e04ca52275d940234c4cf1744c64712513319668dbf7a0d77111a03cf9fdba40

Analysis

max time kernel
121s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Arata_Verdacrypt.ps1
Size

34KB
MD5

470f24b0d1fcbfaae2ba8286ab64f0f2
SHA1

cefe5f8886ed2468f7834c5ed0abafbee7083245
SHA256

e04ca52275d940234c4cf1744c64712513319668dbf7a0d77111a03cf9fdba40
SHA512

e108433b636de0454ff3cdb4822be12b84950e5cf32f63ded0b2d2d532f570357156e15aacd7a8b95aabcd7f4280609e1fcde32146883ab866e1d65600768715
SSDEEP

384:thz/snUBSzj5mMEEpi0D04eEMls/11AUfoUHaWPw3+4CFYV5jIyJu7Y:NM5mME00xEbrl6Yq+40+IF7Y

Score

9^/10

defense_evasion discovery execution persistence privilege_escalation ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
3112	wevtutil.exe
1968	wevtutil.exe
1384	wevtutil.exe
4840	wevtutil.exe
216	wevtutil.exe
1580	wevtutil.exe
672	wevtutil.exe
3592	wevtutil.exe
8	wevtutil.exe
4112	wevtutil.exe
2000	Process not Found
1180	wevtutil.exe
1228	wevtutil.exe
2368	wevtutil.exe
2404	wevtutil.exe
2228	wevtutil.exe
1028	wevtutil.exe
2880	wevtutil.exe
720	wevtutil.exe
2940	wevtutil.exe
3796	wevtutil.exe
4772	wevtutil.exe
2820	wevtutil.exe
4476	wevtutil.exe
3128	Process not Found
2372	wevtutil.exe
2752	wevtutil.exe
2692	wevtutil.exe
3540	wevtutil.exe
4088	wevtutil.exe
1384	wevtutil.exe
4668	wevtutil.exe
4920	wevtutil.exe
720	wevtutil.exe
4588	wevtutil.exe
4148	wevtutil.exe
4584	wevtutil.exe
3448	Process not Found
2656	wevtutil.exe
3724	wevtutil.exe
3112	wevtutil.exe
820	wevtutil.exe
4828	wevtutil.exe
2940	wevtutil.exe
3788	wevtutil.exe
1144	wevtutil.exe
900	Process not Found
2656	wevtutil.exe
4472	wevtutil.exe
916	wevtutil.exe
5008	wevtutil.exe
4488	Process not Found
1152	Process not Found
3276	Process not Found
4392	wevtutil.exe
968	wevtutil.exe
5032	wevtutil.exe
1548	wevtutil.exe
2792	wevtutil.exe
1144	wevtutil.exe
1664	wevtutil.exe
3232	wevtutil.exe
2920	wevtutil.exe
672	wevtutil.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5084	wevtutil.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1236	powershell.exe

