6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe
Size

54KB
MD5

c0c56f310160cb211e7e69fdf24bee43
SHA1

6279cf3d1e370444950b2c694f16e3bd7c8ec969
SHA256

6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f
SHA512

28402f4a022a0d0172ea0547011e9f344f687259f94f857a2250e916f3e83095f46d4f199fb112a10cdca7126f7cf640571595b301ef0e9e374ed067577cf572
SSDEEP

768:U+hvPV2e5loa5VIz3+hNbPQNg6OHPSnGoVrtqkql6bcIwC9t+St+:vkoi3+vPQNg6OHPCGyRq56b3hU

Score

9^/10

defense_evasion discovery evasion persistence ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
2976	wevtutil.exe
2320	wevtutil.exe
2464	wevtutil.exe
1588	wevtutil.exe
812	wevtutil.exe
900	Process not Found
2928	wevtutil.exe
1036	wevtutil.exe
1740	wevtutil.exe
1440	wevtutil.exe
3052	wevtutil.exe
988	wevtutil.exe
2576	wevtutil.exe
2588	wevtutil.exe
1064	wevtutil.exe
1240	wevtutil.exe
2820	wevtutil.exe
1996	wevtutil.exe
2336	wevtutil.exe
576	wevtutil.exe
2328	Process not Found
2856	Process not Found
592	wevtutil.exe
2400	wevtutil.exe
2908	wevtutil.exe
2960	wevtutil.exe
2352	wevtutil.exe
1272	Process not Found
2376	wevtutil.exe
1576	wevtutil.exe
2668	wevtutil.exe
768	wevtutil.exe
2620	wevtutil.exe
2460	wevtutil.exe
2624	wevtutil.exe
2264	wevtutil.exe
2064	wevtutil.exe
276	wevtutil.exe
1232	wevtutil.exe
1264	wevtutil.exe
2412	wevtutil.exe
3040	wevtutil.exe
2784	wevtutil.exe
1708	wevtutil.exe
1592	Process not Found
812	wevtutil.exe
320	wevtutil.exe
3060	wevtutil.exe
1676	wevtutil.exe
2936	wevtutil.exe
788	wevtutil.exe
2300	wevtutil.exe
2184	wevtutil.exe
2376	wevtutil.exe
1256	wevtutil.exe
3064	wevtutil.exe
108	wevtutil.exe
2376	wevtutil.exe
2028	wevtutil.exe
1108	wevtutil.exe
2588	wevtutil.exe
2280	wevtutil.exe
1168	wevtutil.exe
616	wevtutil.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	cleanmgr.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Power Settings 1 TTPs 2 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
316	cmd.exe
2108	wevtutil.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1768	cleanmgr.exe
Token: SeSecurityPrivilege	1572	wevtutil.exe
Token: SeBackupPrivilege	1572	wevtutil.exe
Token: SeSecurityPrivilege	3004	wevtutil.exe
Token: SeBackupPrivilege	3004	wevtutil.exe
Token: SeSecurityPrivilege	2684	wevtutil.exe
Token: SeBackupPrivilege	2684	wevtutil.exe
Token: SeSecurityPrivilege	2792	wevtutil.exe
Token: SeBackupPrivilege	2792	wevtutil.exe
Token: SeSecurityPrivilege	2852	wevtutil.exe
Token: SeBackupPrivilege	2852	wevtutil.exe
Token: SeSecurityPrivilege	2804	wevtutil.exe
Token: SeBackupPrivilege	2804	wevtutil.exe
Token: SeSecurityPrivilege	2756	wevtutil.exe
Token: SeBackupPrivilege	2756	wevtutil.exe
Token: SeSecurityPrivilege	2532	wevtutil.exe
Token: SeBackupPrivilege	2532	wevtutil.exe
Token: SeSecurityPrivilege	2576	wevtutil.exe
Token: SeBackupPrivilege	2576	wevtutil.exe
Token: SeSecurityPrivilege	2928	wevtutil.exe
Token: SeBackupPrivilege	2928	wevtutil.exe
Token: SeSecurityPrivilege	2476	wevtutil.exe
Token: SeBackupPrivilege	2476	wevtutil.exe
Token: SeSecurityPrivilege	2572	wevtutil.exe
Token: SeBackupPrivilege	2572	wevtutil.exe
Token: SeSecurityPrivilege	2220	wevtutil.exe
Token: SeBackupPrivilege	2220	wevtutil.exe
Token: SeSecurityPrivilege	2820	wevtutil.exe
Token: SeBackupPrivilege	2820	wevtutil.exe
Token: SeSecurityPrivilege	1244	wevtutil.exe
Token: SeBackupPrivilege	1244	wevtutil.exe
Token: SeSecurityPrivilege	2388	wevtutil.exe
Token: SeBackupPrivilege	2388	wevtutil.exe
Token: SeSecurityPrivilege	2416	wevtutil.exe
Token: SeBackupPrivilege	2416	wevtutil.exe
Token: SeSecurityPrivilege	484	wevtutil.exe
Token: SeBackupPrivilege	484	wevtutil.exe
Token: SeSecurityPrivilege	1672	wevtutil.exe
Token: SeBackupPrivilege	1672	wevtutil.exe
Token: SeSecurityPrivilege	1708	wevtutil.exe
Token: SeBackupPrivilege	1708	wevtutil.exe
Token: SeSecurityPrivilege	1148	wevtutil.exe
Token: SeBackupPrivilege	1148	wevtutil.exe
Token: SeSecurityPrivilege	2520	wevtutil.exe
Token: SeBackupPrivilege	2520	wevtutil.exe
Token: SeSecurityPrivilege	1204	wevtutil.exe
Token: SeBackupPrivilege	1204	wevtutil.exe
Token: SeSecurityPrivilege	320	wevtutil.exe
Token: SeBackupPrivilege	320	wevtutil.exe
Token: SeSecurityPrivilege	2312	wevtutil.exe
Token: SeBackupPrivilege	2312	wevtutil.exe
Token: SeSecurityPrivilege	836	wevtutil.exe
Token: SeBackupPrivilege	836	wevtutil.exe
Token: SeSecurityPrivilege	2620	wevtutil.exe
Token: SeBackupPrivilege	2620	wevtutil.exe
Token: SeSecurityPrivilege	2460	wevtutil.exe
Token: SeBackupPrivilege	2460	wevtutil.exe
Token: SeSecurityPrivilege	816	wevtutil.exe
Token: SeBackupPrivilege	816	wevtutil.exe
Token: SeSecurityPrivilege	2716	wevtutil.exe
Token: SeBackupPrivilege	2716	wevtutil.exe
Token: SeSecurityPrivilege	812	wevtutil.exe
Token: SeBackupPrivilege	812	wevtutil.exe
Token: SeSecurityPrivilege	768	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2376	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	31
PID 2068 wrote to memory of 2376	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	31
PID 2068 wrote to memory of 2376	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	31
PID 2068 wrote to memory of 2376	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	31
PID 2068 wrote to memory of 2160	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	33
PID 2068 wrote to memory of 2160	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	33
PID 2068 wrote to memory of 2160	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	33
PID 2068 wrote to memory of 2160	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	33
PID 2068 wrote to memory of 800	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	35
PID 2068 wrote to memory of 800	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	35
PID 2068 wrote to memory of 800	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	35
PID 2068 wrote to memory of 800	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	35
PID 2068 wrote to memory of 1612	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	37
PID 2068 wrote to memory of 1612	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	37
PID 2068 wrote to memory of 1612	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	37
PID 2068 wrote to memory of 1612	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	37
PID 2068 wrote to memory of 1636	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	39
PID 2068 wrote to memory of 1636	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	39
PID 2068 wrote to memory of 1636	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	39
PID 2068 wrote to memory of 1636	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	39
PID 2068 wrote to memory of 1640	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	41
PID 2068 wrote to memory of 1640	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	41
PID 2068 wrote to memory of 1640	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	41
PID 2068 wrote to memory of 1640	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	41
PID 2068 wrote to memory of 2424	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	43
PID 2068 wrote to memory of 2424	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	43
PID 2068 wrote to memory of 2424	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	43
PID 2068 wrote to memory of 2424	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	43
PID 2068 wrote to memory of 572	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	45
PID 2068 wrote to memory of 572	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	45
PID 2068 wrote to memory of 572	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	45
PID 2068 wrote to memory of 572	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	45
PID 2068 wrote to memory of 2312	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	47
PID 2068 wrote to memory of 2312	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	47
PID 2068 wrote to memory of 2312	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	47
PID 2068 wrote to memory of 2312	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	47
PID 2068 wrote to memory of 536	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	49
PID 2068 wrote to memory of 536	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	49
PID 2068 wrote to memory of 536	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	49
PID 2068 wrote to memory of 536	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	49
PID 2068 wrote to memory of 2164	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	51
PID 2068 wrote to memory of 2164	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	51
PID 2068 wrote to memory of 2164	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	51
PID 2068 wrote to memory of 2164	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	51
PID 2068 wrote to memory of 2624	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	53
PID 2068 wrote to memory of 2624	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	53
PID 2068 wrote to memory of 2624	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	53
PID 2068 wrote to memory of 2624	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	53
PID 2068 wrote to memory of 2712	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	55
PID 2068 wrote to memory of 2712	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	55
PID 2068 wrote to memory of 2712	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	55
PID 2068 wrote to memory of 2712	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	55
PID 2068 wrote to memory of 408	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	57
PID 2068 wrote to memory of 408	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	57
PID 2068 wrote to memory of 408	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	57
PID 2068 wrote to memory of 408	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	57
PID 2068 wrote to memory of 1108	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	59
PID 2068 wrote to memory of 1108	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	59
PID 2068 wrote to memory of 1108	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	59
PID 2068 wrote to memory of 1108	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	59
PID 2068 wrote to memory of 1916	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	61
PID 2068 wrote to memory of 1916	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	61
PID 2068 wrote to memory of 1916	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	61
PID 2068 wrote to memory of 1916	2068	6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe	61

