585e706cca419f9ed7b44b8083e4ad769c5829effca134ee39f66b112fa1161e48f61daad01dc40c231160ec3ef9f498bfda7115d

Download Submit
C:\ProgramData\Microsoft Help\Hx.hxn id-8xBJeQ4417S7D8p3.BDKR

Filesize
1KB

MD5
a61b273e80e95e8f172f3d702be80260

SHA1
c15389558a059eed18cb75452fefa8f34a764feb

SHA256
92133af294b3813a4269bf912bc6544bec58dde180e74ed3803ff1984eef035d

SHA512
0c72a8f4f399440441a868cafc26a827aa837471abe995a880471e17e46d230ec4fdf320b3e330816aa38b747021b2c7ea67e22015036de3a703422c3f6da3e9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W id-8xBJeQ4417S7D8p3.BDKR

Filesize
232KB

MD5
b21d76433209b942648517a674e8662b

SHA1
3174493f93dd2e98173f604e8ba4f37222157547

SHA256
aa36d1192b0e94db0534d634e0eed24f0f3182dda150c7ef7c538bf18a441269

SHA512
0de2a45e2aee376c8c680af52a2d693550ea73d0a69c2fb9af17cb0c4f05d21192fbb5c009324eafbc37765e924388d52eb819590762ab0a3b6ecae2e2617ac9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H id-8xBJeQ4417S7D8p3.BDKR

Filesize
355KB

MD5
f3e55b2b14107ac4d7eb8a218612d90a

SHA1
5a11516df99df4898a68d4672c7b7b18b72975a6

SHA256
c3487e36edcf059fbeb9710f2111190c009c06027de9ce101a23f88960e329ca

SHA512
f0455c3d8dee69918ca4f62a73f89daf4603f8e310c10e25f36204cc2caf787248f1e8be4bd346d296a58d954f4f6f640ce3daa57de008a5348c3a25e26522e5

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm id-8xBJeQ4417S7D8p3.BDKR

Filesize
2KB

MD5
8624b2af1a20cebf29b2de7df7ce5cfd

SHA1
43020016a6ec991b80cbc1a163b06e08907f2d8c

SHA256
d360b0feee9687b15a4752cb2b3f15a41ffc8af338e1afd73c4e73aa539ae742

SHA512
9cc5e5d1c4e9b7bc6cec5798613dbf5c258c020b3d0082d3fc24ff09133e7b7819a77406ed6e8d23177f8088bd476a68d3b2e5e4ddbcc82f1c6f7e1b3f96403b

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi id-8xBJeQ4417S7D8p3.BDKR

Filesize
143KB

MD5
83f5949deb290873981855957253d9a2

SHA1
a5e8c0e60a3d58a041c389c377ee81c3805f696c

SHA256
1d5d8f88db369de17b978b066cf11c2355244b00392bbc910acc842725fa38ad

SHA512
882feb3e24b60dfeeb08e9b46c1b85d133886cfecb3460344a43f180b63d1f99c58d97c86c5849e364998dde8737ba0269cd73d7fb7a29ca9fe2e1634ae1f7c9

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi id-8xBJeQ4417S7D8p3.BDKR

Filesize
143KB

MD5
a3a72b37a7cff0137419a112005b7480

SHA1
66556cb75dbd6980a31c86f4908124d56156dd16

SHA256
df31eb1322dc5f04c7efdfc3d59549a9c31652ac319b6ab85863c1693e993a0c

SHA512
fa6aaf048ac91292c779417b38f8ff3aa2cc79eb28049547faf20c475273860bc238979f6be5b5c3a4d16ab664638cadc4dbdfaca895a1a9759bf7d8073d302a

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\vc_runtimeMinimum_x86.msi id-8xBJeQ4417S7D8p3.BDKR

Filesize
183KB

MD5
6003a0fe5e2439f146bec5fb02377a7b

SHA1
3c8564c23346571b93b464573fe31cb417e79ce2

SHA256
8a34b187a13982be47c508b0249201a880fdc2dfc34e73096747e89d4a30ded4

SHA512
629703914f217086b26ee05b27c1e5c10f0c7a85329aea43102f861e27310edc6fa4bc3dde718dd03a32f82a8bb976f0cefb0a70f93ea5a58842b13697f8b0c4

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm id-8xBJeQ4417S7D8p3.BDKR

Filesize
3KB

MD5
7ecfbb891c8cb027d609ba00801683f9

SHA1
c7d71dfd1dbe8bacb85d750f231ded5044220295

SHA256
18f6fc9a07e07f3854064046d184c8a6c84f1177f77ec934a2f7b995ba8bf803

SHA512
ffaa9bc8c06225e83677e818502b1645ec1e935afbd610c0efc8f9df71a01ec4a3e37b57d8e98623a6852553fdbbe3ca661a07a32bf707eb67bfb2461c519092

Download Submit
C:\Windows\cllog.bat

Filesize
166B

MD5
c3322041ca54a67a1f3108f5c558ada5

SHA1
4a15fd1570ca2adf8c478f8a6baed5444d6c7d9d

SHA256
0c632d77298ee5c0dfd96ead16883ffb16c4efc36b2ba5bd5a72d1e7c6cefb5f

SHA512
614d1be590b15314c8e076215b5c0307f969ffbae56933cd1fb738b8517e6e4986c99d6a247b3373cabce5314468b5ae36c2d80c2991a1d03a90ea2b3a0efce6

Download Submit
memory/264-6773-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download