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
4112	wevtutil.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocServer32	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\CLSID	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\InprocServer32\	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1236	powershell.exe
1236	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeSecurityPrivilege	3060	wevtutil.exe
Token: SeBackupPrivilege	3060	wevtutil.exe
Token: SeSecurityPrivilege	3796	wevtutil.exe
Token: SeBackupPrivilege	3796	wevtutil.exe
Token: SeSecurityPrivilege	2504	wevtutil.exe
Token: SeBackupPrivilege	2504	wevtutil.exe
Token: SeSecurityPrivilege	3524	wevtutil.exe
Token: SeBackupPrivilege	3524	wevtutil.exe
Token: SeSecurityPrivilege	1952	wevtutil.exe
Token: SeBackupPrivilege	1952	wevtutil.exe
Token: SeSecurityPrivilege	2248	wevtutil.exe
Token: SeBackupPrivilege	2248	wevtutil.exe
Token: SeSecurityPrivilege	1736	wevtutil.exe
Token: SeBackupPrivilege	1736	wevtutil.exe
Token: SeSecurityPrivilege	1084	wevtutil.exe
Token: SeBackupPrivilege	1084	wevtutil.exe
Token: SeSecurityPrivilege	1540	wevtutil.exe
Token: SeBackupPrivilege	1540	wevtutil.exe
Token: SeSecurityPrivilege	720	wevtutil.exe
Token: SeBackupPrivilege	720	wevtutil.exe
Token: SeSecurityPrivilege	4284	wevtutil.exe
Token: SeBackupPrivilege	4284	wevtutil.exe
Token: SeSecurityPrivilege	1652	wevtutil.exe
Token: SeBackupPrivilege	1652	wevtutil.exe
Token: SeSecurityPrivilege	2404	wevtutil.exe
Token: SeBackupPrivilege	2404	wevtutil.exe
Token: SeSecurityPrivilege	2184	wevtutil.exe
Token: SeBackupPrivilege	2184	wevtutil.exe
Token: SeSecurityPrivilege	4516	wevtutil.exe
Token: SeBackupPrivilege	4516	wevtutil.exe
Token: SeSecurityPrivilege	4848	wevtutil.exe
Token: SeBackupPrivilege	4848	wevtutil.exe
Token: SeSecurityPrivilege	1436	wevtutil.exe
Token: SeBackupPrivilege	1436	wevtutil.exe
Token: SeSecurityPrivilege	768	wevtutil.exe
Token: SeBackupPrivilege	768	wevtutil.exe
Token: SeSecurityPrivilege	4960	wevtutil.exe
Token: SeBackupPrivilege	4960	wevtutil.exe
Token: SeSecurityPrivilege	2104	wevtutil.exe
Token: SeBackupPrivilege	2104	wevtutil.exe
Token: SeSecurityPrivilege	3724	wevtutil.exe
Token: SeBackupPrivilege	3724	wevtutil.exe
Token: SeSecurityPrivilege	2656	wevtutil.exe
Token: SeBackupPrivilege	2656	wevtutil.exe
Token: SeSecurityPrivilege	820	wevtutil.exe
Token: SeBackupPrivilege	820	wevtutil.exe
Token: SeSecurityPrivilege	1204	wevtutil.exe
Token: SeBackupPrivilege	1204	wevtutil.exe
Token: SeSecurityPrivilege	2928	wevtutil.exe
Token: SeBackupPrivilege	2928	wevtutil.exe
Token: SeSecurityPrivilege	672	wevtutil.exe
Token: SeBackupPrivilege	672	wevtutil.exe
Token: SeSecurityPrivilege	748	wevtutil.exe
Token: SeBackupPrivilege	748	wevtutil.exe
Token: SeSecurityPrivilege	1852	wevtutil.exe
Token: SeBackupPrivilege	1852	wevtutil.exe
Token: SeSecurityPrivilege	2172	wevtutil.exe
Token: SeBackupPrivilege	2172	wevtutil.exe
Token: SeSecurityPrivilege	2672	wevtutil.exe
Token: SeBackupPrivilege	2672	wevtutil.exe
Token: SeSecurityPrivilege	1176	wevtutil.exe
Token: SeBackupPrivilege	1176	wevtutil.exe
Token: SeSecurityPrivilege	4320	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 900	1236	powershell.exe	87
PID 1236 wrote to memory of 900	1236	powershell.exe	87
PID 900 wrote to memory of 4644	900	csc.exe	88
PID 900 wrote to memory of 4644	900	csc.exe	88
PID 1236 wrote to memory of 632	1236	powershell.exe	93
PID 1236 wrote to memory of 632	1236	powershell.exe	93
PID 1236 wrote to memory of 3060	1236	powershell.exe	95
PID 1236 wrote to memory of 3060	1236	powershell.exe	95
PID 1236 wrote to memory of 3796	1236	powershell.exe	96
PID 1236 wrote to memory of 3796	1236	powershell.exe	96
PID 1236 wrote to memory of 2504	1236	powershell.exe	97
PID 1236 wrote to memory of 2504	1236	powershell.exe	97
PID 1236 wrote to memory of 3524	1236	powershell.exe	98
PID 1236 wrote to memory of 3524	1236	powershell.exe	98
PID 1236 wrote to memory of 1952	1236	powershell.exe	99
PID 1236 wrote to memory of 1952	1236	powershell.exe	99
PID 1236 wrote to memory of 2248	1236	powershell.exe	100
PID 1236 wrote to memory of 2248	1236	powershell.exe	100
PID 1236 wrote to memory of 1736	1236	powershell.exe	101
PID 1236 wrote to memory of 1736	1236	powershell.exe	101
PID 1236 wrote to memory of 1084	1236	powershell.exe	175
PID 1236 wrote to memory of 1084	1236	powershell.exe	175
PID 1236 wrote to memory of 1540	1236	powershell.exe	176
PID 1236 wrote to memory of 1540	1236	powershell.exe	176
PID 1236 wrote to memory of 720	1236	powershell.exe	177
PID 1236 wrote to memory of 720	1236	powershell.exe	177
PID 1236 wrote to memory of 4284	1236	powershell.exe	105
PID 1236 wrote to memory of 4284	1236	powershell.exe	105
PID 1236 wrote to memory of 1652	1236	powershell.exe	106
PID 1236 wrote to memory of 1652	1236	powershell.exe	106
PID 1236 wrote to memory of 2404	1236	powershell.exe	107
PID 1236 wrote to memory of 2404	1236	powershell.exe	107
PID 1236 wrote to memory of 2184	1236	powershell.exe	108
PID 1236 wrote to memory of 2184	1236	powershell.exe	108
PID 1236 wrote to memory of 4516	1236	powershell.exe	109
PID 1236 wrote to memory of 4516	1236	powershell.exe	109
PID 1236 wrote to memory of 4848	1236	powershell.exe	110
PID 1236 wrote to memory of 4848	1236	powershell.exe	110
PID 1236 wrote to memory of 1436	1236	powershell.exe	111
PID 1236 wrote to memory of 1436	1236	powershell.exe	111
PID 1236 wrote to memory of 768	1236	powershell.exe	186
PID 1236 wrote to memory of 768	1236	powershell.exe	186
PID 1236 wrote to memory of 4960	1236	powershell.exe	113
PID 1236 wrote to memory of 4960	1236	powershell.exe	113
PID 1236 wrote to memory of 2104	1236	powershell.exe	114
PID 1236 wrote to memory of 2104	1236	powershell.exe	114
PID 1236 wrote to memory of 3724	1236	powershell.exe	116
PID 1236 wrote to memory of 3724	1236	powershell.exe	116
PID 1236 wrote to memory of 2656	1236	powershell.exe	117
PID 1236 wrote to memory of 2656	1236	powershell.exe	117
PID 1236 wrote to memory of 820	1236	powershell.exe	118
PID 1236 wrote to memory of 820	1236	powershell.exe	118
PID 1236 wrote to memory of 1204	1236	powershell.exe	119
PID 1236 wrote to memory of 1204	1236	powershell.exe	119
PID 1236 wrote to memory of 2928	1236	powershell.exe	120
PID 1236 wrote to memory of 2928	1236	powershell.exe	120
PID 1236 wrote to memory of 672	1236	powershell.exe	121
PID 1236 wrote to memory of 672	1236	powershell.exe	121
PID 1236 wrote to memory of 748	1236	powershell.exe	122
PID 1236 wrote to memory of 748	1236	powershell.exe	122
PID 1236 wrote to memory of 1852	1236	powershell.exe	123
PID 1236 wrote to memory of 1852	1236	powershell.exe	123
PID 1236 wrote to memory of 2172	1236	powershell.exe	124
PID 1236 wrote to memory of 2172	1236	powershell.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Arata_Verdacrypt.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\os32efxg\os32efxg.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8FFB.tmp" "c:\Users\Admin\AppData\Local\Temp\os32efxg\CSC2F3ADE3EFE44BE1AA11D07DC66D38A.TMP"
    3⤵
    PID:4644
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\SomeTask
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" el
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3796
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Application
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:720
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "General Logging"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
  2⤵
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
  PID:3724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4320
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
  2⤵
  PID:2912
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
  2⤵
  PID:2704
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
  2⤵
  PID:5040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
  2⤵
  PID:3088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
  2⤵
  PID:3144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
  2⤵
  - Clears Windows event logs
  PID:2372
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
  2⤵
  PID:3084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
  2⤵
  PID:3768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
  2⤵
  PID:1352
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
  2⤵
  PID:2752
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
  2⤵
  PID:4488
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
  2⤵
  PID:3232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
  2⤵
  PID:2800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
  2⤵
  PID:4444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
  2⤵
  PID:2440
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
  2⤵
  PID:2500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
  2⤵
  PID:3056
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
  2⤵
  PID:736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
  2⤵
  PID:1136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
  2⤵
  PID:208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
  2⤵
  PID:4724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
  2⤵
  PID:3128
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
  2⤵
  PID:1748
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
  2⤵
  PID:3444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
  2⤵
  PID:1272
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Debug
  2⤵
  PID:4424
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
  2⤵
  PID:4876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
  2⤵
  PID:4040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/ApplicationTracing
  2⤵
  PID:3844
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Diagnostic
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Internal
  2⤵
  PID:436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
  2⤵
  PID:1540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
  2⤵
  PID:720
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
  2⤵
  - Clears Windows event logs
  PID:2920
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
  2⤵
  PID:1968
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
  2⤵
  PID:4404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Analytic
  2⤵
  PID:4636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Debug
  2⤵
  PID:4532
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Diagnostics
  2⤵
  PID:2276
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Debug
  2⤵
  - Clears Windows event logs
  PID:4392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Diagnostic
  2⤵
  PID:4228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
  2⤵
  PID:768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Debug
  2⤵
  PID:3464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
  2⤵
  PID:4028
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppSruProv
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Diagnostic
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Debug
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Diagnostic
  2⤵
  PID:2956
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Operational
  2⤵
  PID:968
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Restricted
  2⤵
  PID:1512
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Analytic
  2⤵
  PID:4580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Operational
  2⤵
  PID:2336
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
  2⤵
  PID:3888
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
  2⤵
  PID:4408
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
  2⤵
  PID:2596
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
  2⤵
  PID:756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug
  2⤵
  PID:3088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
  2⤵
  PID:3144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic
  2⤵
  PID:3200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace
  2⤵
  - Clears Windows event logs
  PID:3112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
  2⤵
  PID:4840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
  2⤵
  PID:4488
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Steps-Recorder
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Debug
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Operational
  2⤵
  PID:316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Performance
  2⤵
  PID:2800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Admin
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Operational
  2⤵
  PID:4444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Admin
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Operational
  2⤵
  PID:2440
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AsynchronousCausality/Causality
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
  2⤵
  PID:2500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/GlitchDetection
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Informational
  2⤵
  PID:3056
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
  2⤵
  PID:736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/PlaybackManager
  2⤵
  PID:1136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
  2⤵
  PID:208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUser-Client
  2⤵
  PID:4724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
  2⤵
  PID:4900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AxInstallService/Log
  2⤵
  - Clears Windows event logs
  PID:216
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/HCI
  2⤵
  PID:1808
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/L2CAP
  2⤵
  PID:4544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Diagnostic
  2⤵
  PID:1604
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Performance
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic
  2⤵
  PID:2284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Operational
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
  2⤵
  PID:3528
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
  2⤵
  PID:2544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
  2⤵
  PID:1180