C:\Users\Admin\AppData\Local\Temp\6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe
"C:\Users\Admin\AppData\Local\Temp\6aa986b1611fd71775e14011ce0f4c41282953c46f8a17d9bea89072a383440f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%temp%\*.*"
  2⤵
  PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%WINDIR%\temp\*.*"
  2⤵
  PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c FOR /D %p IN ("%WINDIR%\temp\*") DO rmdir /s /q "%p"
  2⤵
  PID:800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%USERPROFILE%\Downloads\*.*"
  2⤵
  PID:1612
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%USERPROFILE%\AppData\Local\Temporary Internet Files\*.*"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Windows\Logs\CBS\*.*"
  2⤵
  PID:1640
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\swtools\*.*"
  2⤵
  PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\drivers\*.*"
  2⤵
  PID:572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\swsetup\"
  2⤵
  PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Windows\Prefetch\"
  2⤵
  PID:536
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%SystemRoot%\Minidump\*.dmp"
  2⤵
  PID:2164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%SystemRoot%\Memory.dmp"
  2⤵
  PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%LOCALAPPDATA%\CrashDumps\*.dmp"
  2⤵
  PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%PROGRAMDATA%\Microsoft\Windows\WER\ReportArchive\*.*dmp"
  2⤵
  PID:408
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%PROGRAMDATA%\Microsoft\Windows\WER\ReportQueue\*.*dmp"
  2⤵
  PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%PROGRAMDATA%\Diebold\Harvester\logs\*.log"
  2⤵
  PID:1916
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%PROGRAMDATA%\DieboldNixdorf\packages\*.*"
  2⤵
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%USERPROFILE%\AppData\local\Microsoft\Windows\WER\ReportArchive\*.*dmp"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%USERPROFILE%\AppData\local\Microsoft\Windows\WER\ReportQueue\*.*dmp"
  2⤵
  PID:904
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\LOG\*.*"
  2⤵
  PID:1616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\*.hprof"
  2⤵
  PID:1332
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\hs_err_pid*.log"
  2⤵
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\FIB_1\*.*"
  2⤵
  PID:1956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\LOG_1\*.*"
  2⤵
  PID:276
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\Agilis TPM Utilities\logs\*.log"
  2⤵
  PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\TEK\logs\*.*"
  2⤵
  PID:1596
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\TrouSerS\*.*"
  2⤵
  PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\Agilis TPM Utilities\logs\*.log"
  2⤵
  PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\TEK\logs\*.*"
  2⤵
  PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\TrouSerS\*.*"
  2⤵
  PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%AIUROOT%\logs\Archive\*.*"
  2⤵
  PID:304
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\TrouSerS\*.*"
  2⤵
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\INVENTORY\*.*"
  2⤵
  PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\diagserv\data\*.*"
  2⤵
  PID:2796
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\diagserv\log\*.*"
  2⤵
  PID:2640
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\diagserv\plugins\configuration\*.*"
  2⤵
  PID:2652
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\diagserv\temp\*.*"
  2⤵
  PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\diagserv\bin\*.hprof"
  2⤵
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\KEYSTORE\RM4H\rm4h_certs.bin"
  2⤵
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\RM4H_0\*.*"
  2⤵
  PID:2552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\SELV5_CRS_0\*.*"
  2⤵
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\logs\*.*"
  2⤵
  PID:1048
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\firmware\*.*"
  2⤵
  PID:2820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\XFS_RM4H_0\*.*"
  2⤵
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\DBD_MODULES\RM4V\GDF\*.GDF"
  2⤵
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\KEYSTORE\CMDV6C\cmd_v6c_certs.bin"
  2⤵
  PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c copy "%CSCROOT%\CONF\CMDV6_0\simulatedNoteTable.conf" C:\Agilis
  2⤵
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\CMDV6_0\*.*"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c move C:\Agilis\simulatedNoteTable.conf "%CSCROOT%\CONF\CMDV6_0\"
  2⤵
  PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\XFS_CMDV6C_0\*.*"
  2⤵
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\RM3_CRS_0\*.*"
  2⤵
  PID:616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\SELV5_CRS_0\*.*"
  2⤵
  PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\KEYSTORE\channelkeys.ubr"
  2⤵
  PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\KEYSTORE\securechannel.ubr"
  2⤵
  PID:1116
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c copy "%CSCROOT%\CONF\RM3_ATM_0\simulatedNoteTable.conf" C:\Agilis
  2⤵
  PID:836
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\RM3_ATM_0\*.*"
  2⤵
  PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c move C:\Agilis\simulatedNoteTable.conf "%CSCROOT%\CONF\RM3_ATM_0\"
  2⤵
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\SELV5_ATM_0\*.*"
  2⤵
  PID:156
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\WfsCashUnits.bak"
  2⤵
  PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\WfsCashUnits.xml"
  2⤵
  PID:444
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\WfsCdmPresentStatus.bak"
  2⤵
  PID:812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\WfsCdmPresentStatus.xml"
  2⤵
  PID:2404
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\WfsCimCashInStatus.bak"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\WfsCimCashInStatus.xml"
  2⤵
  PID:2300
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\KEYSTORE\securechannel_cmd.ubr"
  2⤵
  PID:788
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\RM3_CCDM_0\*.*"
  2⤵
  PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_CashUnitMemory.bak"
  2⤵
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_CashUnitMemory.xml"
  2⤵
  PID:1360
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_WfsCimCashInStatus.bak"
  2⤵
  PID:1028
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_WfsCimCashInStatus.xml"
  2⤵
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_WfsIpmMediaBinInfo.bak"
  2⤵
  PID:1040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_WfsIpmMediaBinInfo.xml"
  2⤵
  PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_WfsIpmStatus.bak"
  2⤵
  PID:1852
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_WfsIpmStatus.xml"
  2⤵
  PID:1168
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_WfsIpmTransStatus.bak"
  2⤵
  PID:352
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_WfsIpmTransStatus.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_SupplyReplenMem.bak"
  2⤵
  PID:316
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\Ccdm_SupplyReplenMem.xml"
  2⤵
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\CONF\*.dat"
  2⤵
  PID:2764
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\tpm\restorelog.txt"
  2⤵
  PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\log\tpm\*.*"
  2⤵
  PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\KEYSTORE\TpmStatus.xml"
  2⤵
  PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\KEYSTORE\tcsc\*.*"
  2⤵
  PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%CSCROOT%\VIDEO\log\*.*"
  2⤵
  PID:2580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\Security\TPM\*.*"
  2⤵
  PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\sbxlog\*.*"
  2⤵
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\sbx\*.*"
  2⤵
  PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\sbxarchives\*.*"
  2⤵
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\logs\*.*"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\vcs\logs\*.*"
  2⤵
  PID:1048
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\EDC\EDCLocal.dat"
  2⤵
  PID:2152
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\Archive\*.*"
  2⤵
  PID:356
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\WinSetup\MS_FOD\*.*"
  2⤵
  PID:2216
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Diebold\WinSetup\MS_Updates\Updates-x64\*.*"
  2⤵
  PID:636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\ABC\message.trc"
  2⤵
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\Agilis EmPower\Local\Netdata\FITtable.xml"
  2⤵
  PID:1728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\Agilis EmPower\Local\Netdata\States\States.xml"
  2⤵
  PID:1716
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\Agilis EmPower\States\*.*"
  2⤵
  PID:988
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\Agilis EmPower\Local\Netdata\FITtable.xml"
  2⤵
  PID:1220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\Agilis EmPower\Local\Netdata\States\States.xml"
  2⤵
  PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\Agilis EmPower\States\*.*"
  2⤵
  PID:584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\ABC\message.trc"
  2⤵
  PID:1636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\Agilis EmPower\PrintOutput\*.*"
  2⤵
  PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\Agilis EmPower\PrintOutput\*.*"
  2⤵
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\AMI\AMITRACE\*.*"
  2⤵
  PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\AMI\AMITRACE\*.*"
  2⤵
  PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\Agilis EmPower\Config\ExCICounts.xml"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1136
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles(x86)%\Diebold\Agilis EmPower\Config\FaulHistory.dat"
  2⤵
  PID:956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\Agilis EmPower\Config\ExCICounts.xml"
  2⤵
  PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%ProgramFiles%\Diebold\Agilis EmPower\Config\FaulHistory.dat"
  2⤵
  PID:2288
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c trcwclr error
  2⤵
  PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c trcwclr trace
  2⤵
  PID:1748
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q "%systemdrive%\Agilis\Logs\*.*"
  2⤵
  PID:1552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c cleanmgr.exe /s /q /sagerun
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\cleanmgr.exe
    cleanmgr.exe /s /q /sagerun
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c del /s /q %systemdrive%\$Recycle.bin
  2⤵
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe el
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe el
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Analytic
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Analytic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Application
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Application
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl DebugChannel
  2⤵
  PID:304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl DebugChannel
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl DirectShowFilterGraph
  2⤵
  PID:156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl DirectShowFilterGraph
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl DirectShowPluginControl
  2⤵
  PID:1916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl DirectShowPluginControl
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Els_Hyphenation/Analytic
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Els_Hyphenation/Analytic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl EndpointMapper
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl EndpointMapper
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl ForwardedEvents
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl ForwardedEvents
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl HardwareEvents
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl HardwareEvents
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Internet Explorer
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Internet Explorer
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Key Management Service
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Key Management Service
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl MF_MediaFoundationDeviceProxy
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl MF_MediaFoundationDeviceProxy
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Media Center
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2848
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Media Center
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl MediaFoundationDeviceProxy
  2⤵
  PID:2656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl MediaFoundationDeviceProxy
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl MediaFoundationPerformance
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl MediaFoundationPerformance
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl MediaFoundationPipeline
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl MediaFoundationPipeline
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl MediaFoundationPlatform
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl MediaFoundationPlatform
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-IE/Diagnostic
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-IE/Diagnostic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-IEDVTOOL/Diagnostic
  2⤵
  PID:400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-IEDVTOOL/Diagnostic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-IEFRAME/Diagnostic
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-IEFRAME/Diagnostic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-JSDumpHeap/Diagnostic
