e04ca52275d940234c4cf1744c64712513319668dbf7a0d77111a03cf9fdba40

Analysis

max time kernel
104s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arata_Verdacrypt.ps1
Size

34KB
MD5

470f24b0d1fcbfaae2ba8286ab64f0f2
SHA1

cefe5f8886ed2468f7834c5ed0abafbee7083245
SHA256

e04ca52275d940234c4cf1744c64712513319668dbf7a0d77111a03cf9fdba40
SHA512

e108433b636de0454ff3cdb4822be12b84950e5cf32f63ded0b2d2d532f570357156e15aacd7a8b95aabcd7f4280609e1fcde32146883ab866e1d65600768715
SSDEEP

384:thz/snUBSzj5mMEEpi0D04eEMls/11AUfoUHaWPw3+4CFYV5jIyJu7Y:NM5mME00xEbrl6Yq+40+IF7Y

Score

9^/10

defense_evasion discovery execution persistence privilege_escalation ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
436	Process not Found
4268	Process not Found
3876	wevtutil.exe
1988	wevtutil.exe
940	wevtutil.exe
2224	wevtutil.exe
4232	wevtutil.exe
2132	wevtutil.exe
4732	wevtutil.exe
2036	wevtutil.exe
1384	wevtutil.exe
3976	wevtutil.exe
4848	wevtutil.exe
4040	wevtutil.exe
1788	wevtutil.exe
2428	wevtutil.exe
3140	wevtutil.exe
3860	wevtutil.exe
4800	wevtutil.exe
2876	wevtutil.exe
376	wevtutil.exe
4064	wevtutil.exe
1788	wevtutil.exe
4912	wevtutil.exe
3636	wevtutil.exe
3432	wevtutil.exe
5080	wevtutil.exe
1684	wevtutil.exe
4728	wevtutil.exe
2212	wevtutil.exe
1684	wevtutil.exe
940	wevtutil.exe
4572	wevtutil.exe
1532	wevtutil.exe
2160	wevtutil.exe
1328	Process not Found
5088	Process not Found
4356	wevtutil.exe
724	wevtutil.exe
3376	wevtutil.exe
4836	wevtutil.exe
2428	wevtutil.exe
1532	wevtutil.exe
4636	wevtutil.exe
4320	wevtutil.exe
792	wevtutil.exe
2544	wevtutil.exe
1876	wevtutil.exe
3564	wevtutil.exe
4016	wevtutil.exe
1060	wevtutil.exe
776	wevtutil.exe
2628	wevtutil.exe
324	wevtutil.exe
372	wevtutil.exe
4532	wevtutil.exe
3020	wevtutil.exe
2036	wevtutil.exe
1368	Process not Found
4268	wevtutil.exe
1888	wevtutil.exe
4452	wevtutil.exe
1788	wevtutil.exe
1316	wevtutil.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2392	wevtutil.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4628	powershell.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
4736	wevtutil.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocServer32	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\CLSID	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000_Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocServer32\	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4628	powershell.exe
4628	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeSecurityPrivilege	3068	wevtutil.exe
Token: SeBackupPrivilege	3068	wevtutil.exe
Token: SeSecurityPrivilege	1176	wevtutil.exe
Token: SeBackupPrivilege	1176	wevtutil.exe
Token: SeSecurityPrivilege	2212	wevtutil.exe
Token: SeBackupPrivilege	2212	wevtutil.exe
Token: SeSecurityPrivilege	1672	wevtutil.exe
Token: SeBackupPrivilege	1672	wevtutil.exe
Token: SeSecurityPrivilege	540	wevtutil.exe
Token: SeBackupPrivilege	540	wevtutil.exe
Token: SeSecurityPrivilege	3532	wevtutil.exe
Token: SeBackupPrivilege	3532	wevtutil.exe
Token: SeSecurityPrivilege	4392	wevtutil.exe
Token: SeBackupPrivilege	4392	wevtutil.exe
Token: SeSecurityPrivilege	2228	wevtutil.exe
Token: SeBackupPrivilege	2228	wevtutil.exe
Token: SeSecurityPrivilege	764	wevtutil.exe
Token: SeBackupPrivilege	764	wevtutil.exe
Token: SeSecurityPrivilege	3236	wevtutil.exe
Token: SeBackupPrivilege	3236	wevtutil.exe
Token: SeSecurityPrivilege	1800	wevtutil.exe
Token: SeBackupPrivilege	1800	wevtutil.exe
Token: SeSecurityPrivilege	4980	wevtutil.exe
Token: SeBackupPrivilege	4980	wevtutil.exe
Token: SeSecurityPrivilege	1600	wevtutil.exe
Token: SeBackupPrivilege	1600	wevtutil.exe
Token: SeSecurityPrivilege	1528	wevtutil.exe
Token: SeBackupPrivilege	1528	wevtutil.exe
Token: SeSecurityPrivilege	1976	wevtutil.exe
Token: SeBackupPrivilege	1976	wevtutil.exe
Token: SeSecurityPrivilege	404	wevtutil.exe
Token: SeBackupPrivilege	404	wevtutil.exe
Token: SeSecurityPrivilege	1164	wevtutil.exe
Token: SeBackupPrivilege	1164	wevtutil.exe
Token: SeSecurityPrivilege	4304	wevtutil.exe
Token: SeBackupPrivilege	4304	wevtutil.exe
Token: SeSecurityPrivilege	3416	wevtutil.exe
Token: SeBackupPrivilege	3416	wevtutil.exe
Token: SeSecurityPrivilege	208	wevtutil.exe
Token: SeBackupPrivilege	208	wevtutil.exe
Token: SeSecurityPrivilege	3360	wevtutil.exe
Token: SeBackupPrivilege	3360	wevtutil.exe
Token: SeSecurityPrivilege	952	wevtutil.exe
Token: SeBackupPrivilege	952	wevtutil.exe
Token: SeSecurityPrivilege	2748	wevtutil.exe
Token: SeBackupPrivilege	2748	wevtutil.exe
Token: SeSecurityPrivilege	2204	wevtutil.exe
Token: SeBackupPrivilege	2204	wevtutil.exe
Token: SeSecurityPrivilege	1416	wevtutil.exe
Token: SeBackupPrivilege	1416	wevtutil.exe
Token: SeSecurityPrivilege	1532	wevtutil.exe
Token: SeBackupPrivilege	1532	wevtutil.exe
Token: SeSecurityPrivilege	3616	wevtutil.exe
Token: SeBackupPrivilege	3616	wevtutil.exe
Token: SeSecurityPrivilege	1988	wevtutil.exe
Token: SeBackupPrivilege	1988	wevtutil.exe
Token: SeSecurityPrivilege	4356	wevtutil.exe
Token: SeBackupPrivilege	4356	wevtutil.exe
Token: SeSecurityPrivilege	1812	wevtutil.exe
Token: SeBackupPrivilege	1812	wevtutil.exe
Token: SeSecurityPrivilege	3852	wevtutil.exe
Token: SeBackupPrivilege	3852	wevtutil.exe
Token: SeSecurityPrivilege	2448	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4628 wrote to memory of 2972	4628	powershell.exe	89
PID 4628 wrote to memory of 2972	4628	powershell.exe	89
PID 2972 wrote to memory of 4232	2972	csc.exe	90
PID 2972 wrote to memory of 4232	2972	csc.exe	90
PID 4628 wrote to memory of 712	4628	powershell.exe	94
PID 4628 wrote to memory of 712	4628	powershell.exe	94
PID 4628 wrote to memory of 3068	4628	powershell.exe	96
PID 4628 wrote to memory of 3068	4628	powershell.exe	96
PID 4628 wrote to memory of 1176	4628	powershell.exe	97
PID 4628 wrote to memory of 1176	4628	powershell.exe	97
PID 4628 wrote to memory of 2212	4628	powershell.exe	98
PID 4628 wrote to memory of 2212	4628	powershell.exe	98
PID 4628 wrote to memory of 1672	4628	powershell.exe	99
PID 4628 wrote to memory of 1672	4628	powershell.exe	99
PID 4628 wrote to memory of 540	4628	powershell.exe	173
PID 4628 wrote to memory of 540	4628	powershell.exe	173
PID 4628 wrote to memory of 3532	4628	powershell.exe	101
PID 4628 wrote to memory of 3532	4628	powershell.exe	101
PID 4628 wrote to memory of 4392	4628	powershell.exe	102
PID 4628 wrote to memory of 4392	4628	powershell.exe	102
PID 4628 wrote to memory of 2228	4628	powershell.exe	103
PID 4628 wrote to memory of 2228	4628	powershell.exe	103
PID 4628 wrote to memory of 764	4628	powershell.exe	104
PID 4628 wrote to memory of 764	4628	powershell.exe	104
PID 4628 wrote to memory of 3236	4628	powershell.exe	176
PID 4628 wrote to memory of 3236	4628	powershell.exe	176
PID 4628 wrote to memory of 1800	4628	powershell.exe	106
PID 4628 wrote to memory of 1800	4628	powershell.exe	106
PID 4628 wrote to memory of 4980	4628	powershell.exe	107
PID 4628 wrote to memory of 4980	4628	powershell.exe	107
PID 4628 wrote to memory of 1600	4628	powershell.exe	108
PID 4628 wrote to memory of 1600	4628	powershell.exe	108
PID 4628 wrote to memory of 1528	4628	powershell.exe	179
PID 4628 wrote to memory of 1528	4628	powershell.exe	179
PID 4628 wrote to memory of 1976	4628	powershell.exe	110
PID 4628 wrote to memory of 1976	4628	powershell.exe	110
PID 4628 wrote to memory of 404	4628	powershell.exe	111
PID 4628 wrote to memory of 404	4628	powershell.exe	111
PID 4628 wrote to memory of 1164	4628	powershell.exe	112
PID 4628 wrote to memory of 1164	4628	powershell.exe	112
PID 4628 wrote to memory of 4304	4628	powershell.exe	113
PID 4628 wrote to memory of 4304	4628	powershell.exe	113
PID 4628 wrote to memory of 3416	4628	powershell.exe	114
PID 4628 wrote to memory of 3416	4628	powershell.exe	114
PID 4628 wrote to memory of 208	4628	powershell.exe	115
PID 4628 wrote to memory of 208	4628	powershell.exe	115
PID 4628 wrote to memory of 3360	4628	powershell.exe	117
PID 4628 wrote to memory of 3360	4628	powershell.exe	117
PID 4628 wrote to memory of 952	4628	powershell.exe	118
PID 4628 wrote to memory of 952	4628	powershell.exe	118
PID 4628 wrote to memory of 2748	4628	powershell.exe	119
PID 4628 wrote to memory of 2748	4628	powershell.exe	119
PID 4628 wrote to memory of 2204	4628	powershell.exe	120
PID 4628 wrote to memory of 2204	4628	powershell.exe	120
PID 4628 wrote to memory of 1416	4628	powershell.exe	188
PID 4628 wrote to memory of 1416	4628	powershell.exe	188
PID 4628 wrote to memory of 1532	4628	powershell.exe	189
PID 4628 wrote to memory of 1532	4628	powershell.exe	189
PID 4628 wrote to memory of 3616	4628	powershell.exe	190
PID 4628 wrote to memory of 3616	4628	powershell.exe	190
PID 4628 wrote to memory of 1988	4628	powershell.exe	124
PID 4628 wrote to memory of 1988	4628	powershell.exe	124
PID 4628 wrote to memory of 4356	4628	powershell.exe	125
PID 4628 wrote to memory of 4356	4628	powershell.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Arata_Verdacrypt.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kgdknzcw\kgdknzcw.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB611.tmp" "c:\Users\Admin\AppData\Local\Temp\kgdknzcw\CSCF9BFAF3251E2454EB19799E4E67D1C97.TMP"
    3⤵
    PID:4232
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\SomeTask
  2⤵
  PID:712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" el
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:764
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "General Logging"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4304
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3360
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
  2⤵
  - Clears Windows event logs
  PID:2132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
  2⤵
  PID:4736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
  2⤵
  PID:3760
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
  2⤵
  PID:4040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
  2⤵
  PID:4944
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
  2⤵
  PID:3436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
  2⤵
  PID:4372
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
  2⤵
  PID:2412
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
  2⤵
  PID:4388
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
  2⤵
  PID:2988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
  2⤵
  PID:3920
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
  2⤵
  - Clears Windows event logs
  PID:3976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
  2⤵
  PID:3372
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
  2⤵
  PID:4216
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
  2⤵
  PID:3432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
  2⤵
  - Clears Windows event logs
  PID:724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
  2⤵
  PID:3764
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
  2⤵
  PID:1380
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
  2⤵
  PID:4020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
  2⤵
  - Clears Windows event logs
  PID:3376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
  2⤵
  PID:3860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
  2⤵
  PID:4224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
  2⤵
  PID:3624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
  2⤵
  PID:456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Debug
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
  2⤵
  PID:1568
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/ApplicationTracing
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Diagnostic
  2⤵
  PID:688
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Internal
  2⤵
  PID:3236
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
  2⤵
  PID:1528
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
  2⤵
  PID:3160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
  2⤵
  PID:116
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Analytic