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
  2⤵
  PID:812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Battery/Diagnostic
  2⤵
  PID:2880
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Analytic
  2⤵
  PID:4536
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
  2⤵
  PID:2940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
  2⤵
  PID:4632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
  2⤵
  PID:2228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-Driver-Performance/Operational
  2⤵
  PID:4516
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Management"
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Operational"
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker/Tracing
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
  2⤵
  PID:1940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Bthmini/Operational
  2⤵
  PID:2104
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
  2⤵
  PID:3724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Policy/Operational
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCache/Operational
  2⤵
  PID:60
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
  2⤵
  PID:4956
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
  2⤵
  PID:3456
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheMonitoring/Analytic
  2⤵
  PID:672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Analytic
  2⤵
  PID:3752
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Operational
  2⤵
  PID:4348
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CAPI2/Operational
  2⤵
  PID:3664
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CDROM/Operational
  2⤵
  PID:3888
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Analytic
  2⤵
  PID:4408
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentInitialize
  2⤵
  PID:2596
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentUninitialize
  2⤵
  PID:756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Call
  2⤵
  PID:3088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/CreateInstance
  2⤵
  PID:2896
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ExtensionCatalog
  2⤵
  PID:2316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/FreeUnusedLibrary
  2⤵
  PID:4000
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/RundownInstrumentation
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Activations
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/MessageProcessing
  2⤵
  PID:2452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Tracing
  2⤵
  PID:3448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertPoleEng/Operational
  2⤵
  PID:3232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational
  2⤵
  PID:2588
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational
  2⤵
  PID:4164
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Cleanmgr/Diagnostic
  2⤵
  PID:4920
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ClearTypeTextTuner/Diagnostic
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CloudStore/Debug
  2⤵
  PID:3052
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CloudStore/Operational
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CmiSetup/Analytic
  2⤵
  PID:2500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Operational
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CodeIntegrity/Verbose
  2⤵
  PID:3056
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Analytic
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ComDlg32/Debug
  2⤵
  PID:736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Compat-Appraiser/Analytic
  2⤵
  PID:1136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Compat-Appraiser/Operational
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-BindFlt/Debug
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-BindFlt/Operational
  2⤵
  PID:208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcifs/Debug
  2⤵
  PID:4724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcifs/Operational
  2⤵
  PID:4900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcnfs/Debug
  2⤵
  - Clears Windows event logs
  PID:2792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Containers-Wcnfs/Operational
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Diagnostic
  2⤵
  PID:1808
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Operational
  2⤵
  PID:4544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreApplication/Tracing
  2⤵
  PID:1604
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational
  2⤵
  PID:2284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreWindow/Analytic
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CoreWindow/Debug
  2⤵
  PID:3528
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Client/Operational
  2⤵
  PID:2544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CorruptedFileRecovery-Server/Operational
  2⤵
  - Clears Windows event logs
  PID:1180
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crashdump/Operational
  2⤵
  PID:812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CredUI/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:2880
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-BCRYPT/Analytic
  2⤵
  PID:4536
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-CNG/Analytic
  2⤵
  PID:2940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc
  2⤵
  PID:1968
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/Debug
  2⤵
  PID:2184
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DPAPI/Operational
  2⤵
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-DSSEnh/Analytic
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-NCrypt/Operational
  2⤵
  PID:1436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-RNG/Analytic
  2⤵
  PID:4392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Crypto-RSAEnh/Analytic
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/Analytic
  2⤵
  PID:2508
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-D3D10Level9/PerfTiming
  2⤵
  PID:4188
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAL-Provider/Analytic
  2⤵
  PID:3820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAL-Provider/Operational
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DAMM/Diagnostic
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DCLocator/Debug
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DDisplay/Analytic
  2⤵
  PID:2928
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DDisplay/Logging
  2⤵
  - Clears Windows event logs
  PID:968
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DLNA-Namespace/Analytic
  2⤵
  PID:2172
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DNS-Client/Operational
  2⤵
  - Clears Windows event logs
  PID:1228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Admin
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Analytic
  2⤵
  PID:1612
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Debug
  2⤵
  PID:4872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DSC/Operational
  2⤵
  PID:4036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUI/Diagnostic
  2⤵
  PID:4624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DUSER/Diagnostic
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Analytic
  2⤵
  PID:3144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXGI/Logging
  2⤵
  PID:2316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DXP/Analytic
  2⤵
  - Clears Windows event logs
  PID:3112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Data-Pdf/Debug
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DataIntegrityScan/Admin
  2⤵
  PID:4840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DataIntegrityScan/CrashRecovery
  2⤵
  PID:4488
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Analytic
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Debug
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DateTimeControlPanel/Operational
  2⤵
  PID:316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Diagnostic
  2⤵
  PID:2588
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Operational
  2⤵
  PID:4164
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Performance
  2⤵
  - Clears Windows event logs
  PID:4920
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deduplication/Scrubbing
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Defrag-Core/Debug
  2⤵
  PID:2864
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Deplorch/Analytic
  2⤵
  PID:3140
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DesktopActivityModerator/Diagnostic
  2⤵
  PID:4388
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceAssociationService/Performance
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceConfidence/Analytic
  2⤵
  PID:4880
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceGuard/Operational
  2⤵
  PID:916
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceGuard/Verbose
  2⤵
  PID:2860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
  2⤵
  PID:780
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug
  2⤵
  PID:4468
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Admin
  2⤵
  PID:4144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Analytic
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Debug
  2⤵
  PID:740
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSetupManager/Operational
  2⤵
  PID:3580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Analytic
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceSync/Operational
  2⤵
  PID:1368
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUpdateAgent/Operational
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Informational
  2⤵
  PID:3128
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DeviceUx/Performance
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Devices-Background/Operational
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Admin
  2⤵
  PID:3444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcp-Client/Operational
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Admin
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dhcpv6-Client/Operational
  2⤵
  PID:4148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiagCpl/Debug
  2⤵
  PID:4876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic
  2⤵
  PID:4048
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Analytic
  2⤵
  PID:3756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Debug
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-DPS/Operational
  2⤵
  PID:436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-MSDE/Debug
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Analytic
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Debug
  2⤵
  - Clears Windows event logs
  PID:720
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PCW/Operational
  2⤵
  PID:2400
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Debug
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-PLA/Operational
  2⤵
  - Clears Windows event logs
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Perfhost/Analytic
  2⤵
  - Clears Windows event logs
  PID:4588
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scheduled/Operational
  2⤵
  PID:4516
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Admin
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Analytic
  2⤵
  PID:3932
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Debug
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-Scripted/Operational
  2⤵
  PID:4228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug
  2⤵
  PID:1940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDC/Analytic
  2⤵
  PID:2104
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnosis-WDI/Debug
  2⤵
  PID:3724
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Debug
  2⤵
  - Clears Windows event logs
  PID:820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Networking/Operational
  2⤵
  PID:60
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic
  2⤵
  PID:1800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic
  2⤵
  PID:2748
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback
  2⤵
  PID:4320
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Diagnostics-Performance/Operational
  2⤵
  PID:4024
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10/Analytic
  2⤵
  - Clears Windows event logs
  PID:4828
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D10_1/Analytic
  2⤵
  PID:5040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Analytic
  2⤵
  PID:4924
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/Logging
  2⤵
  PID:1928
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D11/PerfTiming
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D12/Analytic
  2⤵
  PID:3200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D12/Logging
  2⤵
  PID:1524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D12/PerfTiming
  2⤵
  - Clears Windows event logs
  PID:2752
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3D9/Analytic
  2⤵
  PID:2432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Direct3DShaderCache/Default
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectComposition/Diagnostic
  2⤵
  PID:2312
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectManipulation/Diagnostic
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectShow-KernelSupport/Performance
  2⤵
  PID:4840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DirectSound/Debug
  2⤵
  PID:4488
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Disk/Operational
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnostic/Operational
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticDataCollector/Operational
  2⤵
  PID:316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DiskDiagnosticResolver/Operational
  2⤵
  PID:4444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Api/Analytic
  2⤵
  PID:4072
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Api/ExternalAnalytic
  2⤵
  PID:3036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Api/InternalAnalytic
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dism-Cli/Analytic
  2⤵
  PID:2492
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Debug
  2⤵