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-JSDumpHeap/Diagnostic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-PerfTrack-IEFRAME/Diagnostic
  2⤵
  PID:592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-PerfTrack-IEFRAME/Diagnostic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-PerfTrack-MSHTML/Diagnostic
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-PerfTrack-MSHTML/Diagnostic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ADSI/Debug
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ADSI/Debug
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-API-Tracing/Operational
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-API-Tracing/Operational
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ATAPort/General
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ATAPort/General
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ATAPort/SATA-LPM
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ATAPort/SATA-LPM
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ActionQueue/Analytic
  2⤵
  PID:2456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ActionQueue/Analytic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-AltTab/Diagnostic
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-AltTab/Diagnostic
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-AppID/Operational
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-AppID/Operational
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-AppLocker/EXE and DLL
  2⤵
  PID:444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-AppLocker/EXE and DLL
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-AppLocker/MSI and Script
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-AppLocker/MSI and Script
    3⤵
    PID:692
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application Server-Applications/Admin
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application Server-Applications/Admin
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application Server-Applications/Analytic
  2⤵
  PID:868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application Server-Applications/Analytic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application Server-Applications/Debug
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application Server-Applications/Debug
    3⤵
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application Server-Applications/Operational
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application Server-Applications/Operational
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application-Experience/Problem-Steps-Recorder
  2⤵
  PID:608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application-Experience/Problem-Steps-Recorder
    3⤵
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Inventory
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Inventory
    3⤵
    - Clears Windows event logs
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Inventory/Debug
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Inventory/Debug
    3⤵
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Telemetry
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Application-Experience/Program-Telemetry
    3⤵
    - Clears Windows event logs
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Audio/CaptureMonitor
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Audio/CaptureMonitor
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Audio/Operational
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Audio/Operational
    3⤵
    PID:892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Audio/Performance
  2⤵
  PID:380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Audio/Performance
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Audit/Analytic
  2⤵
  PID:584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Audit/Analytic
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Authentication User Interface/Operational
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Authentication User Interface/Operational
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-AxInstallService/Log
  2⤵
  PID:2692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-AxInstallService/Log
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Backup
  2⤵
  PID:352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Backup
    3⤵
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Biometrics/Operational
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Biometrics/Operational
    3⤵
    PID:1852
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
    3⤵
    - Clears Windows event logs
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Bits-Client/Analytic
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Bits-Client/Analytic
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Bits-Client/Operational
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Bits-Client/Operational
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
    3⤵
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-BranchCache/Operational
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-BranchCache/Operational
    3⤵
    PID:2924
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
    3⤵
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-BranchCacheSMB/Analytic
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-BranchCacheSMB/Analytic
    3⤵
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-BranchCacheSMB/Operational
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-BranchCacheSMB/Operational
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CAPI2/Operational
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CAPI2/Operational
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CDROM/Operational
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CDROM/Operational
    3⤵
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-COM/Analytic
  2⤵
  PID:800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-COM/Analytic
    3⤵
    - Clears Windows event logs
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-COMRuntime/Tracing
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-COMRuntime/Tracing
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Calculator/Debug
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Calculator/Debug
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Calculator/Diagnostic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Calculator/Diagnostic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CertPoleEng/Operational
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CertPoleEng/Operational
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ClearTypeTextTuner/Diagnostic
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ClearTypeTextTuner/Diagnostic
    3⤵
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CmiSetup/Analytic
  2⤵
  PID:988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CmiSetup/Analytic
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CodeIntegrity/Operational
  2⤵
  PID:112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CodeIntegrity/Operational
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CodeIntegrity/Verbose
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CodeIntegrity/Verbose
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ComDlg32/Analytic
  2⤵
  PID:1696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ComDlg32/Analytic
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ComDlg32/Debug
  2⤵
  PID:2192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ComDlg32/Debug
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CorruptedFileRecovery-Client/Operational
  2⤵
  PID:1788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CorruptedFileRecovery-Client/Operational
    3⤵
    - Clears Windows event logs
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CorruptedFileRecovery-Server/Operational
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CorruptedFileRecovery-Server/Operational
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-CredUI/Diagnostic
  2⤵
  PID:2712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-CredUI/Diagnostic
    3⤵
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Crypto-RNG/Analytic
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Crypto-RNG/Analytic
    3⤵
    - Clears Windows event logs
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-D3D10Level9/Analytic
  2⤵
  PID:2292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-D3D10Level9/Analytic
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-D3D10Level9/PerfTiming
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-D3D10Level9/PerfTiming
    3⤵
    - Clears Windows event logs
    PID:788
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DCLocator/Debug
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DCLocator/Debug
    3⤵
    - Clears Windows event logs
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DNS-Client/Operational
  2⤵
  PID:840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DNS-Client/Operational
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DUI/Diagnostic
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DUI/Diagnostic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DUSER/Diagnostic
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DUSER/Diagnostic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DXGI/Analytic
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DXGI/Analytic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DXGI/Logging
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DXGI/Logging
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DXP/Analytic
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DXP/Analytic
    3⤵
    PID:2052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DateTimeControlPanel/Analytic
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DateTimeControlPanel/Analytic
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DateTimeControlPanel/Debug
  2⤵
  PID:276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DateTimeControlPanel/Debug
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DateTimeControlPanel/Operational
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DateTimeControlPanel/Operational
    3⤵
    PID:892
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Deplorch/Analytic
  2⤵
  PID:900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Deplorch/Analytic
    3⤵
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DeviceSync/Analytic
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DeviceSync/Analytic
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DeviceSync/Operational
  2⤵
  PID:2916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DeviceSync/Operational
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DeviceUx/Informational
  2⤵
  PID:2768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DeviceUx/Informational
    3⤵
    - Clears Windows event logs
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DeviceUx/Performance
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DeviceUx/Performance
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Dhcp-Client/Admin
  2⤵
  PID:2764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Dhcp-Client/Admin
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Dhcp-Client/Operational
  2⤵
  PID:2852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Dhcp-Client/Operational
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DhcpNap/Admin
  2⤵
  PID:2804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DhcpNap/Admin
    3⤵
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DhcpNap/Operational
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DhcpNap/Operational
    3⤵
    - Clears Windows event logs
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Dhcpv6-Client/Admin
  2⤵
  PID:2532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Dhcpv6-Client/Admin
    3⤵
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Dhcpv6-Client/Operational
  2⤵
  PID:2680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Dhcpv6-Client/Operational
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DiagCpl/Debug
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DiagCpl/Debug
    3⤵
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-DPS/Analytic
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-DPS/Analytic
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-DPS/Debug
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-DPS/Debug
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-DPS/Operational
  2⤵
  PID:2580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-DPS/Operational
    3⤵
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-MSDE/Debug
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-MSDE/Debug
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-PCW/Analytic
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-PCW/Analytic
    3⤵
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-PCW/Debug
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-PCW/Debug
    3⤵
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-PCW/Operational
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-PCW/Operational
    3⤵
    - Clears Windows event logs
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-PLA/Debug
  2⤵
  PID:800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-PLA/Debug
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-PLA/Operational
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-PLA/Operational
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-Perfhost/Analytic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-Perfhost/Analytic
    3⤵
    PID:1432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-Scheduled/Operational
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-Scheduled/Operational