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Debug
  2⤵
  PID:4132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Diagnostics
  2⤵
  PID:1136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Debug
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Diagnostic
  2⤵
  PID:3048
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Debug
  2⤵
  PID:1532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
  2⤵
  PID:1408
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppSruProv
  2⤵
  PID:1812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Diagnostic
  2⤵
  PID:3020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
  2⤵
  PID:644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Debug
  2⤵
  PID:1644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Diagnostic
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Operational
  2⤵
  PID:1848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Restricted
  2⤵
  PID:3356
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Analytic
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Operational
  2⤵
  PID:3232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
  2⤵
  PID:3876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
  2⤵
  PID:1756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic
  2⤵
  PID:2964
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace
  2⤵
  PID:872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
  2⤵
  PID:4472
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Steps-Recorder
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Debug
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Operational
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Performance
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Admin
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Operational
  2⤵
  PID:5024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Admin
  2⤵
  PID:1132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Operational
  2⤵
  PID:5080
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AsynchronousCausality/Causality
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
  2⤵
  PID:4232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/GlitchDetection
  2⤵
  PID:4596
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Informational
  2⤵
  PID:4956
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
  2⤵
  PID:4224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/PlaybackManager
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
  2⤵
  PID:2724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
  2⤵
  PID:3856
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUser-Client
  2⤵
  PID:1236
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
  2⤵
  - Clears Windows event logs
  PID:3564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
  2⤵
  PID:4392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AxInstallService/Log
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/HCI
  2⤵
  PID:4348
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/L2CAP
  2⤵
  PID:2472
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Diagnostic
  2⤵
  PID:2876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Performance
  2⤵
  PID:2540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Operational
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
  2⤵
  PID:1876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
  2⤵
  PID:4680
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Battery/Diagnostic
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Analytic
  2⤵
  PID:1532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
  2⤵
  PID:3448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-Driver-Performance/Operational
  2⤵
  PID:4932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Management"
  2⤵
  PID:2732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Operational"
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker/Tracing
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
  2⤵
  PID:1848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
  2⤵
  PID:1396
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Bthmini/Operational
  2⤵
  - Clears Windows event logs
  PID:3876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
  2⤵
  PID:2300
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Policy/Operational
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCache/Operational
  2⤵
  PID:464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
  2⤵
  PID:1308
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
  2⤵
  PID:1544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheMonitoring/Analytic
  2⤵
  PID:2856
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Analytic
  2⤵
  PID:3456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Operational
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CAPI2/Operational
  2⤵
  PID:3556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CDROM/Operational
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Analytic
  2⤵
  PID:4640
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentInitialize
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentUninitialize
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Call
  2⤵
  PID:5024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/CreateInstance
  2⤵
  PID:1132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ExtensionCatalog
  2⤵
  PID:5080
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/FreeUnusedLibrary
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/RundownInstrumentation
  2⤵
  - Clears Windows event logs
  PID:4232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Activations
  2⤵
  PID:3040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/MessageProcessing
  2⤵
  PID:4800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Tracing
  2⤵
  PID:2880
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertPoleEng/Operational
  2⤵
  PID:4224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
  2⤵
  PID:2724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
  2⤵
  PID:3856
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Cleanmgr/Diagnostic
  2⤵
  PID:2064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ClearTypeTextTuner/Diagnostic
  2⤵
  PID:1732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CloudStore/Debug
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CloudStore/Operational
  2⤵
  PID:4732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CmiSetup/Analytic
  2⤵
  - Clears Windows event logs
  PID:376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Operational
  2⤵
  PID:2472
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Verbose
  2⤵
  PID:2540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Analytic
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Debug
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Compat-Appraiser/Analytic
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Compat-Appraiser/Operational
  2⤵
  PID:1876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-BindFlt/Debug
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-BindFlt/Operational
  2⤵
  PID:4680
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcifs/Debug
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcifs/Operational
  2⤵
  - Clears Windows event logs
  PID:1532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcnfs/Debug
  2⤵
  PID:3448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcnfs/Operational
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:2628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Operational
  2⤵
  PID:4932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Tracing
  2⤵
  PID:2732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug
  2⤵
  PID:5100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreWindow/Analytic
  2⤵
  PID:3772
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreWindow/Debug
  2⤵
  PID:1644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Client/Operational
  2⤵
  PID:2384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Server/Operational
  2⤵
  PID:3760
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crashdump/Operational
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CredUI/Diagnostic
  2⤵
  PID:2348
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-BCRYPT/Analytic
  2⤵
  PID:3232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-CNG/Analytic
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
  2⤵
  PID:2604
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/Debug
  2⤵
  PID:3452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/Operational
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DSSEnh/Analytic
  2⤵
  PID:1756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-NCrypt/Operational
  2⤵
  PID:2964
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-RNG/Analytic
  2⤵
  PID:872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-RSAEnh/Analytic
  2⤵
  PID:1316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/Analytic
  2⤵
  PID:2856
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/PerfTiming
  2⤵
  PID:3456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAL-Provider/Analytic
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAL-Provider/Operational
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAMM/Diagnostic
  2⤵
  PID:3556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DCLocator/Debug
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DDisplay/Analytic
  2⤵
  PID:4004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DDisplay/Logging
  2⤵
  PID:3764
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DLNA-Namespace/Analytic
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DNS-Client/Operational
  2⤵
  PID:1380
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Admin
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Analytic
  2⤵
  PID:3064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Debug
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Operational
  2⤵
  - Clears Windows event logs
  PID:4452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUI/Diagnostic
  2⤵
  PID:3860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUSER/Diagnostic
  2⤵
  PID:3944
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Analytic
  2⤵
  PID:2500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Logging
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXP/Analytic
  2⤵
  PID:3624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Data-Pdf/Debug
  2⤵
  PID:2724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DataIntegrityScan/Admin
  2⤵
  PID:3856
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DataIntegrityScan/CrashRecovery
  2⤵
  PID:2064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Analytic
  2⤵
  PID:1732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Debug
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Operational
  2⤵
  PID:4732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Diagnostic
  2⤵
  PID:1792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Operational
  2⤵
  PID:2472
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Performance
  2⤵
  PID:1068
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Scrubbing
  2⤵
  PID:2004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Defrag-Core/Debug
  2⤵
  PID:900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deplorch/Analytic
  2⤵
  - Clears Windows event logs
  PID:324
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DesktopActivityModerator/Diagnostic
  2⤵
  PID:1060
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceAssociationService/Performance
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceConfidence/Analytic
  2⤵
  PID:448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceGuard/Operational
  2⤵