  PID:468
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplayColorCalibration/Operational
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DisplaySwitch/Diagnostic
  2⤵
  PID:1064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Documents/Performance
  2⤵
  PID:1716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dot3MM/Diagnostic
  2⤵
  PID:3496
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DriverFrameworks-UserMode/Operational
  2⤵
  PID:3568
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DucUpdateAgent/Operational
  2⤵
  PID:2436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-API/Diagnostic
  2⤵
  PID:3176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Core/Diagnostic
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Dwm/Diagnostic
  2⤵
  PID:4776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Redir/Diagnostic
  2⤵
  PID:4136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Dwm-Udwm/Diagnostic
  2⤵
  PID:4832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl-Admin
  2⤵
  PID:244
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl-Operational
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Contention
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Diagnostic
  2⤵
  PID:1368
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Performance
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxgKrnl/Power
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-DxpTaskSyncProvider/Analytic
  2⤵
  PID:3128
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Application-Learning/Admin
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Audit-Regular/Admin
  2⤵
  PID:3444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EDP-Audit-TCB/Admin
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EFS/Debug
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ESE/IODiagnose
  2⤵
  - Clears Windows event logs
  PID:4148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ESE/Operational
  2⤵
  PID:4876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Analytic
  2⤵
  PID:4048
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Debug
  2⤵
  PID:3756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapHost/Operational
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-RasChap/Operational
  2⤵
  PID:436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-RasTls/Operational
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-Sim/Operational
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EapMethods-Ttls/Operational
  2⤵
  PID:720
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EaseOfAccess/Diagnostic
  2⤵
  PID:2400
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Energy-Estimation-Engine/EventLog
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Energy-Estimation-Engine/Trace
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic
  2⤵
  PID:4588
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Debug
  2⤵
  PID:4516
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventCollector/Operational
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog-WMIProvider/Debug
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Analytic
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-EventLog/Debug
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Analytic
  2⤵
  PID:2508
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Debug
  2⤵
  PID:1744
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FMS/Operational
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FailoverClustering-Client/Diagnostic
  2⤵
  PID:4616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Fault-Tolerant-Heap/Operational
  2⤵
  PID:1228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FeatureConfiguration/Analytic
  2⤵
  PID:4872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FeatureConfiguration/Operational
  2⤵
  PID:4624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Catalog/Analytic
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Catalog/Debug
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-ConfigManager/Analytic
  2⤵
  PID:3200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-ConfigManager/Debug
  2⤵
  PID:3112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/Analytic
  2⤵
  PID:3300
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/Debug
  2⤵
  - Clears Windows event logs
  PID:2368
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Core/WHC
  2⤵
  PID:228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/Analytic
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/BackupLog
  2⤵
  PID:2452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Engine/Debug
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-EventListener/Analytic
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-EventListener/Debug
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Service/Analytic
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-Service/Debug
  2⤵
  PID:4164
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-UI-Events/Analytic
  2⤵
  PID:4920
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileHistory-UI-Events/Debug
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-FileInfoMinifilter/Operational
  2⤵
  PID:4744
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Firewall-CPL/Diagnostic
  2⤵
  PID:2864
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Folder Redirection/Operational"
  2⤵
  PID:4388
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Debug
  2⤵
  PID:4944
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Forwarding/Operational
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GPIO-ClassExtension/Analytic
  2⤵
  PID:4880
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GenericRoaming/Admin
  2⤵
  PID:916
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-GroupPolicy/Operational
  2⤵
  PID:2860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HAL/Debug
  2⤵
  PID:780
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Debug
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenter/Performance
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HealthCenterCPL/Performance
  2⤵
  PID:4144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HelloForBusiness/Operational
  2⤵
  PID:4776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Help/Operational
  2⤵
  PID:740
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
  2⤵
  PID:3580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
  2⤵
  PID:3540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
  2⤵
  PID:208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
  2⤵
  PID:1152
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HomeGroup-ListenerService
  2⤵
  PID:4900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HotspotAuth/Analytic
  2⤵
  PID:3128
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HotspotAuth/Operational
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Log
  2⤵
  PID:2764
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-HttpService/Trace
  2⤵
  PID:1808
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Admin
  2⤵
  PID:2768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Debug
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose
  2⤵
  PID:3528
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Guest-Drivers/Operational
  2⤵
  PID:4772
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Admin
  2⤵
  PID:1540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Analytic
  2⤵
  PID:1652
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-Hypervisor-Operational
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-NETVSC/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:720
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-VID-Admin
  2⤵
  PID:4632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Hyper-V-VID-Analytic
  2⤵
  PID:2400
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IE-SmartScreen
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKE/Operational
  2⤵
  PID:4588
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IKEDBG/Debug
  2⤵
  PID:4516
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-Broker/Analytic
  2⤵
  PID:3792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-CandidateUI/Analytic
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-CustomerFeedbackManager/Debug
  2⤵
  PID:3788
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic
  2⤵
  PID:2588
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPAPI/Analytic
  2⤵
  PID:1812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPLMP/Analytic
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPPRED/Analytic
  2⤵
  PID:3276
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPSetting/Analytic
  2⤵
  PID:2068
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-JPTIP/Analytic
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-KRAPI/Analytic
  2⤵
  PID:4036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-KRTIP/Analytic
  2⤵
  PID:5084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-OEDCompiler/Analytic
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-TCCORE/Analytic
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-TCTIP/Analytic
  2⤵
  PID:2752
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IME-TIP/Analytic
  2⤵
  PID:2432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPNAT/Diagnostic
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPSEC-SRV/Diagnostic
  2⤵
  PID:2312
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPxlatCfg/Debug
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IPxlatCfg/Operational
  2⤵
  PID:4840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IdCtrls/Analytic
  2⤵
  PID:4488
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IdCtrls/Operational
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Input-HIDCLASS-Analytic
  2⤵
  PID:316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-InputSwitch/Diagnostic
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-International-RegionalOptionsControlPanel/Operational
  2⤵
  PID:2692
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Debug
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Operational
  2⤵
  PID:2440
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Iphlpsvc/Trace
  2⤵
  PID:3140
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KdsSvc/Operational
  2⤵
  PID:3636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kerberos/Operational
  2⤵
  PID:4740
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Acpi/Diagnostic
  2⤵
  PID:3288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-AppCompat/General
  2⤵
  PID:2600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-AppCompat/Performance
  2⤵
  PID:2564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Analytic
  2⤵
  PID:5008
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Debug
  2⤵
  PID:1864
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ApphelpCache/Operational
  2⤵
  PID:2500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Boot/Analytic
  2⤵
  PID:3812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Boot/Operational
  2⤵
  PID:3056
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic
  2⤵
  PID:1488
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Disk/Analytic
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-EventTracing/Admin
  2⤵
  PID:244
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-EventTracing/Analytic
  2⤵
  PID:4640
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-File/Analytic
  2⤵
  PID:4972
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-IO/Operational
  2⤵
  PID:1368
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-IoTrace/Diagnostic
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-LiveDump/Analytic
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-LiveDump/Operational
  2⤵
  PID:556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Memory/Analytic
  2⤵
  PID:1272
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Network/Analytic
  2⤵
  PID:4424
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Pdc/Diagnostic
  2⤵
  PID:3524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Pep/Diagnostic
  2⤵
  PID:4040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-PnP/Configuration
  2⤵
  PID:3756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
  2⤵
  PID:436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
  2⤵
  - Clears Windows event logs
  PID:2404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:2940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Diagnostic
  2⤵
  PID:1968
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Power/Thermal-Operational
  2⤵
  PID:2228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Prefetch/Diagnostic
  2⤵
  PID:3716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Process/Analytic
  2⤵
  PID:3544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Processor-Power/Diagnostic
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Registry/Analytic
  2⤵
  PID:4960
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-Registry/Performance
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Debug
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Diagnostic
  2⤵
  PID:2952
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-ShimEngine/Operational
  2⤵
  PID:2508
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Analytic
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-StoreMgr/Operational
  2⤵
  PID:1008
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Analytic
  2⤵
  PID:2172
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Debug
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WDI/Operational
  2⤵
  PID:1228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Errors
  2⤵
  PID:1928
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-WHEA/Operational
  2⤵
  PID:4624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Kernel-XDV/Analytic
  2⤵
  PID:3144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Admin
  2⤵
  PID:4664
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Operational
  2⤵
  PID:4000
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-KeyboardFilter/Performance