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-Scripted/Admin
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-Scripted/Admin
    3⤵
    PID:1204
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-Scripted/Analytic
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-Scripted/Analytic
    3⤵
    - Clears Windows event logs
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-Scripted/Debug
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-Scripted/Debug
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-Scripted/Operational
  2⤵
  PID:536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-Scripted/Operational
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug
    3⤵
    - Clears Windows event logs
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-TaskManager/Debug
  2⤵
  PID:2248
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-TaskManager/Debug
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-WDC/Analytic
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-WDC/Analytic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnosis-WDI/Debug
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnosis-WDI/Debug
    3⤵
    PID:1316
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnostics-Networking/Debug
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnostics-Networking/Debug
    3⤵
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnostics-Networking/Operational
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnostics-Networking/Operational
    3⤵
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic
  2⤵
  PID:992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnostics-Performance/Diagnostic
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnostics-Performance/Diagnostic
    3⤵
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback
    3⤵
    PID:948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Diagnostics-Performance/Operational
  2⤵
  PID:840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Diagnostics-Performance/Operational
    3⤵
    PID:876
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Direct3D10/Analytic
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Direct3D10/Analytic
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Direct3D10_1/Analytic
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Direct3D10_1/Analytic
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Direct3D11/Analytic
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Direct3D11/Analytic
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Direct3D11/Logging
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Direct3D11/Logging
    3⤵
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Direct3D11/PerfTiming
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Direct3D11/PerfTiming
    3⤵
    - Clears Windows event logs
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DirectShow-KernelSupport/Performance
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DirectShow-KernelSupport/Performance
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DirectSound/Debug
  2⤵
  PID:276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DirectSound/Debug
    3⤵
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DirectWrite-FontCache/Tracing
  2⤵
  PID:2136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DirectWrite-FontCache/Tracing
    3⤵
    - Clears Windows event logs
    - System Location Discovery: System Language Discovery
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DirectWrite/Tracing
  2⤵
  PID:2912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DirectWrite/Tracing
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Disk/Operational
  2⤵
  PID:2024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Disk/Operational
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DiskDiagnostic/Operational
  2⤵
  PID:2132
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DiskDiagnostic/Operational
    3⤵
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DiskDiagnosticDataCollector/Operational
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DiskDiagnosticDataCollector/Operational
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DiskDiagnosticResolver/Operational
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DiskDiagnosticResolver/Operational
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DisplayColorCalibration/Debug
  2⤵
  PID:1852
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DisplayColorCalibration/Debug
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DisplayColorCalibration/Operational
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DisplayColorCalibration/Operational
    3⤵
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DisplaySwitch/Diagnostic
  2⤵
  PID:2728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DisplaySwitch/Diagnostic
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Documents/Performance
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Documents/Performance
    3⤵
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DriverFrameworks-UserMode/Operational
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DriverFrameworks-UserMode/Operational
    3⤵
    PID:2564
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DxgKrnl/Diagnostic
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DxgKrnl/Diagnostic
    3⤵
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DxgKrnl/Performance
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DxgKrnl/Performance
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DxpTaskRingtone/Analytic
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DxpTaskRingtone/Analytic
    3⤵
    PID:1272
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-DxpTaskSyncProvider/Analytic
  2⤵
  PID:1060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-DxpTaskSyncProvider/Analytic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EFS/Debug
  2⤵
  PID:328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EFS/Debug
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EapHost/Analytic
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EapHost/Analytic
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EapHost/Debug
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EapHost/Debug
    3⤵
    - System Location Discovery: System Language Discovery
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EapHost/Operational
  2⤵
  PID:2388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EapHost/Operational
    3⤵
    - Clears Windows event logs
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EaseOfAccess/Diagnostic
  2⤵
  PID:2416
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EaseOfAccess/Diagnostic
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EventCollector/Debug
  2⤵
  PID:800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EventCollector/Debug
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EventCollector/Operational
  2⤵
  PID:2100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EventCollector/Operational
    3⤵
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EventLog-WMIProvider/Debug
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EventLog-WMIProvider/Debug
    3⤵
    - Clears Windows event logs
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EventLog/Analytic
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EventLog/Analytic
    3⤵
    - Clears Windows event logs
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-EventLog/Debug
  2⤵
  PID:2428
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-EventLog/Debug
    3⤵
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-FMS/Analytic
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-FMS/Analytic
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-FMS/Debug
  2⤵
  PID:572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-FMS/Debug
    3⤵
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-FMS/Operational
  2⤵
  PID:2168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-FMS/Operational
    3⤵
    PID:3024
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-FailoverClustering-Client/Diagnostic
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-FailoverClustering-Client/Diagnostic
    3⤵
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Fault-Tolerant-Heap/Operational
  2⤵
  PID:3032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Fault-Tolerant-Heap/Operational
    3⤵
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Feedback-Service-TriggerProvider
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Feedback-Service-TriggerProvider
    3⤵
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-FileInfoMinifilter/Operational
  2⤵
  PID:752
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-FileInfoMinifilter/Operational
    3⤵
    PID:2516
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Firewall-CPL/Diagnostic
  2⤵
  PID:408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Firewall-CPL/Diagnostic
    3⤵
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Folder Redirection/Operational
  2⤵
  PID:1344
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Folder Redirection/Operational
    3⤵
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Forwarding/Debug
  2⤵
  PID:652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Forwarding/Debug
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Forwarding/Operational
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Forwarding/Operational
    3⤵
    - Clears Windows event logs
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-GettingStarted/Diagnostic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-GettingStarted/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-GroupPolicy/Operational
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-GroupPolicy/Operational
    3⤵
    PID:1304
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HAL/Debug
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HAL/Debug
    3⤵
    PID:904
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HealthCenter/Debug
  2⤵
  PID:1552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HealthCenter/Debug
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HealthCenter/Performance
  2⤵
  PID:608
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HealthCenter/Performance
    3⤵
    - Clears Windows event logs
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HealthCenterCPL/Performance
  2⤵
  PID:2308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HealthCenterCPL/Performance
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Help/Operational
  2⤵
  PID:1724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Help/Operational
    3⤵
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic
  2⤵
  PID:2424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic
    3⤵
    PID:3064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HomeGroup Control Panel/Operational
  2⤵
  PID:1796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HomeGroup Control Panel/Operational
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HomeGroup Listener Service/Operational
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HomeGroup Listener Service/Operational
    3⤵
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic
  2⤵
  PID:1596
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic
    3⤵
    PID:108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HomeGroup Provider Service/Operational
  2⤵
  PID:380
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HomeGroup Provider Service/Operational
    3⤵
    - Clears Windows event logs
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HomeGroup-ListenerService
  2⤵
  PID:1528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HomeGroup-ListenerService
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HotStart/Diagnostic
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HotStart/Diagnostic
    3⤵
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-HttpService/Trace
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-HttpService/Trace
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-IKE/Operational
  2⤵
  PID:316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-IKE/Operational
    3⤵
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-IKEDBG/Debug
  2⤵
  PID:156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-IKEDBG/Debug
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-IPBusEnum/Tracing
  2⤵
  PID:1540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-IPBusEnum/Tracing
    3⤵
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-IPSEC-SRV/Diagnostic
  2⤵
  PID:2636
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-IPSEC-SRV/Diagnostic
    3⤵
    PID:2568
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
  2⤵
  PID:2648
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-International/Operational
  2⤵
  PID:2288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-International/Operational
    3⤵
    PID:2548
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Iphlpsvc/Debug
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Iphlpsvc/Debug
    3⤵
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Iphlpsvc/Operational
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Iphlpsvc/Operational
    3⤵
    PID:2828
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Iphlpsvc/Trace
  2⤵
  PID:2832
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Iphlpsvc/Trace
    3⤵
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Acpi/Diagnostic
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Acpi/Diagnostic
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Boot/Analytic
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Boot/Analytic
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Disk/Analytic
  2⤵
  PID:2352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Disk/Analytic
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-EventTracing/Admin