  PID:4716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceGuard/Verbose
  2⤵
  PID:1788
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
  2⤵
  PID:3852
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug
  2⤵
  PID:2448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
  2⤵
  PID:4712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Admin
  2⤵
  PID:2392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Analytic
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Debug
  2⤵
  PID:3828
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Operational
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Analytic
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Operational
  2⤵
  PID:3268
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUpdateAgent/Operational
  2⤵
  PID:1384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Informational
  2⤵
  PID:1176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Performance
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Devices-Background/Operational
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Admin
  2⤵
  PID:1620
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Operational
  2⤵
  PID:1832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Admin
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Operational
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiagCpl/Debug
  2⤵
  PID:3772
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic
  2⤵
  PID:1644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Analytic
  2⤵
  PID:2384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Debug
  2⤵
  PID:3436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Operational
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-MSDE/Debug
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Analytic
  2⤵
  PID:1756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Debug
  2⤵
  PID:5084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Operational
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Debug
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Operational
  2⤵
  PID:2224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Perfhost/Analytic
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scheduled/Operational
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Admin
  2⤵
  - Clears Windows event logs
  PID:4016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Analytic
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Debug
  2⤵
  PID:3636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Operational
  2⤵
  PID:4020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug
  2⤵
  PID:3376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
  2⤵
  PID:2168
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDC/Analytic
  2⤵
  PID:4596
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDI/Debug
  2⤵
  PID:2272
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Debug
  2⤵
  - Clears Windows event logs
  PID:372
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Operational
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic
  2⤵
  PID:2872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic
  2⤵
  PID:940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic
  2⤵
  PID:1192
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Operational
  2⤵
  PID:1568
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10/Analytic
  2⤵
  PID:3564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10_1/Analytic
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Analytic
  2⤵
  PID:1600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Logging
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/PerfTiming
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D12/Analytic
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D12/Logging
  2⤵
  PID:3428
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D12/PerfTiming
  2⤵
  PID:2540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D9/Analytic
  2⤵
  - Clears Windows event logs
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3DShaderCache/Default
  2⤵
  PID:1136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectComposition/Diagnostic
  2⤵
  PID:4636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectManipulation/Diagnostic
  2⤵
  PID:3140
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectShow-KernelSupport/Performance
  2⤵
  PID:3672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectSound/Debug
  2⤵
  PID:2372
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Disk/Operational
  2⤵
  PID:4032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnostic/Operational
  2⤵
  PID:1812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticDataCollector/Operational
  2⤵
  - Clears Windows event logs
  PID:4064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticResolver/Operational
  2⤵
  PID:2260
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Api/Analytic
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Api/ExternalAnalytic
  2⤵
  PID:2392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Api/InternalAnalytic
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Cli/Analytic
  2⤵
  PID:3828
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Debug
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Operational
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplaySwitch/Diagnostic
  2⤵
  PID:1252
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Documents/Performance
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dot3MM/Diagnostic
  2⤵
  PID:1176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DriverFrameworks-UserMode/Operational
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DucUpdateAgent/Operational
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-API/Diagnostic
  2⤵
  PID:1620
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Core/Diagnostic
  2⤵
  PID:1832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Dwm/Diagnostic
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Redir/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:1988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Udwm/Diagnostic
  2⤵
  PID:4736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl-Admin
  2⤵
  PID:4724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl-Operational
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Contention
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Diagnostic
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Performance
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Power
  2⤵
  PID:1756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxpTaskSyncProvider/Analytic
  2⤵
  PID:5084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Application-Learning/Admin
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Audit-Regular/Admin
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Audit-TCB/Admin
  2⤵
  PID:2224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EFS/Debug
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ESE/IODiagnose
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ESE/Operational
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Analytic
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Debug
  2⤵
  PID:3636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Operational
  2⤵
  PID:4020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-RasChap/Operational
  2⤵
  PID:3376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-RasTls/Operational
  2⤵
  PID:2168
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-Sim/Operational
  2⤵
  PID:4596
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-Ttls/Operational
  2⤵
  PID:2272
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EaseOfAccess/Diagnostic
  2⤵
  PID:372
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Energy-Estimation-Engine/EventLog
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Energy-Estimation-Engine/Trace
  2⤵
  PID:2872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic
  2⤵
  PID:940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Debug
  2⤵
  PID:1192
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Operational
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog-WMIProvider/Debug
  2⤵
  PID:1568
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Analytic
  2⤵
  PID:3564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Debug
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Analytic
  2⤵
  PID:1600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Debug
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Operational
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FailoverClustering-Client/Diagnostic
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Fault-Tolerant-Heap/Operational
  2⤵
  PID:3428
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FeatureConfiguration/Analytic
  2⤵
  PID:2540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FeatureConfiguration/Operational
  2⤵
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Catalog/Analytic
  2⤵
  PID:1136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Catalog/Debug
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-ConfigManager/Analytic
  2⤵
  PID:448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-ConfigManager/Debug
  2⤵
  PID:4716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/Analytic
  2⤵
  - Clears Windows event logs
  PID:1788
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/Debug
  2⤵
  PID:3852
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/WHC
  2⤵
  PID:2448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/Analytic
  2⤵
  PID:4712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/BackupLog
  2⤵
  PID:2544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/Debug
  2⤵
  PID:4164
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-EventListener/Analytic
  2⤵
  PID:4656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-EventListener/Debug
  2⤵
  PID:2420
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Service/Analytic
  2⤵
  PID:3208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Service/Debug
  2⤵
  PID:2416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-UI-Events/Analytic
  2⤵
  - Clears Windows event logs
  PID:1384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-UI-Events/Debug
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileInfoMinifilter/Operational
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Firewall-CPL/Diagnostic
  2⤵
  PID:644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Folder Redirection/Operational"
  2⤵
  PID:2784
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Debug
  2⤵
  PID:4320
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Operational
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GPIO-ClassExtension/Analytic
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GenericRoaming/Admin
  2⤵
  PID:3824
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GroupPolicy/Operational
  2⤵
  PID:1644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HAL/Debug
  2⤵
  PID:3772
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Debug
  2⤵
  PID:4724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Performance
  2⤵
  PID:2444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenterCPL/Performance
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HelloForBusiness/Operational
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Help/Operational
  2⤵
  PID:1308
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
  2⤵
  PID:4472
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
  2⤵
  PID:1948
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HomeGroup-ListenerService
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HotspotAuth/Analytic
  2⤵
  PID:1464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HotspotAuth/Operational
  2⤵
  PID:2668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Log