  2⤵
  PID:3744
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Known Folders API Service"
  2⤵
  PID:4756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-L2NA/Diagnostic
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LDAP-Client/Debug
  2⤵
  PID:4484
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Diagnostic
  2⤵
  PID:2452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Operational
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LSA/Performance
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LUA-ConsentUI/Diagnostic
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Analytic
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Debug
  2⤵
  PID:2736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LanguagePackSetup/Operational
  2⤵
  PID:3036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LimitsManagement/Diagnostic
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic
  2⤵
  PID:2492
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational
  2⤵
  PID:468
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LiveId/Analytic
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-LiveId/Operational
  2⤵
  PID:1064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-CLNT/Diagnostic
  2⤵
  PID:3288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-DRV/Diagnostic
  2⤵
  PID:2564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MPS-SRV/Diagnostic
  2⤵
  PID:5044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSFTEDIT/Diagnostic
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Admin
  2⤵
  PID:3132
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Debug
  2⤵
  PID:816
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MSPaint/Diagnostic
  2⤵
  PID:4136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Admin
  2⤵
  PID:4776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Analytic
  2⤵
  PID:5064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Debug
  2⤵
  PID:244
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MUI/Operational
  2⤵
  PID:4640
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Media-Streaming/DMC
  2⤵
  PID:4972
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Media-Streaming/DMR
  2⤵
  PID:1368
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Media-Streaming/MDE
  2⤵
  PID:1548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader
  2⤵
  PID:556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-MFReadWrite/Transform
  2⤵
  PID:1272
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-Performance/SARStreamResource
  2⤵
  PID:4424
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MediaFoundation-PlayAPI/Analytic
  2⤵
  PID:3524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MemoryDiagnostics-Results/Debug
  2⤵
  PID:4040
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Minstore/Analytic
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Minstore/Debug
  2⤵
  PID:3756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic
  2⤵
  PID:436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational
  2⤵
  PID:2404
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic
  2⤵
  PID:2940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-MobilityCenter/Performance
  2⤵
  - Clears Windows event logs
  PID:1968
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin
  2⤵
  PID:2276
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot
  2⤵
  PID:3304
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug
  2⤵
  PID:1436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Mprddm/Operational
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NCSI/Analytic
  2⤵
  - Clears Windows event logs
  PID:1144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NCSI/Operational
  2⤵
  PID:768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDF-HelperClassDiscovery/Debug
  2⤵
  PID:3820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS-PacketCapture/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:2656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS/Diagnostic
  2⤵
  PID:4192
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NDIS/Operational
  2⤵
  PID:1592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NTLM/Operational
  2⤵
  PID:4440
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NWiFi/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:1664
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Narrator/Diagnostic
  2⤵
  PID:756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ncasvc/Operational
  2⤵
  PID:3084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NcdAutoSetup/Diagnostic
  2⤵
  PID:3768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NcdAutoSetup/Operational
  2⤵
  PID:3200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NdisImPlatform/Operational
  2⤵
  PID:3112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ndu/Diagnostic
  2⤵
  PID:3300
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetShell/Performance
  2⤵
  PID:2368
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-Connection-Broker
  2⤵
  PID:228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-DataUsage/Analytic
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-Setup/Diagnostic
  2⤵
  PID:2524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Network-and-Sharing-Center/Diagnostic
  2⤵
  PID:4840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkBridge/Diagnostic
  2⤵
  PID:4488
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkLocationWizard/Operational
  2⤵
  PID:2452
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProfile/Diagnostic
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProfile/Operational
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvider/Operational
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvisioning/Analytic
  2⤵
  PID:2736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkProvisioning/Operational
  2⤵
  PID:3036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkSecurity/Debug
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NetworkStatus/Analytic
  2⤵
  PID:2492
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Networking-Correlation/Diagnostic
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Networking-RealTimeCommunication/Tracing
  2⤵
  - System Time Discovery
  PID:4112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NlaSvc/Diagnostic
  2⤵
  PID:512
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-NlaSvc/Operational
  2⤵
  PID:1716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/Operational
  2⤵
  PID:916
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/Performance
  2⤵
  PID:2564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ntfs/WHC
  2⤵
  PID:5044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLE/Clipboard-Performance
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLEACC/Debug
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OLEACC/Diagnostic
  2⤵
  PID:840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic
  2⤵
  PID:1072
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-Core/Diagnostic
  2⤵
  PID:628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-DUI/Diagnostic
  2⤵
  PID:5116
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-DUI/Operational
  2⤵
  PID:2088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic
  2⤵
  PID:900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OcpUpdateAgent/Operational
  2⤵
  PID:740
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Analytic
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Debug
  2⤵
  PID:3296
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/Operational
  2⤵
  PID:1684
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OfflineFiles/SyncLog
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneBackup/Debug
  2⤵
  PID:1152
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneX/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:3796
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OneX/Operational
  2⤵
  PID:2016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OobeLdr/Analytic
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-OtpCredentialProvider/Operational
  2⤵
  PID:2764
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PCI/Diagnostic
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Analytic
  2⤵
  PID:2768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Debug
  2⤵
  - Clears Windows event logs
  PID:5032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PackageStateRoaming/Operational
  2⤵
  PID:3148
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ParentalControls/Operational
  2⤵
  PID:3528
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Partition/Analytic
  2⤵
  PID:812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Partition/Diagnostic
  2⤵
  PID:640
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic
  2⤵
  PID:1652
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PerceptionRuntime/Operational
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PerceptionSensorDataService/Operational
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Analytic
  2⤵
  PID:4632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic
  2⤵
  PID:1312
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-Nvdimm/Operational
  2⤵
  PID:2184
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Analytic
  2⤵
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic
  2⤵
  PID:4588
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-PmemDisk/Operational
  2⤵
  PID:4392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Analytic
  2⤵
  PID:632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Certification
  2⤵
  PID:1632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Diagnose
  2⤵
  PID:3788
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PersistentMemory-ScmBus/Operational
  2⤵
  PID:2588
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PhotoAcq/Analytic
  2⤵
  PID:1812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PlayToManager/Analytic
  2⤵
  PID:1744
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Policy/Analytic
  2⤵
  - Clears Windows event logs
  PID:672
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Policy/Operational
  2⤵
  PID:3276
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PortableDeviceStatusProvider/Analytic
  2⤵
  PID:2068
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PortableDeviceSyncProvider/Analytic
  2⤵
  PID:2240
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Power-Meter-Polling/Diagnostic
  2⤵
  PID:4036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerCfg/Diagnostic
  2⤵
  - Power Settings
  PID:5084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerCpl/Diagnostic
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic
  2⤵
  PID:2000
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug
  2⤵
  PID:3416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
  2⤵
  PID:4472
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Admin
  2⤵
  - Clears Windows event logs
  PID:1384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Analytic
  2⤵
  PID:4556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Debug
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PowerShell/Operational
  2⤵
  PID:1028
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrimaryNetworkIcon/Performance
  2⤵
  - Clears Windows event logs
  PID:3232
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintBRM/Admin
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService-USBMon/Debug
  2⤵
  PID:316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Admin
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Debug
  2⤵
  - Clears Windows event logs
  PID:2692
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PrintService/Operational
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Privacy-Auditing/Operational
  2⤵
  PID:2440
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ProcessStateManager/Diagnostic
  2⤵
  PID:5092
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Program-Compatibility-Assistant/Analytic
  2⤵
  PID:468
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin
  2⤵
  PID:2600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug
  2⤵
  PID:3288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService
  2⤵
  PID:5008
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Diagnostic
  2⤵
  PID:1864
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Informational
  2⤵
  PID:2500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Proximity-Common/Performance
  2⤵
  PID:1500
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Developer/Debug
  2⤵
  PID:2376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-InProc/Debug
  2⤵
  PID:1936
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Admin
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Debug
  2⤵
  PID:4948
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-PushNotification-Platform/Operational
  2⤵
  PID:2212
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-QoS-Pacer/Diagnostic
  2⤵
  PID:4832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-QoS-qWAVE/Debug
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC-Proxy/Debug
  2⤵
  PID:3656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC/Debug
  2⤵
  - Clears Windows event logs
  PID:3540
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RPC/EEInfo
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RRAS/Debug
  2⤵
  - Clears Windows event logs
  PID:4088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RRAS/Operational
  2⤵
  PID:1020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RadioManager/Analytic
  2⤵
  PID:4900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic
  2⤵
  PID:2016
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RasAgileVpn/Debug
  2⤵
  PID:4544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RasAgileVpn/Operational
  2⤵
  PID:1604
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReFS/Operational
  2⤵
  PID:1952
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoost/Analytic
  2⤵
  PID:2248