  2⤵
  PID:2672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-EventTracing/Admin
    3⤵
    PID:484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-EventTracing/Analytic
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-EventTracing/Analytic
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-File/Analytic
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-File/Analytic
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Memory/Analytic
  2⤵
  PID:1504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Memory/Analytic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Network/Analytic
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Network/Analytic
    3⤵
    PID:1712
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-PnP/Diagnostic
  2⤵
  PID:2184
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-PnP/Diagnostic
    3⤵
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Power/Diagnostic
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Power/Diagnostic
    3⤵
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Power/Thermal-Diagnostic
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Power/Thermal-Diagnostic
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Power/Thermal-Operational
  2⤵
  PID:1612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Power/Thermal-Operational
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Prefetch/Diagnostic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Prefetch/Diagnostic
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Process/Analytic
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Process/Analytic
    3⤵
    - Clears Windows event logs
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Processor-Power/Diagnostic
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Processor-Power/Diagnostic
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-Registry/Analytic
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-Registry/Analytic
    3⤵
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-StoreMgr/Analytic
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-StoreMgr/Analytic
    3⤵
    PID:752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-StoreMgr/Operational
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-StoreMgr/Operational
    3⤵
    PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-WDI/Analytic
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-WDI/Analytic
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-WDI/Debug
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-WDI/Debug
    3⤵
    PID:788
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-WDI/Operational
  2⤵
  PID:1588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-WDI/Operational
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-WHEA/Errors
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-WHEA/Errors
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Kernel-WHEA/Operational
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Kernel-WHEA/Operational
    3⤵
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Known Folders API Service
  2⤵
  PID:904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Known Folders API Service
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-L2NA/Diagnostic
  2⤵
  PID:2484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-L2NA/Diagnostic
    3⤵
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-LDAP-Client/Debug
  2⤵
  PID:2320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-LDAP-Client/Debug
    3⤵
    PID:1040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-LUA-ConsentUI/Diagnostic
  2⤵
  PID:2976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-LUA-ConsentUI/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-LanguagePackSetup/Analytic
  2⤵
  PID:2412
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-LanguagePackSetup/Analytic
    3⤵
    - Clears Windows event logs
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-LanguagePackSetup/Debug
  2⤵
  PID:2280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-LanguagePackSetup/Debug
    3⤵
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-LanguagePackSetup/Operational
  2⤵
  PID:1956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-LanguagePackSetup/Operational
    3⤵
    - Clears Windows event logs
    PID:1440
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MCT/Operational
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MCT/Operational
    3⤵
    PID:880
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MPS-CLNT/Diagnostic
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MPS-CLNT/Diagnostic
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MPS-DRV/Diagnostic
  2⤵
  PID:1792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MPS-DRV/Diagnostic
    3⤵
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MPS-SRV/Diagnostic
  2⤵
  PID:1136
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MPS-SRV/Diagnostic
    3⤵
    PID:3004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MSPaint/Admin
  2⤵
  PID:2684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MSPaint/Admin
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MSPaint/Debug
  2⤵
  PID:2860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MSPaint/Debug
    3⤵
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MSPaint/Diagnostic
  2⤵
  PID:1812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MSPaint/Diagnostic
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MUI/Admin
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1968
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MUI/Admin
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MUI/Analytic
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MUI/Analytic
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MUI/Debug
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MUI/Debug
    3⤵
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MUI/Operational
  2⤵
  PID:2528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MUI/Operational
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter
    3⤵
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader
    3⤵
    PID:2744
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MediaFoundation-MFReadWrite/Transform
  2⤵
  PID:2328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MediaFoundation-MFReadWrite/Transform
    3⤵
    PID:2948
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MediaFoundation-PlayAPI/Analytic
  2⤵
  PID:1064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MediaFoundation-PlayAPI/Analytic
    3⤵
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MemoryDiagnostics-Results/Debug
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MemoryDiagnostics-Results/Debug
    3⤵
    PID:1640
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-MobilityCenter/Performance
  2⤵
  PID:2144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-MobilityCenter/Performance
    3⤵
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NCSI/Analytic
  2⤵
  PID:1976
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NCSI/Analytic
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NCSI/Operational
  2⤵
  PID:2984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NCSI/Operational
    3⤵
    PID:636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NDF-HelperClassDiscovery/Debug
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NDF-HelperClassDiscovery/Debug
    3⤵
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NDIS-PacketCapture/Diagnostic
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NDIS-PacketCapture/Diagnostic
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NDIS/Diagnostic
  2⤵
  PID:348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NDIS/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NDIS/Operational
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NDIS/Operational
    3⤵
    PID:2100
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NTLM/Operational
  2⤵
  PID:2264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NTLM/Operational
    3⤵
    PID:2792
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NWiFi/Diagnostic
  2⤵
  PID:2036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NWiFi/Diagnostic
    3⤵
    PID:2020
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Narrator/Diagnostic
  2⤵
  PID:1716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Narrator/Diagnostic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2428
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NetShell/Performance
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NetShell/Performance
    3⤵
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Network-and-Sharing-Center/Diagnostic
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Network-and-Sharing-Center/Diagnostic
    3⤵
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NetworkAccessProtection/Operational
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NetworkAccessProtection/Operational
    3⤵
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NetworkAccessProtection/WHC
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NetworkAccessProtection/WHC
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NetworkLocationWizard/Operational
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NetworkLocationWizard/Operational
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NetworkProfile/Diagnostic
  2⤵
  PID:812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NetworkProfile/Diagnostic
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NetworkProfile/Operational
  2⤵
  PID:444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NetworkProfile/Operational
    3⤵
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Networking-Correlation/Diagnostic
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Networking-Correlation/Diagnostic
    3⤵
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NlaSvc/Diagnostic
  2⤵
  PID:992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NlaSvc/Diagnostic
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-NlaSvc/Operational
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-NlaSvc/Operational
    3⤵
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-OLEACC/Debug
  2⤵
  PID:3052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-OLEACC/Debug
    3⤵
    PID:868
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-OLEACC/Diagnostic
  2⤵
  PID:956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-OLEACC/Diagnostic
    3⤵
    PID:3048
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-OOBE-Machine/Diagnostic
  2⤵
  PID:768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-OOBE-Machine/Diagnostic
    3⤵
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-OfflineFiles/Analytic
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-OfflineFiles/Analytic
    3⤵
    PID:2188
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-OfflineFiles/Debug
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-OfflineFiles/Debug
    3⤵
    PID:2084
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-OfflineFiles/Operational
  2⤵
  PID:1040
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-OfflineFiles/Operational
    3⤵
    - Clears Windows event logs
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-OfflineFiles/SyncLog
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-OfflineFiles/SyncLog
    3⤵
    PID:1724
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-OneX/Diagnostic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1264
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-OneX/Diagnostic
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-OobeLdr/Analytic
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-OobeLdr/Analytic
    3⤵
    PID:1768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PCI/Diagnostic
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PCI/Diagnostic
    3⤵
    PID:1752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ParentalControls/Operational
  2⤵
  PID:880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ParentalControls/Operational
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic
    3⤵
    PID:1596
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PeopleNearMe/Operational
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PeopleNearMe/Operational
    3⤵
    PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PortableDeviceStatusProvider/Analytic
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PortableDeviceStatusProvider/Analytic
    3⤵
    PID:2768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PortableDeviceSyncProvider/Analytic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PortableDeviceSyncProvider/Analytic
    3⤵
    PID:352
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PowerCfg/Diagnostic
  2⤵
  - Power Settings
  PID:316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PowerCfg/Diagnostic
    3⤵
    - Power Settings
    PID:2108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PowerCpl/Diagnostic
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PowerCpl/Diagnostic
    3⤵
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic
    3⤵
    PID:156
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PowerShell/Analytic
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PowerShell/Analytic
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PowerShell/Operational
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PowerShell/Operational
    3⤵
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PrimaryNetworkIcon/Performance
  2⤵
  PID:2576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PrimaryNetworkIcon/Performance
    3⤵
    PID:2648
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PrintService/Admin
  2⤵
  PID:2928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PrintService/Admin
    3⤵