  2⤵
  - Clears Windows event logs
  PID:5080
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Trace
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
  2⤵
  PID:3064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
  2⤵
  - Clears Windows event logs
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
  2⤵
  - Clears Windows event logs
  PID:4800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
  2⤵
  PID:4956
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
  2⤵
  PID:4116
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Admin
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Analytic
  2⤵
  - Clears Windows event logs
  PID:4836
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Operational
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-NETVSC/Diagnostic
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-VID-Admin
  2⤵
  PID:3856
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-VID-Analytic
  2⤵
  PID:2064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IE-SmartScreen
  2⤵
  PID:4392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKE/Operational
  2⤵
  PID:1732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKEDBG/Debug
  2⤵
  - Clears Windows event logs
  PID:2876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-Broker/Analytic
  2⤵
  PID:1792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-CandidateUI/Analytic
  2⤵
  PID:2160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-CustomerFeedbackManager/Debug
  2⤵
  PID:1068
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic
  2⤵
  PID:2004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPAPI/Analytic
  2⤵
  PID:900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPLMP/Analytic
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPPRED/Analytic
  2⤵
  - Clears Windows event logs
  PID:1060
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPSetting/Analytic
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPTIP/Analytic
  2⤵
  PID:1876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-KRAPI/Analytic
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-KRTIP/Analytic
  2⤵
  PID:4680
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-OEDCompiler/Analytic
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-TCCORE/Analytic
  2⤵
  PID:1408
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-TCTIP/Analytic
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-TIP/Analytic
  2⤵
  PID:3020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPNAT/Diagnostic
  2⤵
  PID:776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPSEC-SRV/Diagnostic
  2⤵
  PID:4664
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPxlatCfg/Debug
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPxlatCfg/Operational
  2⤵
  PID:4752
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IdCtrls/Analytic
  2⤵
  PID:1404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IdCtrls/Operational
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic
  2⤵
  PID:1384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Input-HIDCLASS-Analytic
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-InputSwitch/Diagnostic
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
  2⤵
  PID:644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Debug
  2⤵
  PID:1620
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Operational
  2⤵
  PID:2784
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Trace
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KdsSvc/Operational
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kerberos/Operational
  2⤵
  PID:3824
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Acpi/Diagnostic
  2⤵
  PID:1644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-AppCompat/General
  2⤵
  PID:3772
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-AppCompat/Performance
  2⤵
  PID:4724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Analytic
  2⤵
  PID:2444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Debug
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Operational
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Boot/Analytic
  2⤵
  PID:2580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Boot/Operational
  2⤵
  PID:1672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Disk/Analytic
  2⤵
  - Clears Windows event logs
  PID:4268
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-EventTracing/Admin
  2⤵
  PID:1308
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-EventTracing/Analytic
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-File/Analytic
  2⤵
  PID:1852
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-IO/Operational
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic
  2⤵
  PID:3432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-IoTrace/Diagnostic
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-LiveDump/Analytic
  2⤵
  PID:4004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-LiveDump/Operational
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Memory/Analytic
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Network/Analytic
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Pdc/Diagnostic
  2⤵
  PID:3636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Pep/Diagnostic
  2⤵
  PID:4020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
  2⤵
  PID:3040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-PnP/Configuration
  2⤵
  PID:1656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
  2⤵
  PID:2880
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
  2⤵
  PID:2272
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
  2⤵
  PID:2500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
  2⤵
  - Clears Windows event logs
  PID:4532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Diagnostic
  2⤵
  PID:3624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Diagnostic
  2⤵
  - Clears Windows event logs
  PID:940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Operational
  2⤵
  PID:1192
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Prefetch/Diagnostic
  2⤵
  PID:3244
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Process/Analytic
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Processor-Power/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:4732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Registry/Analytic
  2⤵
  PID:2876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Registry/Performance
  2⤵
  PID:1600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Debug
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Diagnostic
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Operational
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Analytic
  2⤵
  PID:208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Operational
  2⤵
  - Clears Windows event logs
  PID:4912
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Analytic
  2⤵
  - Clears Windows event logs
  PID:4636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Debug
  2⤵
  PID:1136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Operational
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Errors
  2⤵
  PID:3048
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Operational
  2⤵
  PID:4716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-XDV/Analytic
  2⤵
  - Clears Windows event logs
  PID:1788
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Admin
  2⤵
  PID:3852
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Operational
  2⤵
  PID:2448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Performance
  2⤵
  PID:4712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Known Folders API Service"
  2⤵
  PID:2544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-L2NA/Diagnostic
  2⤵
  PID:2616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LDAP-Client/Debug
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Diagnostic
  2⤵
  PID:4752
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Operational
  2⤵
  PID:1404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Performance
  2⤵
  PID:2416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LUA-ConsentUI/Diagnostic
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Analytic
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Debug
  2⤵
  PID:4932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Operational
  2⤵
  PID:4356
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LimitsManagement/Diagnostic
  2⤵
  PID:4276
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic
  2⤵
  PID:1912
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
  2⤵
  PID:4040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LiveId/Analytic
  2⤵
  PID:2032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LiveId/Operational
  2⤵
  PID:3616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic
  2⤵
  PID:2384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-CLNT/Diagnostic
  2⤵
  PID:1536
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-DRV/Diagnostic
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-SRV/Diagnostic
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSFTEDIT/Diagnostic
  2⤵
  PID:2412
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Admin
  2⤵
  PID:760
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Debug
  2⤵
  PID:1480
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Diagnostic
  2⤵
  PID:3396
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Admin
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Analytic
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Debug
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Operational
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Media-Streaming/DMC
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Media-Streaming/DMR
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Media-Streaming/MDE
  2⤵
  PID:2224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter
  2⤵
  PID:3764
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader
  2⤵
  PID:1132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/Transform
  2⤵
  PID:1380
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-PlayAPI/Analytic
  2⤵
  PID:4232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MemoryDiagnostics-Results/Debug
  2⤵
  PID:3064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Minstore/Analytic
  2⤵
  PID:2168
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Minstore/Debug
  2⤵
  PID:4596
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic
  2⤵
  PID:4224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic
  2⤵
  PID:372
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
  2⤵
  PID:2872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic
  2⤵
  PID:2724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MobilityCenter/Performance
  2⤵
  PID:1236
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
  2⤵
  PID:548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug
  2⤵
  PID:3564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mprddm/Operational
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NCSI/Analytic
  2⤵
  PID:400
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NCSI/Operational
  2⤵
  PID:932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDF-HelperClassDiscovery/Debug
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS-PacketCapture/Diagnostic
  2⤵
  PID:3428
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS/Diagnostic
  2⤵
  PID:324
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS/Operational
  2⤵
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NTLM/Operational
  2⤵
  PID:4504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NWiFi/Diagnostic
  2⤵
  PID:3332
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Narrator/Diagnostic
  2⤵
  PID:448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ncasvc/Operational