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoost/Operational
  2⤵
  PID:1956
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoostDriver/Analytic
  2⤵
  PID:2560
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ReadyBoostDriver/Operational
  2⤵
  PID:1180
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Regsvr32/Operational
  2⤵
  - Clears Windows event logs
  PID:4772
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
  2⤵
  PID:2880
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
  2⤵
  PID:4284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Admin
  2⤵
  PID:3392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Operational
  2⤵
  PID:720
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteAssistance/Tracing
  2⤵
  PID:4636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin
  2⤵
  PID:688
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug
  2⤵
  PID:1312
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  2⤵
  PID:2800
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug
  2⤵
  PID:4516
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug
  2⤵
  PID:3792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational
  2⤵
  PID:2824
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Remotefs-Rdbss/Diagnostic
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Remotefs-Rdbss/Operational
  2⤵
  PID:1940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ResetEng-Trace/Diagnostic
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Detector/Operational
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Resource-Exhaustion-Resolver/Operational
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ResourcePublication/Tracing
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RestartManager/Operational
  2⤵
  PID:4616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RetailDemo/Admin
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-RetailDemo/Operational
  2⤵
  PID:4872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Graphics/Analytic
  2⤵
  PID:3768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Networking/Tracing
  2⤵
  PID:3112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Web-Http/Tracing
  2⤵
  PID:3300
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-WebAPI/Tracing
  2⤵
  PID:2368
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource
  2⤵
  PID:3476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine
  2⤵
  PID:2312
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource
  2⤵
  PID:3032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode
  2⤵
  PID:4840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime/CreateInstance
  2⤵
  PID:3448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Runtime/Error
  2⤵
  PID:1628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBClient/Analytic
  2⤵
  PID:4224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBClient/HelperClassDiagnostic
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBClient/ObjectStateDiagnostic
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBClient/Operational
  2⤵
  PID:2736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBDirect/Admin
  2⤵
  PID:3036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBDirect/Debug
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBDirect/Netmon
  2⤵
  PID:4388
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Analytic
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Audit
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Connectivity
  2⤵
  PID:3568
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Diagnostic
  2⤵
  PID:2860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Operational
  2⤵
  PID:3176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Performance
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBServer/Security
  2⤵
  PID:5044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBWitnessClient/Admin
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SMBWitnessClient/Informational
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SPB-ClassExtension/Analytic
  2⤵
  PID:840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SPB-HIDI2C/Analytic
  2⤵
  PID:1836
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Schannel-Events/Perf
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sdbus/Analytic
  2⤵
  PID:5116
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sdbus/Debug
  2⤵
  PID:2088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sdstor/Analytic
  2⤵
  PID:900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Search-Core/Diagnostic
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Search-ProtocolHandlers/Diagnostic
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SearchUI/Diagnostic
  2⤵
  PID:3296
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SearchUI/Operational
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecureAssessment/Operational
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Adminless/Operational
  2⤵
  PID:1152
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Audit-Configuration-Client/Operational
  2⤵
  PID:3796
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-IdentityListener/Operational
  2⤵
  PID:2768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-IdentityStore/Performance
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational
  2⤵
  PID:1600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Mitigations/KernelMode
  2⤵
  PID:3528
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Mitigations/UserMode
  2⤵
  PID:812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Netlogon/Operational
  2⤵
  PID:640
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX-GC/Analytic
  2⤵
  PID:1652
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP-UX/Analytic
  2⤵
  PID:2228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-SPP/Perf
  2⤵
  PID:3716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-UserConsentVerifier/Audit
  2⤵
  PID:3544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Security-Vault/Performance
  2⤵
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecurityMitigationsBroker/Admin
  2⤵
  PID:4960
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecurityMitigationsBroker/Operational
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SecurityMitigationsBroker/Perf
  2⤵
  PID:4228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SendTo/Diagnostic
  2⤵
  PID:2952
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sens/Debug
  2⤵
  PID:8
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sensors/Debug
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sensors/Performance
  2⤵
  PID:1940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Serial-ClassExtension-V2/Analytic
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Serial-ClassExtension/Analytic
  2⤵
  - Clears Windows event logs
  PID:2656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ServiceReportingApi/Debug
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Services-Svchost/Diagnostic
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Services/Diagnostic
  2⤵
  PID:4616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Servicing/Debug
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-Azure/Debug
  2⤵
  PID:4872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-Azure/Operational
  2⤵
  PID:4664
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-OneDrive/Analytic
  2⤵
  PID:2316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-OneDrive/Debug
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync-OneDrive/Operational
  2⤵
  PID:4756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/Analytic
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/Debug
  2⤵
  - Clears Windows event logs
  PID:4472
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/Operational
  2⤵
  PID:1384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SettingSync/VerboseDebug
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Setup/Analytic
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupCl/Analytic
  2⤵
  PID:1028
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupPlatform/Analytic
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupQueue/Analytic
  2⤵
  - Clears Windows event logs
  PID:2820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SetupUGC/Analytic
  2⤵
  PID:316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic
  2⤵
  PID:4524
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AppWizCpl/Diagnostic
  2⤵
  PID:2736
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic
  2⤵
  PID:3036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-Common/Diagnostic
  2⤵
  PID:1820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic
  2⤵
  PID:4388
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic
  2⤵
  PID:1884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic
  2⤵
  PID:2592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic
  2⤵
  PID:3568
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic
  2⤵
  PID:5052
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter
  2⤵
  PID:2860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/ActionCenter
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/AppDefaults
  2⤵
  PID:5044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/Diagnostic
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/LogonTasksChannel
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Core/Operational
  2⤵
  PID:628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-DefaultPrograms/Diagnostic
  2⤵
  PID:840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-LockScreenContent/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:3592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-OpenWith/Diagnostic
  2⤵
  PID:5116
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-Shwebsvc
  2⤵
  PID:2088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shell-ZipFolder/Diagnostic
  2⤵
  PID:900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational
  2⤵
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Shsvcs/Diagnostic
  2⤵
  PID:3296
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SleepStudy/Diagnostic
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-Audit/Authentication
  2⤵
  PID:3572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-DeviceEnum/Operational
  2⤵
  PID:1152
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin
  2⤵
  PID:1284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational
  2⤵
  PID:3796
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmartScreen/Debug
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Audit
  2⤵
  PID:2504
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Connectivity
  2⤵
  PID:3520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Diagnostic
  2⤵
  PID:2768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SmbClient/Security
  2⤵
  PID:5032
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Speech-UserExperience/Diagnostic
  2⤵
  PID:1600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Spell-Checking/Analytic
  2⤵
  PID:3528
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SpellChecker/Analytic
  2⤵
  PID:812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Spellchecking-Host/Analytic
  2⤵
  PID:640
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SruMon/Diagnostic
  2⤵
  PID:1652
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SrumTelemetry
  2⤵
  PID:4572
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Debug
  2⤵
  PID:4432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Diagnostic
  2⤵
  - Clears Windows event logs
  PID:2228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Operational
  2⤵
  PID:3716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StateRepository/Restricted
  2⤵
  PID:3544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorDiag/Operational
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorPort/Operational
  2⤵
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Admin
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Analytic
  2⤵
  PID:4228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Debug
  2⤵
  PID:2952
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Diagnose
  2⤵
  - Clears Windows event logs
  PID:8
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ATAPort/Operational
  2⤵
  PID:1144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Admin
  2⤵
  PID:1940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Analytic
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Debug
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Diagnose
  2⤵
  - Clears Windows event logs
  PID:4476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-ClassPnP/Operational
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Admin
  2⤵
  PID:4616
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Analytic
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Debug
  2⤵
  PID:4872
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Diagnose
  2⤵
  PID:4664
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Disk/Operational
  2⤵
  PID:2316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Admin
  2⤵
  PID:3600
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Analytic
  2⤵
  PID:4756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Debug
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Diagnose
  2⤵
  PID:4472
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Health
  2⤵
  - Clears Windows event logs
  PID:1384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Storport/Operational
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Tiering-IoHeat/Heat
  2⤵
  PID:876
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storage-Tiering/Admin
  2⤵
  - Clears Windows event logs
  PID:1028
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageManagement/Debug
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageManagement/Operational
  2⤵
  PID:2820
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSettings/Diagnostic
  2⤵
  PID:316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-Driver/Diagnostic
  2⤵
  PID:3140