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PrintService/Debug
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PrintService/Debug
    3⤵
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-PrintService/Operational
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-PrintService/Operational
    3⤵
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Program-Compatibility-Assistant/Debug
  2⤵
  PID:1048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Program-Compatibility-Assistant/Debug
    3⤵
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-QoS-Pacer/Diagnostic
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-QoS-Pacer/Diagnostic
    3⤵
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-QoS-qWAVE/Debug
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-QoS-qWAVE/Debug
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RPC-Proxy/Debug
  2⤵
  PID:2356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RPC-Proxy/Debug
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RPC/Debug
  2⤵
  PID:1964
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RPC/Debug
    3⤵
    - Clears Windows event logs
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RPC/EEInfo
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RPC/EEInfo
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ReadyBoost/Analytic
  2⤵
  PID:2572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ReadyBoost/Analytic
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ReadyBoost/Operational
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ReadyBoost/Operational
    3⤵
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ReadyBoostDriver/Analytic
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ReadyBoostDriver/Analytic
    3⤵
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ReadyBoostDriver/Operational
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ReadyBoostDriver/Operational
    3⤵
    - Clears Windows event logs
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Recovery/Operational
  2⤵
  PID:616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Recovery/Operational
    3⤵
    PID:1632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ReliabilityAnalysisComponent/Operational
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ReliabilityAnalysisComponent/Operational
    3⤵
    - Clears Windows event logs
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RemoteApp and Desktop Connections/Admin
  2⤵
  PID:1728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RemoteApp and Desktop Connections/Admin
    3⤵
    PID:2312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RemoteAssistance/Admin
  2⤵
  PID:2552
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RemoteAssistance/Admin
    3⤵
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RemoteAssistance/Operational
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RemoteAssistance/Operational
    3⤵
    PID:2620
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RemoteAssistance/Tracing
  2⤵
  PID:1116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RemoteAssistance/Tracing
    3⤵
    PID:2460
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
  2⤵
  PID:916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
    3⤵
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  2⤵
  PID:1656
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
    3⤵
    - Clears Windows event logs
    PID:2400
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Remotefs-UTProvider/Diagnostic
  2⤵
  PID:408
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Remotefs-UTProvider/Diagnostic
    3⤵
    PID:2988
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Resource-Exhaustion-Detector/Operational
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Resource-Exhaustion-Detector/Operational
    3⤵
    PID:2044
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Resource-Leak-Diagnostic/Operational
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2300
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Resource-Leak-Diagnostic/Operational
    3⤵
    PID:2496
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ResourcePublication/Tracing
  2⤵
  PID:2452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ResourcePublication/Tracing
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-RestartManager/Operational
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-RestartManager/Operational
    3⤵
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Search-Core/Diagnostic
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Search-Core/Diagnostic
    3⤵
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Search-ProtocolHandlers/Diagnostic
  2⤵
  PID:2276
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Search-ProtocolHandlers/Diagnostic
    3⤵
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Security-Audit-Configuration-Client/Operational
  2⤵
  PID:1028
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Security-Audit-Configuration-Client/Operational
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Security-IdentityListener/Operational
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Security-IdentityListener/Operational
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Security-SPP/Perf
  2⤵
  PID:1736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Security-SPP/Perf
    3⤵
    - Clears Windows event logs
    PID:2412
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Sens/Debug
  2⤵
  PID:1864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Sens/Debug
    3⤵
    - Clears Windows event logs
    PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ServiceReportingApi/Debug
  2⤵
  PID:900
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ServiceReportingApi/Debug
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Services-Svchost/Diagnostic
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Services-Svchost/Diagnostic
    3⤵
    PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Services/Diagnostic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Services/Diagnostic
    3⤵
    PID:1592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Setup/Analytic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Setup/Analytic
    3⤵
    PID:584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-SetupCl/Analytic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-SetupCl/Analytic
    3⤵
    PID:2780
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-SetupQueue/Analytic
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-SetupQueue/Analytic
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-SetupUGC/Analytic
  2⤵
  PID:3064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-SetupUGC/Analytic
    3⤵
    - Clears Windows event logs
    PID:1168
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic
  2⤵
  PID:2944
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-Common/Diagnostic
  2⤵
  PID:3008
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-Common/Diagnostic
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic
  2⤵
  PID:2568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic
    3⤵
    - Clears Windows event logs
    - System Location Discovery: System Language Discovery
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic
  2⤵
  PID:2600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic
    3⤵
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic
  2⤵
  PID:2704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic
    3⤵
    PID:2584
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic
  2⤵
  PID:2932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic
    3⤵
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-Core/Diagnostic
  2⤵
  PID:2724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-Core/Diagnostic
    3⤵
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-DefaultPrograms/Diagnostic
  2⤵
  PID:2544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-DefaultPrograms/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:1064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-Shwebsvc
  2⤵
  PID:1068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-Shwebsvc
    3⤵
    PID:1244
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shell-ZipFolder/Diagnostic
  2⤵
  PID:2152
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shell-ZipFolder/Diagnostic
    3⤵
    PID:2656
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Shsvcs/Diagnostic
  2⤵
  PID:1960
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Shsvcs/Diagnostic
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Sidebar/Diagnostic
  2⤵
  PID:2332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Sidebar/Diagnostic
    3⤵
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Speech-UserExperience/Diagnostic
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Speech-UserExperience/Diagnostic
    3⤵
    PID:484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Spell-Checking/Analytic
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Spell-Checking/Analytic
    3⤵
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-SpellChecker/Analytic
  2⤵
  PID:1432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-SpellChecker/Analytic
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-StickyNotes/Admin
  2⤵
  PID:2520
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-StickyNotes/Admin
    3⤵
    PID:2256
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-StickyNotes/Debug
  2⤵
  PID:1220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-StickyNotes/Debug
    3⤵
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-StickyNotes/Diagnostic
  2⤵
  PID:2032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-StickyNotes/Diagnostic
    3⤵
    PID:1940
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-StorDiag/Operational
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-StorDiag/Operational
    3⤵
    PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-StorPort/Operational
  2⤵
  PID:536
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-StorPort/Operational
    3⤵
    PID:2164
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Subsys-Csr/Operational
  2⤵
  PID:836
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Subsys-Csr/Operational
    3⤵
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Subsys-SMSS/Operational
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Subsys-SMSS/Operational
    3⤵
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Superfetch/Main
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Superfetch/Main
    3⤵
    PID:2716
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Superfetch/StoreLog
  2⤵
  PID:816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Superfetch/StoreLog
    3⤵
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Sysprep/Analytic
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Sysprep/Analytic
    3⤵
    PID:1660
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-SystemHealthAgent/Diagnostic
  2⤵
  PID:2988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-SystemHealthAgent/Diagnostic
    3⤵
    PID:1664
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TCPIP/Diagnostic
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TCPIP/Diagnostic
    3⤵
    PID:1860
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TSF-msctf/Debug
  2⤵
  PID:992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TSF-msctf/Debug
    3⤵
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TSF-msctf/Diagnostic
  2⤵
  PID:2176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TSF-msctf/Diagnostic
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TSF-msutb/Debug
  2⤵
  PID:1332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TSF-msutb/Debug
    3⤵
    - Clears Windows event logs
    PID:3052
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TSF-msutb/Diagnostic
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TSF-msutb/Diagnostic
    3⤵
    PID:956
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TZUtil/Operational
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TZUtil/Operational
    3⤵
    - Clears Windows event logs
    PID:768
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TaskScheduler/Debug
  2⤵
  PID:692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TaskScheduler/Debug
    3⤵
    PID:2508
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TaskScheduler/Diagnostic
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TaskScheduler/Diagnostic
    3⤵
    PID:1552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TaskScheduler/Operational
  2⤵
  PID:2956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TaskScheduler/Operational
    3⤵
    PID:608
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TaskbarCPL/Diagnostic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TaskbarCPL/Diagnostic
    3⤵
    PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
  2⤵
  PID:1036
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
    3⤵
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic
  2⤵
  PID:1560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic
    3⤵
    PID:1864
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug
  2⤵
  PID:1568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
    3⤵
    PID:1548
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
  2⤵
  PID:1592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    3⤵
    - Clears Windows event logs
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic
  2⤵
  PID:584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic
    3⤵
    PID:2740
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Debug
  2⤵
  PID:2780
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Debug
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  2⤵
  PID:2660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    3⤵
    PID:316
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-MediaRedirection/Analytic