  2⤵
  PID:1520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NcdAutoSetup/Diagnostic
  2⤵
  PID:1532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NcdAutoSetup/Operational
  2⤵
  PID:1812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NdisImPlatform/Operational
  2⤵
  PID:3448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ndu/Diagnostic
  2⤵
  PID:3296
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetShell/Performance
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-Connection-Broker
  2⤵
  PID:4164
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-DataUsage/Analytic
  2⤵
  PID:3828
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-Setup/Diagnostic
  2⤵
  PID:2420
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-and-Sharing-Center/Diagnostic
  2⤵
  PID:1288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkBridge/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:1316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkLocationWizard/Operational
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProfile/Diagnostic
  2⤵
  PID:1384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProfile/Operational
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvider/Operational
  2⤵
  PID:4060
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvisioning/Analytic
  2⤵
  PID:644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvisioning/Operational
  2⤵
  PID:1620
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkSecurity/Debug
  2⤵
  PID:1832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkStatus/Analytic
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Networking-Correlation/Diagnostic
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Networking-RealTimeCommunication/Tracing
  2⤵
  - System Time Discovery
  PID:4736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NlaSvc/Diagnostic
  2⤵
  PID:1644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NlaSvc/Operational
  2⤵
  PID:3772
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/Operational
  2⤵
  PID:4724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/Performance
  2⤵
  PID:2444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/WHC
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLE/Clipboard-Performance
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLEACC/Debug
  2⤵
  PID:2580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLEACC/Diagnostic
  2⤵
  PID:1672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-Core/Diagnostic
  2⤵
  PID:4268
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-DUI/Diagnostic
  2⤵
  PID:1308
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-DUI/Operational
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic
  2⤵
  PID:1852
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OcpUpdateAgent/Operational
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Analytic
  2⤵
  PID:3432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Debug
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Operational
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/SyncLog
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneBackup/Debug
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneX/Diagnostic
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneX/Operational
  2⤵
  PID:1700
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OobeLdr/Analytic
  2⤵
  PID:4020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OtpCredentialProvider/Operational
  2⤵
  - Clears Windows event logs
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PCI/Diagnostic
  2⤵
  PID:1656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Analytic
  2⤵
  PID:2880
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Debug
  2⤵
  PID:2272
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Operational
  2⤵
  PID:2500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ParentalControls/Operational
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Partition/Analytic
  2⤵
  PID:3624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Partition/Diagnostic
  2⤵
  PID:2724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic
  2⤵
  PID:1236
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PerceptionRuntime/Operational
  2⤵
  PID:3856
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PerceptionSensorDataService/Operational
  2⤵
  PID:2064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Analytic
  2⤵
  PID:4392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Operational
  2⤵
  PID:1732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Analytic
  2⤵
  PID:1792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic
  2⤵
  PID:2160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Operational
  2⤵
  PID:1068
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Analytic
  2⤵
  PID:2004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Certification
  2⤵
  PID:900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Diagnose
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Operational
  2⤵
  PID:3140
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PhotoAcq/Analytic
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PlayToManager/Analytic
  2⤵
  PID:1876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Policy/Analytic
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Policy/Operational
  2⤵
  PID:848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PortableDeviceStatusProvider/Analytic
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PortableDeviceSyncProvider/Analytic
  2⤵
  PID:1408
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Power-Meter-Polling/Diagnostic
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerCfg/Diagnostic
  2⤵
  - Power Settings
  PID:2392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerCpl/Diagnostic
  2⤵
  PID:4112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic
  2⤵
  PID:4656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug
  2⤵
  - Clears Windows event logs
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
  2⤵
  PID:1860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Admin
  2⤵
  PID:4608
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Analytic
  2⤵
  PID:2980
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Debug
  2⤵
  PID:1176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Operational
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrimaryNetworkIcon/Performance
  2⤵
  PID:2732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintBRM/Admin
  2⤵
  - Clears Windows event logs
  PID:4320
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService-USBMon/Debug
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Admin
  2⤵
  PID:4816
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Debug
  2⤵
  - Clears Windows event logs
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Operational
  2⤵
  PID:3616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Privacy-Auditing/Operational
  2⤵
  PID:1848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ProcessStateManager/Diagnostic
  2⤵
  PID:3436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Program-Compatibility-Assistant/Analytic
  2⤵
  PID:4868
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade
  2⤵
  PID:2976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
  2⤵
  PID:2220
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug
  2⤵
  PID:5112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
  2⤵
  PID:2812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Diagnostic
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Informational
  2⤵
  PID:5024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Performance
  2⤵
  PID:1756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Developer/Debug
  2⤵
  PID:3988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-InProc/Debug
  2⤵
  - Clears Windows event logs
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Admin
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Debug
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Operational
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-QoS-Pacer/Diagnostic
  2⤵
  PID:4004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-QoS-qWAVE/Debug
  2⤵
  PID:2868
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC-Proxy/Debug
  2⤵
  PID:2668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC/Debug
  2⤵
  PID:5080
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC/EEInfo
  2⤵
  - Clears Windows event logs
  PID:3636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RRAS/Debug
  2⤵
  PID:3376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RRAS/Operational
  2⤵
  PID:3040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RadioManager/Analytic
  2⤵
  PID:3944
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic
  2⤵
  PID:2428
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RasAgileVpn/Debug
  2⤵
  PID:456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RasAgileVpn/Operational
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReFS/Operational
  2⤵
  PID:4836
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoost/Analytic
  2⤵
  PID:2924
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoost/Operational
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoostDriver/Analytic
  2⤵
  PID:4904
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoostDriver/Operational
  2⤵
  PID:548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Regsvr32/Operational
  2⤵
  PID:1568
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
  2⤵
  PID:1528
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Admin
  2⤵
  PID:4048
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Operational
  2⤵
  PID:400
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Tracing
  2⤵
  PID:1476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug
  2⤵
  PID:3428
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  2⤵
  PID:2540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug
  2⤵
  PID:1060
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug
  2⤵
  PID:3672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
  2⤵
  PID:448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Remotefs-Rdbss/Diagnostic
  2⤵
  PID:4032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Remotefs-Rdbss/Operational
  2⤵
  PID:4680
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ResetEng-Trace/Diagnostic
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Detector/Operational
  2⤵
  PID:2260
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ResourcePublication/Tracing
  2⤵
  PID:2392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RestartManager/Operational
  2⤵
  PID:776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RetailDemo/Admin
  2⤵
  PID:4664
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RetailDemo/Operational
  2⤵
  PID:3276
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Graphics/Analytic
  2⤵
  PID:3208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing
  2⤵
  PID:1252
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Networking/Tracing
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Web-Http/Tracing
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-WebAPI/Tracing
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource
  2⤵
  PID:5100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode
  2⤵
  - Clears Windows event logs
  PID:4040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime/CreateInstance
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime/Error
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBClient/Analytic
  2⤵
  PID:4736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBClient/HelperClassDiagnostic
  2⤵
  PID:1644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBClient/ObjectStateDiagnostic
  2⤵
  PID:3772