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-Driver/Operational
  2⤵
  PID:3636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-Driver/Performance
  2⤵
  PID:4740
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-ManagementAgent/WHC
  2⤵
  PID:1064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic
  2⤵
  PID:468
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-StorageSpaces-SpaceManager/Operational
  2⤵
  PID:2436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Store/Operational
  2⤵
  PID:780
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Storsvc/Diagnostic
  2⤵
  PID:3176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Subsys-Csr/Operational
  2⤵
  PID:5008
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Subsys-SMSS/Operational
  2⤵
  PID:3812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Superfetch/Main
  2⤵
  PID:3316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Superfetch/PfApLog
  2⤵
  PID:3004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Superfetch/StoreLog
  2⤵
  PID:2376
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sysmon/Operational
  2⤵
  PID:4144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Sysprep/Analytic
  2⤵
  PID:4136
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-System-Profile-HardwareId/Diagnostic
  2⤵
  PID:4776
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemSettingsHandlers/Debug
  2⤵
  PID:2212
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemSettingsThreshold/Debug
  2⤵
  PID:740
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemSettingsThreshold/Diagnostic
  2⤵
  PID:1988
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-SystemSettingsThreshold/Operational
  2⤵
  PID:208
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TCPIP/Diagnostic
  2⤵
  PID:4972
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TCPIP/Operational
  2⤵
  PID:2548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msctf/Debug
  2⤵
  PID:4088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msctf/Diagnostic
  2⤵
  PID:3128
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msutb/Debug
  2⤵
  PID:624
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TSF-msutb/Diagnostic
  2⤵
  PID:556
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TTS/Diagnostic
  2⤵
  PID:1272
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TWinAPI/Diagnostic
  2⤵
  PID:1604
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TWinUI/Diagnostic
  2⤵
  PID:4048
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TWinUI/Operational
  2⤵
  PID:2248
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TZSync/Analytic
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TZSync/Operational
  2⤵
  PID:3756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TZUtil/Operational
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Debug
  2⤵
  PID:4536
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Diagnostic
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Maintenance
  2⤵
  PID:4284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskScheduler/Operational
  2⤵
  - Clears Windows event logs
  PID:2940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TaskbarCPL/Diagnostic
  2⤵
  PID:4632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
  2⤵
  PID:2400
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic
  2⤵
  PID:2184
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug
  2⤵
  PID:1328
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
  2⤵
  PID:3544
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
  2⤵
  PID:1580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic
  2⤵
  PID:4516
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Debug
  2⤵
  PID:1044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  2⤵
  PID:4628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-MediaRedirection/Analytic
  2⤵
  - Clears Windows event logs
  PID:3788
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Admin
  2⤵
  PID:2588
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Analytic
  2⤵
  - Clears Windows event logs
  PID:1144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Debug
  2⤵
  PID:1744
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-PnPDevices/Operational
  2⤵
  PID:1712
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Admin
  2⤵
  PID:1228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Analytic
  2⤵
  PID:4476
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Debug
  2⤵
  PID:2240
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-Printers/Operational
  2⤵
  PID:4036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Analytic
  2⤵
  PID:3200
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Debug
  2⤵
  PID:3976
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RDPClient/Operational
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture
  2⤵
  PID:2432
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback
  2⤵
  PID:3300
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
  2⤵
  PID:2056
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic
  2⤵
  PID:4444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug
  2⤵
  - Clears Windows event logs
  PID:4584
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
  2⤵
  PID:4092
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
  2⤵
  - Clears Windows event logs
  PID:4840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic
  2⤵
  PID:3448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug
  2⤵
  PID:2828
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
  2⤵
  PID:4224
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Tethering-Manager/Analytic
  2⤵
  PID:4464
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Tethering-Station/Analytic
  2⤵
  PID:3052
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ThemeCPL/Diagnostic
  2⤵
  PID:1392
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ThemeUI/Diagnostic
  2⤵
  PID:2492
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Threat-Intelligence/Analytic
  2⤵
  PID:5092
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational
  2⤵
  - Clears Windows event logs
  PID:4112
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Time-Service/Operational
  2⤵
  PID:3028
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Troubleshooting-Recommended/Admin
  2⤵
  PID:1716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Troubleshooting-Recommended/Operational
  2⤵
  PID:2620
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-TunnelDriver
  2⤵
  PID:884
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UAC-FileVirtualization/Operational
  2⤵
  PID:2564
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UAC/Operational
  2⤵
  PID:2860
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UI-Shell/Diagnostic
  2⤵
  PID:920
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAnimation/Diagnostic
  2⤵
  PID:5044
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAutomationCore/Debug
  2⤵
  PID:4160
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAutomationCore/Diagnostic
  2⤵
  PID:4644
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIAutomationCore/Perf
  2⤵
  PID:628
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UIRibbon/Diagnostic
  2⤵
  PID:840
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-MAUSBHOST-Analytic
  2⤵
  PID:3592
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-UCX-Analytic
  2⤵
  PID:3580
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBHUB/Diagnostic
  2⤵
  PID:4832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBHUB3-Analytic
  2⤵
  PID:900
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBPORT/Diagnostic
  2⤵
  PID:4416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBXHCI-Analytic
  2⤵
  - Clears Windows event logs
  PID:4668
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic
  2⤵
  - Clears Windows event logs
  PID:1548
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UniversalTelemetryClient/Operational
  2⤵
  PID:4100
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
  2⤵
  PID:2792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
  2⤵
  PID:3444
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel/Diagnostic"
  2⤵
  PID:1808
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Control Panel/Operational"
  2⤵
  PID:3796
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Device Registration/Admin"
  2⤵
  PID:216
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Device Registration/Debug"
  2⤵
  PID:4048
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Profile Service/Diagnostic"
  2⤵
  PID:2248
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-User Profile Service/Operational"
  2⤵
  PID:4288
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-User-Loader/Analytic
  2⤵
  PID:3756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-User-Loader/Operational
  2⤵
  PID:4560
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserAccountControl/Diagnostic
  2⤵
  PID:4536
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserModePowerService/Diagnostic
  2⤵
  PID:1084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/ActionCenter
  2⤵
  PID:4284
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/DeviceInstall
  2⤵
  PID:2940
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/DeviceMetadata/Debug
  2⤵
  PID:4632
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/Performance
  2⤵
  PID:2276
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UserPnp/SchedulerOperations
  2⤵
  PID:2228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UxInit/Diagnostic
  2⤵
  PID:5020
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-UxTheme/Diagnostic
  2⤵
  PID:3716
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VAN/Diagnostic
  2⤵
  PID:4336
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VDRVROOT/Operational
  2⤵
  PID:768
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VHDMP-Analytic
  2⤵
  PID:4848
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VHDMP-Operational
  2⤵
  PID:4228
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VIRTDISK-Analytic
  2⤵
  PID:4828
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VPN-Client/Operational
  2⤵
  PID:4192
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VPN/Operational
  2⤵
  PID:2172
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VWiFi/Diagnostic
  2⤵
  PID:1744
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VerifyHardwareSecurity/Admin
  2⤵
  PID:5088
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VerifyHardwareSecurity/Operational
  2⤵
  PID:1928
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Volume/Diagnostic
  2⤵
  PID:2656
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VolumeControl/Performance
  2⤵
  PID:4384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VolumeSnapshot-Driver/Analytic
  2⤵
  PID:5084
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-VolumeSnapshot-Driver/Operational
  2⤵
  PID:3220
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WABSyncProvider/Analytic
  2⤵
  PID:2752
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WCN-Config-Registrar/Diagnostic
  2⤵
  PID:2648
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WCNWiz/Analytic
  2⤵
  PID:2316
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WEPHOSTSVC/Operational
  2⤵
  PID:1416
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WER-PayloadHealth/Operational
  2⤵
  PID:4756
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WFP/Analytic
  2⤵
  PID:2036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WFP/Operational
  2⤵
  PID:4472
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-AutoConfig/Operational
  2⤵
  PID:1384
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-Autoconfig/Diagnostic
  2⤵
  PID:792
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-Driver/Analytic
  2⤵
  PID:4520
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLAN-MediaManager/Diagnostic
  2⤵
  PID:3124
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WLANConnectionFlow/Diagnostic
  2⤵
  PID:4448
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMI-Activity/Debug
  2⤵
  PID:3832
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMI-Activity/Operational
  2⤵
  PID:4744
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMI-Activity/Trace
  2⤵
  PID:2864
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPDMCUI/Diagnostic
  2⤵
  PID:3036
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic
  2⤵
  PID:3636
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSS-Service/Diagnostic
  2⤵
  PID:1064
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSS-Service/Operational
  2⤵
  PID:468
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WMPNSSUI/Diagnostic
  2⤵
  PID:2436
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-API/Analytic
  2⤵
  PID:3484
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-ClassInstaller/Analytic
  2⤵
  - Clears Windows event logs
  PID:916
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-ClassInstaller/Operational
  2⤵
  PID:3176
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-CompositeClassDriver/Analytic
  2⤵
  - Clears Windows event logs
  PID:5008
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-CompositeClassDriver/Operational
  2⤵
  PID:3812
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPBT/Analytic
  2⤵
  PID:732
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPClassDriver/Analytic
  2⤵
  PID:3004
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPClassDriver/Operational
  2⤵
  PID:1072
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPIP/Analytic
  2⤵
  PID:4144
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WPD-MTPUS/Analytic
  2⤵
  PID:1936
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WSC-SRV/Diagnostic
  2⤵
  PID:1488
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WUSA/Debug
  2⤵
  PID:5116
- C:\Windows\system32\wevtutil.exe
  "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-WWAN-CFE/Diagnostic
  2⤵
  PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Power Settings