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-MediaRedirection/Analytic
    3⤵
    PID:1692
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-PnPDevices/Admin
  2⤵
  PID:3060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-PnPDevices/Admin
    3⤵
    PID:2756
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-PnPDevices/Analytic
  2⤵
  PID:2748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-PnPDevices/Analytic
    3⤵
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-PnPDevices/Debug
  2⤵
  PID:2560
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-PnPDevices/Debug
    3⤵
    PID:1580
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-PnPDevices/Operational
  2⤵
  PID:2588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-PnPDevices/Operational
    3⤵
    PID:2532
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-RDPClient/Analytic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2528
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-RDPClient/Analytic
    3⤵
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-RDPClient/Debug
  2⤵
  PID:2584
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-RDPClient/Debug
    3⤵
    PID:2920
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-RDPClient/Operational
  2⤵
  PID:2096
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-RDPClient/Operational
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture
  2⤵
  PID:2948
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture
    3⤵
    PID:2908
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback
  2⤵
  PID:576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback
    3⤵
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
  2⤵
  PID:1640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    3⤵
    PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic
  2⤵
  PID:2220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug
  2⤵
  PID:2356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug
    3⤵
    PID:1704
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  2⤵
  PID:1484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    3⤵
    PID:2936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
    3⤵
    - Clears Windows event logs
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic
    3⤵
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug
    3⤵
    PID:1148
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
  2⤵
  PID:2256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
    3⤵
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ThemeCPL/Diagnostic
  2⤵
  PID:1720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ThemeCPL/Diagnostic
    3⤵
    PID:616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-ThemeUI/Diagnostic
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-ThemeUI/Diagnostic
    3⤵
    PID:1936
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-TunnelDriver
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-TunnelDriver
    3⤵
    PID:1732
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UAC-FileVirtualization/Operational
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UAC-FileVirtualization/Operational
    3⤵
    PID:572
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UAC/Operational
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UAC/Operational
    3⤵
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UIAnimation/Diagnostic
  2⤵
  PID:1988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UIAnimation/Diagnostic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UIAutomationCore/Debug
  2⤵
  PID:2716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UIAutomationCore/Debug
    3⤵
    - Clears Windows event logs
    PID:2064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UIAutomationCore/Diagnostic
  2⤵
  PID:3016
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UIAutomationCore/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UIAutomationCore/Perf
  2⤵
  PID:1660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UIAutomationCore/Perf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UIRibbon/Diagnostic
  2⤵
  PID:1664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UIRibbon/Diagnostic
    3⤵
    PID:1256
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-USB-USBHUB/Diagnostic
  2⤵
  PID:1860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-USB-USBHUB/Diagnostic
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-USB-USBPORT/Diagnostic
  2⤵
  PID:1320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-USB-USBPORT/Diagnostic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:652
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-User Control Panel Performance/Diagnostic
  2⤵
  PID:2616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-User Control Panel Performance/Diagnostic
    3⤵
    PID:2268
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-User Profile Service/Diagnostic
  2⤵
  PID:868
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-User Profile Service/Diagnostic
    3⤵
    PID:1588
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-User Profile Service/Operational
  2⤵
  PID:3048
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-User Profile Service/Operational
    3⤵
    PID:2336
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-User-Loader/Analytic
  2⤵
  PID:2124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-User-Loader/Analytic
    3⤵
    - Clears Windows event logs
    PID:3040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UserModePowerService/Diagnostic
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UserModePowerService/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:2028
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UserPnp/DeviceMetadata/Debug
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UserPnp/DeviceMetadata/Debug
    3⤵
    PID:2484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UserPnp/DeviceNotifications
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UserPnp/DeviceNotifications
    3⤵
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UserPnp/Performance
  2⤵
  PID:2444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UserPnp/Performance
    3⤵
    PID:2976
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UserPnp/SchedulerOperations
  2⤵
  PID:1524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UserPnp/SchedulerOperations
    3⤵
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-UxTheme/Diagnostic
  2⤵
  PID:1440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-UxTheme/Diagnostic
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-VAN/Diagnostic
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-VAN/Diagnostic
    3⤵
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-VDRVROOT/Operational
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-VDRVROOT/Operational
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-VHDMP/Operational
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-VHDMP/Operational
    3⤵
    PID:2228
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-VWiFi/Diagnostic
  2⤵
  PID:2740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-VWiFi/Diagnostic
    3⤵
    PID:2132
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-VolumeControl/Performance
  2⤵
  PID:2540
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-VolumeControl/Performance
    3⤵
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-VolumeSnapshot-Driver/Operational
  2⤵
  PID:316
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-VolumeSnapshot-Driver/Operational
    3⤵
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WABSyncProvider/Analytic
  2⤵
  PID:1692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WABSyncProvider/Analytic
    3⤵
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WCN-Config-Registrar/Diagnostic
  2⤵
  PID:2756
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WCN-Config-Registrar/Diagnostic
    3⤵
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WER-Diag/Operational
  2⤵
  PID:2772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WER-Diag/Operational
    3⤵
    PID:2804
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WFP/Analytic
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WFP/Analytic
    3⤵
    - Clears Windows event logs
    PID:2464
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WFP/Operational
  2⤵
  PID:2532
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WFP/Operational
    3⤵
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WLAN-AutoConfig/Operational
  2⤵
  PID:2612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WLAN-AutoConfig/Operational
    3⤵
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WLAN-Autoconfig/Diagnostic
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WLAN-Autoconfig/Diagnostic
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WLANConnectionFlow/Diagnostic
  2⤵
  PID:1280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WLANConnectionFlow/Diagnostic
    3⤵
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WMI-Activity/Trace
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WMI-Activity/Trace
    3⤵
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WMPDMCCore/Diagnostic
  2⤵
  PID:328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WMPDMCCore/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:576
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WMPDMCUI/Diagnostic
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WMPDMCUI/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic
    3⤵
    PID:2220
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WMPNSS-Service/Diagnostic
  2⤵
  PID:356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WMPNSS-Service/Diagnostic
    3⤵
    - Clears Windows event logs
    PID:2352
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WMPNSSUI/Diagnostic
  2⤵
  PID:2000
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WMPNSSUI/Diagnostic
    3⤵
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WPD-ClassInstaller/Analytic
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WPD-ClassInstaller/Analytic
    3⤵
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WPD-ClassInstaller/Operational
  2⤵
  PID:2668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WPD-ClassInstaller/Operational
    3⤵
    PID:2476
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WPD-CompositeClassDriver/Analytic
  2⤵
  PID:1204
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WPD-CompositeClassDriver/Analytic
    3⤵
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WPD-CompositeClassDriver/Operational
  2⤵
  PID:320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WPD-CompositeClassDriver/Operational
    3⤵
    PID:2520
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WPD-MTPClassDriver/Operational
  2⤵
  PID:1760
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WPD-MTPClassDriver/Operational
    3⤵
    - Clears Windows event logs
    PID:2184
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WSC-SRV/Diagnostic
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WSC-SRV/Diagnostic
    3⤵
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WUSA/Debug
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WUSA/Debug
    3⤵
    - Clears Windows event logs
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WWAN-MM-Events/Diagnostic
  2⤵
  PID:572
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WWAN-MM-Events/Diagnostic
    3⤵
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WWAN-SVC-Events/Diagnostic
  2⤵
  PID:2992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WWAN-SVC-Events/Diagnostic
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WWAN-UI-Events/Diagnostic
  2⤵
  PID:2064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WWAN-UI-Events/Diagnostic
    3⤵
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WebIO-NDF/Diagnostic
  2⤵
  PID:812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WebIO-NDF/Diagnostic
    3⤵
    PID:1108
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WebIO/Diagnostic
  2⤵
  PID:444
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WebIO/Diagnostic
    3⤵
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WebServices/Tracing
  2⤵
  PID:1256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WebServices/Tracing
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Win32k/Concurrency
  2⤵
  PID:1156
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Win32k/Concurrency
    3⤵
    PID:1344
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Win32k/Power
  2⤵
  PID:652
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Win32k/Power
    3⤵
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Win32k/Render
  2⤵
  PID:2496
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Win32k/Render
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1772
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Win32k/Tracing
  2⤵
  PID:1740
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Win32k/Tracing
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-Win32k/UIPI
  2⤵
  PID:956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-Win32k/UIPI
    3⤵
    PID:2128
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WinHTTP-NDF/Diagnostic
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2124
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WinHTTP-NDF/Diagnostic
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WinHttp/Diagnostic
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WinHttp/Diagnostic
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c wevtutil.exe cl Microsoft-Windows-WinINet/Analytic
  2⤵
  PID:1992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl Microsoft-Windows-WinINet/Analytic
    3⤵
    - Clears Windows event logs
    PID:276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Agilis\ImageCleanupTool.log