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBClient/Operational
  2⤵
  PID:4724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBDirect/Admin
  2⤵
  PID:2884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBDirect/Debug
  2⤵
  PID:4976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBDirect/Netmon
  2⤵
  PID:1888
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Analytic
  2⤵
  PID:3396
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Audit
  2⤵
  PID:4140
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Connectivity
  2⤵
  PID:2456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Diagnostic
  2⤵
  PID:4268
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Operational
  2⤵
  PID:1308
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Performance
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Security
  2⤵
  PID:2496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBWitnessClient/Admin
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBWitnessClient/Informational
  2⤵
  PID:1948
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SPB-ClassExtension/Analytic
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SPB-HIDI2C/Analytic
  2⤵
  PID:1132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Schannel-Events/Perf
  2⤵
  PID:4924
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sdbus/Analytic
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sdbus/Debug
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sdstor/Analytic
  2⤵
  PID:4452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Search-Core/Diagnostic
  2⤵
  PID:3860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Search-ProtocolHandlers/Diagnostic
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SearchUI/Diagnostic
  2⤵
  PID:4956
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SearchUI/Operational
  2⤵
  PID:372
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecureAssessment/Operational
  2⤵
  PID:2760
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Adminless/Operational
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic
  2⤵
  PID:4152
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Audit-Configuration-Client/Operational
  2⤵
  - Clears Windows event logs
  PID:940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
  2⤵
  PID:2024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
  2⤵
  PID:1236
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-IdentityListener/Operational
  2⤵
  PID:3564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-IdentityStore/Performance
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Mitigations/KernelMode
  2⤵
  PID:1600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Mitigations/UserMode
  2⤵
  PID:932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Netlogon/Operational
  2⤵
  PID:2000
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX-GC/Analytic
  2⤵
  PID:3360
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
  2⤵
  PID:324
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
  2⤵
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX/Analytic
  2⤵
  PID:4504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP/Perf
  2⤵
  PID:3332
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-UserConsentVerifier/Audit
  2⤵
  PID:2372
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Vault/Performance
  2⤵
  PID:1520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecurityMitigationsBroker/Admin
  2⤵
  PID:1532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecurityMitigationsBroker/Operational
  2⤵
  PID:848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecurityMitigationsBroker/Perf
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SendTo/Diagnostic
  2⤵
  PID:1408
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sens/Debug
  2⤵
  - Clears Windows event logs
  PID:2544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sensors/Debug
  2⤵
  PID:2616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sensors/Performance
  2⤵
  PID:4112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Serial-ClassExtension-V2/Analytic
  2⤵
  PID:4656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Serial-ClassExtension/Analytic
  2⤵
  PID:3632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ServiceReportingApi/Debug
  2⤵
  PID:2416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Services-Svchost/Diagnostic
  2⤵
  PID:3956
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Services/Diagnostic
  2⤵
  PID:4608
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Servicing/Debug
  2⤵
  PID:2980
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-Azure/Debug
  2⤵
  PID:1176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-Azure/Operational
  2⤵
  PID:4988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-OneDrive/Analytic
  2⤵
  PID:2732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-OneDrive/Debug
  2⤵
  PID:4320
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-OneDrive/Operational
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/Analytic
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/Debug
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/Operational
  2⤵
  PID:3616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/VerboseDebug
  2⤵
  PID:1848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Setup/Analytic
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupCl/Analytic
  2⤵
  PID:2412
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupPlatform/Analytic
  2⤵
  PID:760
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupQueue/Analytic
  2⤵
  PID:2212
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupUGC/Analytic
  2⤵
  PID:4792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic
  2⤵
  PID:5112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AppWizCpl/Diagnostic
  2⤵
  PID:2812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-Common/Diagnostic
  2⤵
  PID:5024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic
  2⤵
  PID:1852
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic
  2⤵
  PID:2224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/ActionCenter
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/AppDefaults
  2⤵
  PID:3120
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/Diagnostic
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/LogonTasksChannel
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/Operational
  2⤵
  PID:3064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-DefaultPrograms/Diagnostic
  2⤵
  PID:2168
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-LockScreenContent/Diagnostic
  2⤵
  PID:4596
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-OpenWith/Diagnostic
  2⤵
  PID:1656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Shwebsvc
  2⤵
  PID:2880
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-ZipFolder/Diagnostic
  2⤵
  PID:2272
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic
  2⤵
  PID:2500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
  2⤵
  PID:2016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shsvcs/Diagnostic
  2⤵
  PID:2632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SleepStudy/Diagnostic
  2⤵
  PID:2724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-Audit/Authentication
  2⤵
  PID:540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-DeviceEnum/Operational
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin
  2⤵
  PID:4732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational
  2⤵
  PID:4392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartScreen/Debug
  2⤵
  PID:5068
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Audit
  2⤵
  PID:376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Connectivity
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Diagnostic
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Security
  2⤵
  PID:208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Speech-UserExperience/Diagnostic
  2⤵
  PID:2004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Spell-Checking/Analytic
  2⤵
  PID:4636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SpellChecker/Analytic
  2⤵
  PID:404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Spellchecking-Host/Analytic
  2⤵
  PID:2204
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SruMon/Diagnostic
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SrumTelemetry
  2⤵
  PID:1876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Debug
  2⤵
  - Clears Windows event logs
  PID:1788
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Diagnostic
  2⤵
  PID:4680
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Operational
  2⤵
  PID:4712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Restricted
  2⤵
  PID:3884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorDiag/Operational
  2⤵
  PID:4164
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorPort/Operational
  2⤵
  PID:3828
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Admin
  2⤵
  - Clears Windows event logs
  PID:776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Analytic
  2⤵
  PID:4664
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Debug
  2⤵
  PID:3276
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Diagnose
  2⤵
  PID:3208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Operational
  2⤵
  PID:1252
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Admin
  2⤵
  PID:3080
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Analytic
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Debug
  2⤵
  PID:644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Diagnose
  2⤵
  PID:1620
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Operational
  2⤵
  PID:4940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Admin
  2⤵
  PID:2264
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Analytic
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Debug
  2⤵
  PID:4380
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Diagnose
  2⤵
  PID:3760
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Operational
  2⤵
  PID:1368
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Admin
  2⤵
  PID:1816
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Analytic
  2⤵
  PID:3772
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Debug
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Diagnose
  2⤵
  PID:2884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Health
  2⤵
  PID:4976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Operational
  2⤵
  - Clears Windows event logs
  PID:1888
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Tiering-IoHeat/Heat
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Tiering/Admin
  2⤵
  PID:4140
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageManagement/Debug
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageManagement/Operational
  2⤵
  PID:4268
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSettings/Diagnostic
  2⤵
  PID:1308
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-Driver/Diagnostic
  2⤵
  PID:4460
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-Driver/Operational
  2⤵
  - Clears Windows event logs
  PID:3432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-Driver/Performance
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
  2⤵
  PID:1948
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
  2⤵
  PID:1908
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-SpaceManager/Operational
  2⤵
  PID:1132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Store/Operational
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storsvc/Diagnostic
  2⤵
  PID:2972
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Subsys-Csr/Operational
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Subsys-SMSS/Operational
  2⤵
  PID:4452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Superfetch/Main
  2⤵
  PID:3860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Superfetch/PfApLog
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Superfetch/StoreLog
  2⤵
  - Clears Windows event logs
  PID:2428
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sysmon/Operational
  2⤵
  PID:456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sysprep/Analytic
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-System-Profile-HardwareId/Diagnostic
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemSettingsHandlers/Debug
  2⤵
  PID:2924
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemSettingsThreshold/Debug
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemSettingsThreshold/Diagnostic
  2⤵
  PID:4904
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemSettingsThreshold/Operational
  2⤵
  PID:1236
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TCPIP/Diagnostic
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TCPIP/Operational
  2⤵
  PID:3564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msctf/Debug
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msctf/Diagnostic
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msutb/Debug
  2⤵
  PID:400
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msutb/Diagnostic
  2⤵
  PID:932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TTS/Diagnostic
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TWinAPI/Diagnostic
  2⤵
  PID:3360
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TWinUI/Diagnostic
  2⤵
  PID:324
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TWinUI/Operational
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TZSync/Analytic
  2⤵
  - Clears Windows event logs
  PID:3140
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TZSync/Operational
  2⤵
  PID:3332
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TZUtil/Operational
  2⤵
  PID:4716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Debug
  2⤵
  PID:1876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Diagnostic
  2⤵
  PID:1532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Maintenance
  2⤵
  PID:3020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Operational
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskbarCPL/Diagnostic
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
  2⤵
  PID:2544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic
  2⤵
  PID:2616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug
  2⤵
  PID:4112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
  2⤵
  PID:1860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Debug
  2⤵
  PID:4932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  2⤵
  PID:4356
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-MediaRedirection/Analytic
  2⤵
  - Clears Windows event logs
  PID:4728
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Admin
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Analytic
  2⤵
  PID:1832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Debug
  2⤵
  PID:5100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Operational
  2⤵
  PID:4320
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Admin
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Analytic
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Debug
  2⤵
  PID:4736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Operational
  2⤵
  PID:3616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Analytic
  2⤵
  PID:1848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Debug
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Operational
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback
  2⤵
  PID:2212
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
  2⤵
  PID:4792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic
  2⤵
  PID:1672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug
  2⤵
  PID:2812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
  2⤵
  PID:5024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Tethering-Manager/Analytic
  2⤵
  - Clears Windows event logs
  PID:2224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Tethering-Station/Analytic
  2⤵
  PID:4004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ThemeCPL/Diagnostic
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ThemeUI/Diagnostic
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Threat-Intelligence/Analytic
  2⤵
  PID:4232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Time-Service/Operational
  2⤵
  PID:4104
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Troubleshooting-Recommended/Admin
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Troubleshooting-Recommended/Operational
  2⤵
  PID:4452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TunnelDriver
  2⤵
  - Clears Windows event logs
  PID:3860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UAC-FileVirtualization/Operational
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UAC/Operational
  2⤵
  - Clears Windows event logs
  PID:2428
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UI-Shell/Diagnostic
  2⤵
  PID:456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAnimation/Diagnostic
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAutomationCore/Debug
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAutomationCore/Diagnostic
  2⤵
  PID:2924
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAutomationCore/Perf
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIRibbon/Diagnostic
  2⤵
  PID:4904
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-MAUSBHOST-Analytic
  2⤵
  PID:1236
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-UCX-Analytic
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBHUB/Diagnostic
  2⤵
  PID:3564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBHUB3-Analytic
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBPORT/Diagnostic
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBXHCI-Analytic
  2⤵
  PID:400
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic
  2⤵
  PID:932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UniversalTelemetryClient/Operational
  2⤵
  PID:1424
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
  2⤵
  PID:3360
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
  2⤵
  PID:324
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel/Diagnostic"
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel/Operational"
  2⤵
  PID:3140
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Device Registration/Admin"
  2⤵
  PID:3332
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Device Registration/Debug"
  2⤵
  PID:4716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Profile Service/Diagnostic"
  2⤵
  - Clears Windows event logs
  PID:1876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Profile Service/Operational"
  2⤵
  - Clears Windows event logs
  PID:1532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-User-Loader/Analytic
  2⤵
  - Clears Windows event logs
  PID:3020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-User-Loader/Operational
  2⤵
  PID:4064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserAccountControl/Diagnostic
  2⤵
  PID:4280
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserModePowerService/Diagnostic
  2⤵
  PID:2544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/ActionCenter
  2⤵
  PID:2616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/DeviceInstall
  2⤵
  PID:4112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/DeviceMetadata/Debug
  2⤵
  - Clears Windows event logs
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/Performance
  2⤵
  PID:1860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/SchedulerOperations
  2⤵
  PID:2628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UxInit/Diagnostic
  2⤵
  PID:4932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UxTheme/Diagnostic
  2⤵
  PID:4356
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VAN/Diagnostic
  2⤵
  PID:4728
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VDRVROOT/Operational
  2⤵
  PID:3816
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VHDMP-Analytic
  2⤵
  PID:1832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VHDMP-Operational
  2⤵
  PID:5100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VIRTDISK-Analytic
  2⤵
  PID:4320
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VPN-Client/Operational
  2⤵
  PID:4200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VPN/Operational
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VWiFi/Diagnostic
  2⤵
  PID:4736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VerifyHardwareSecurity/Admin
  2⤵
  PID:3616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VerifyHardwareSecurity/Operational
  2⤵
  PID:1848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Volume/Diagnostic
  2⤵
  PID:4076
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VolumeControl/Performance
  2⤵
  PID:4600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VolumeSnapshot-Driver/Analytic
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VolumeSnapshot-Driver/Operational
  2⤵
  - Clears Windows event logs
  PID:2212
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WABSyncProvider/Analytic
  2⤵
  PID:4792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WCN-Config-Registrar/Diagnostic
  2⤵
  PID:1672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WCNWiz/Analytic
  2⤵
  PID:2812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WEPHOSTSVC/Operational
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WER-PayloadHealth/Operational
  2⤵
  PID:5024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WFP/Analytic
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WFP/Operational
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-AutoConfig/Operational
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-Autoconfig/Diagnostic
  2⤵
  PID:2224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-Driver/Analytic
  2⤵
  PID:4004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-MediaManager/Diagnostic
  2⤵
  PID:2536
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLANConnectionFlow/Diagnostic
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMI-Activity/Debug
  2⤵
  PID:4232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMI-Activity/Operational
  2⤵
  PID:4016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMI-Activity/Trace
  2⤵
  PID:4104
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPDMCUI/Diagnostic
  2⤵
  PID:3628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic
  2⤵
  PID:4452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSS-Service/Diagnostic
  2⤵
  PID:3860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSS-Service/Operational
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSSUI/Diagnostic
  2⤵
  PID:2428
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-API/Analytic
  2⤵
  PID:456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-ClassInstaller/Analytic
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-ClassInstaller/Operational
  2⤵
  PID:3660
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-CompositeClassDriver/Analytic
  2⤵
  PID:2924
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-CompositeClassDriver/Operational
  2⤵
  PID:3644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPBT/Analytic
  2⤵
  PID:4904
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPClassDriver/Analytic
  2⤵
  PID:1236
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPClassDriver/Operational
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPIP/Analytic
  2⤵
  PID:3564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPUS/Analytic
  2⤵
  - Clears Windows event logs
  PID:2160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WSC-SRV/Diagnostic
  2⤵
  PID:1776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WUSA/Debug
  2⤵
  PID:4100