Filesize
1KB

MD5
89872597e2f077c65123269e427e41cd

SHA1
f65e45fefca44a271a94195cba0f88b1fb3d5bb7

SHA256
3671d8c56c4b14d320b190d5cd3005b8a1ad2acfe359d8ec62932ebdeb5cb011

SHA512
0a3fc0c2b5ff95491f9a3b28f1a419d0bf5962dcff913b237720527a63463ee5cc8ba6694483766e219cb288586fd42b423d3b4952738bd31a1948fb8df7c407

Download Submit
C:\Agilis\ImageCleanupTool.log

Filesize
1KB

MD5
7d7b36725e7fd726a5adcf6bf839e7a3

SHA1
d5b6380888c3515dd2965d38d18456c62e9b05ab

SHA256
07c25d87b1556094f2748b18dc440a2e88faf524d74050e7c3b347b02685bac9

SHA512
dd230e84e62427e4e12becc2232bbf3ce02222b3f2662531c90bffac291729884daaee2c3f1eb1fb3fc5642ce776039ae3f16938eacb2b8e773633ab8fdfc010

Download Submit
C:\Agilis\ImageCleanupTool.log

Filesize
4KB

MD5
6aa8ba8c017d7849a3c0632a126f71f5

SHA1
4a4873506790e45d385fb26269cb5e1ea929c2df

SHA256
7d077091334c0e06a41c4de6c36a80b59c3b7b456e36db6c465c6869fcdcc692

SHA512
9de287f3dbb1583633785bcb506e6ab660d31503569128d8a6018f5c83229f9ec2dd73b733c6f29eb42455c1e3e3a26ae5a66ad40d76f8a5b658349f6819f37c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9AE1D0DF-DCC9-441C-BC49-1CCAE093B19A}.FSD

Filesize
128KB

MD5
6b5d2dd4b4f235853cabda4e64a72a93

SHA1
b49045b180477bbe7db745909c4acbfb755e518b

SHA256
05544324ba875c3c4df7642a74c15ad65dc6f0f37da4409894ae17f4deebe063

SHA512
fb1afec451f3682c9232d639597e895055d17cd334e3a79f261d7ccc6a097520da630481cd662b5e8905c6bc855656d6fb84c8bf004d455e9ed654a7d85ffff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{786C9760-FE98-46FB-93AF-674F64A077CE}

Filesize
128KB

MD5
c77ecb6075a4fe1ae1f56154280b0e14

SHA1
35615273093659493efc3ea30c67d4d51664e20c

SHA256
854817f775d4476a382493c96781a054a0d9fbabcfee53c1cd8ac73a5f5bb855

SHA512
621975058cdc21fdb197afd1bf75ead4bc7eb918564ec6f519317da5d8e491a2dea9402156798929af306030232d2305bae2e6bbff30cd2f857595d24a991202

Download Submit
memory/2068-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download
memory/2068-1-0x00000000008F0000-0x0000000000904000-memory.dmp

Filesize
80KB

Download
memory/2068-119-0x0000000073EFE000-0x0000000073EFF000-memory.dmp

Filesize
4KB

Download