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES21DB.tmp

Filesize
1KB

MD5
7cfc7d573be831e3b38a87bac2b751f5

SHA1
d8964f4dbac684f3eadba939dd51b52e1323712c

SHA256
fff0cbcbd080bb21b782d2d5047211165b7f937c49a6e7630cb60669b246aeb2

SHA512
a10f3260efa974bb84b716d503e67c3d7745f930c5e0f880b6485eb5a6474bbdeef04c4ada708f52fdf587620d27e502b7add336f030be673b112bff0227cdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB611.tmp

Filesize
1KB

MD5
2c5fdb1fd373d9d8a07766b87928a6ce

SHA1
aed77cefd3dfdc9d3355dc901170c28ff0c416a7

SHA256
d00c08893816d5189cf38fea0943ecf88e483cd08b0fdf642e2f0512103a8958

SHA512
400b0bf012eb4067f67d47702d18d9000e7742d31c46e9d6cc0988f2cdd1d0303b62adbf745f8df16f53269c683b63123f45231dc702abdebf659e25da535ddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s1fk2i44.bxg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\f5ajiq3m\f5ajiq3m.dll

Filesize
3KB

MD5
42ac23dfc0c8c085fc4a4448231c4d41

SHA1
613d06f0fdbb29764b82d3b38a34405a025998ba

SHA256
980f2f3d843a95a0eda1e5be01520bb9d20b871ca5b31819e36c2ae8bd2461cc

SHA512
1bad11b8c58afd2b9849eff4efb5adc5aa5bfa569be8f86ccddab53bd1d0fc3730eb5f41bed7bdc5451b98fb6f8cfa054c8c851f4b238808349cc095748684fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgdknzcw\kgdknzcw.dll

Filesize
3KB

MD5
e9640f4a172d59377a974f4e5881efb4

SHA1
e668ba0f864e3841f0493aaffc3f0217f355d1b7

SHA256
22f60e632d30339e53e0d636a6f571b67eda166463a6bef9fa1a8200197161a0

SHA512
7e8d57d08b569b3ed321fef138e56fcd17d09f3c97e223a34e2c9a1ca81e50407076353815a80df11c83db9c05ecd5716c934f74458e9f6a913f8cac5c2f25b9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f5ajiq3m\CSC85A91C7335C5407AB3398AB2793E782.TMP

Filesize
652B

MD5
04a1fa741e706f544be333653abdb41b

SHA1
b528572ee4baac652d4883363c3771a6c3046bda

SHA256
43be251715b07d3f6baa860af4b1391b6b764018979e3d3dccf352128756c851

SHA512
f01bd3299027dd1236f6e165c058298e46d4444a6fccf1d24ddf2555be01d4c9a3694d9b1bf769fb48d0f0c7339918ed7c3ea98b38348e8611f6db7d89efe86b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f5ajiq3m\f5ajiq3m.0.cs

Filesize
249B

MD5
7df2964601813e20ea90bc7eca64b00b

SHA1
a8ad7c0e81f3b6edd66269283ff1603491edca3b

SHA256
daf8a1ae523190ef51054e143909966e01c3b6f531c72b9524d91254eacd6084

SHA512
4970916854df38bd3e55021c3d4f802b3db5a4d64a4570817edeb8c42d6e335a4e989bfcfdead96c2ee8776cc54ad09ef609090ccd34b849532d5f3f6caf42e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\f5ajiq3m\f5ajiq3m.cmdline

Filesize
369B

MD5
f2257eed9ba936bcd62a56544d756ad5

SHA1
3b697e8fcb23c82f5087ae537a00f066b9955f36

SHA256
1358dfc1c551980a362a99676ddd5466fd5affc3362a025744d631210067e54b

SHA512
4fec192d45625714d9b16cb9345e9393184c6729e1764cc1ec777144d8542f8a9eec9c8364e44753e945b1112bf46283ee06560d9a4757bddd0a54da5b56a140

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kgdknzcw\CSCF9BFAF3251E2454EB19799E4E67D1C97.TMP

Filesize
652B

MD5
18cd6c7e7130dd9e8725eed8d9e7d0f9

SHA1
b94cad1d6ca3a7026e0feef9c65d403e6f922904

SHA256
992c04bfdb242023d6b9c833774654b08358a74059ee39313a437d69265b1dac

SHA512
36ad367b2a5716f6bb47df70722fd83bb8902528054b6217a6ef18aa67598fe01b78a15894ea212a9581edce74a6ec4f27520658bb4b1d9b9053eae71c018a04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kgdknzcw\kgdknzcw.0.cs

Filesize
696B

MD5
b794645974059bd125405f327c5ace77

SHA1
d332d8821d1eee8e5db75ec151df5ec945bec334

SHA256
afd81c914fe8fa7ee32be6a797f46a2a829908b45d59100c1052a7baf2a347da

SHA512
dc8e4aa0b35a02d7f43868bce8602ac3941341f74e2f2de6bb79dbb8eb9372431cd7179f3701a09d574ea449735738d9ba368b78fe4fe7fa6f9856536c19f8f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kgdknzcw\kgdknzcw.cmdline

Filesize
369B

MD5
d4b3f27430d29ab88c1e1c7f60aa8af9

SHA1
9902076e16ec0d973676fcdd9536dc9c4fd11bc6

SHA256
a502134ac72125fffc5271f87592d32566c775e6f4b0ba67c5914699adb96207

SHA512
89026eb324578989a162bd3dda815305031ca0296d831fe6d22f862424e06f72406f097d6f9550f917ee3c5d6304beb9127f35b9e106418617309a7a87fc29d0

Download Submit
memory/4628-27-0x00007FF9DAC00000-0x00007FF9DB6C1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-31-0x00007FF9DAC00000-0x00007FF9DB6C1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-32-0x00007FF9DAC03000-0x00007FF9DAC05000-memory.dmp

Filesize
8KB

Download
memory/4628-33-0x00007FF9DAC00000-0x00007FF9DB6C1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-34-0x00007FF9DAC00000-0x00007FF9DB6C1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-25-0x0000027004480000-0x0000027004488000-memory.dmp

Filesize
32KB

Download
memory/4628-0-0x00007FF9DAC03000-0x00007FF9DAC05000-memory.dmp

Filesize
8KB

Download
memory/4628-12-0x00007FF9DAC00000-0x00007FF9DB6C1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-11-0x00007FF9DAC00000-0x00007FF9DB6C1000-memory.dmp

Filesize
10.8MB

Download
memory/4628-48-0x000002701CF90000-0x000002701CF98000-memory.dmp

Filesize
32KB

Download
memory/4628-10-0x00000270044A0000-0x00000270044C2000-memory.dmp

Filesize
136KB

Download