T1653

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Query Registry

T1012

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8FFB.tmp

Filesize
1KB

MD5
9135e2b1622138e393d2cc9482a0ff5d

SHA1
c8c9ef119e7397acc509a78e18853fe3a3b0e28f

SHA256
8b759110fcf2fcd6dd421f1421fc0f52a1aff9d943943b8161bdc11773cd379a

SHA512
3cfb071bc71518c0738f3349919d4c091af3b360f880c28d761875e283db1efbb885e11dd478d2d874a2bb4ccce6e4b1b350ba893ab51c81c59062f88ae0c643

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC54.tmp

Filesize
1KB

MD5
f19b794000c3bd940b8e376d11c6056a

SHA1
39d2da1c2fd620db3adaa23e2333d39c929b40b4

SHA256
4ae9032880c0575a2c858acdee5c473348e45843045cc297145a10721981b688

SHA512
0dfeeea1701b6bdc0a89123d697adc680be08aa5881058ffe985b51d3dbfc59616b0f8d0aebe71376b4c50bace3d37c328af669bdb72ae3887963eb12c1be71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bclpd2yo.hwl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\os32efxg\os32efxg.dll

Filesize
3KB

MD5
ccbd856455189e00accc9ed6cba713c4

SHA1
499087782eeee0cd07b68a9b70c9c6c4fc404c37

SHA256
5a8f742afa357f251d9058eef6bf53132808b3fafe4d929a4d3df50fabccb60d

SHA512
919dbd64577b17e788d113885276756acc490536efcf4c37c2cf319a69a20939b815f8e7c0e35cd764ab3c3b01a0fd0eacab7e7ae6cb6de0356a30b403a3bfab

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttqri4hs\ttqri4hs.dll

Filesize
3KB

MD5
28ebf15b2078e97778f8d27ac94a30e0

SHA1
5e07f490ce6268f854ba205fd8cdbef9e0a0e68e

SHA256
5d3ab483353c531731a2d76488ace76a55b467321fac62963591a52c44f8b058

SHA512
2a21d7ac1841ace289833fd666779dd571dde27b903acf2e42d47a86b6e13b4334b8ae15b833f72525e9791a02a43be1f6f8e60fe945aaf78d544cafc326166b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\os32efxg\CSC2F3ADE3EFE44BE1AA11D07DC66D38A.TMP

Filesize
652B

MD5
d89fa1e3df7ec3c664970b5d90efd80b

SHA1
89226b88ec29a9f281fd2f13ac9f68483326f48b

SHA256
b8e3116bcdab91ca5509aa677037ac53515f4d9983e9a2742e0518bbc3d959be

SHA512
1dd62d9dbd8716fb7ae880517f4fcb5e51cea2fb42baeb4a117e95e43025ce6127b56e346da03c8db74a24bc2d61ea5a26dfffff326fded4cc305f7b30ae5d99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\os32efxg\os32efxg.0.cs

Filesize
696B

MD5
b794645974059bd125405f327c5ace77

SHA1
d332d8821d1eee8e5db75ec151df5ec945bec334

SHA256
afd81c914fe8fa7ee32be6a797f46a2a829908b45d59100c1052a7baf2a347da

SHA512
dc8e4aa0b35a02d7f43868bce8602ac3941341f74e2f2de6bb79dbb8eb9372431cd7179f3701a09d574ea449735738d9ba368b78fe4fe7fa6f9856536c19f8f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\os32efxg\os32efxg.cmdline

Filesize
369B

MD5
79815f89439acda70db704dc4fe1a044

SHA1
6dd0096f4cdb60b2b833adec1cdaf8fde12a0198

SHA256
91316ae11623b9315c05c7c508e82ad01baefc3cd593be1771fde657358de2bd

SHA512
904205b18d0b5506d39b7d567ce1f231f78586924f4fac94df25ab52e0831ab6c4850a6509fc0a216484d8bc9f059dc8be1c42e86fdd9a03298ca99d760a081e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttqri4hs\CSCE983A97CE091495B995CC417969C619D.TMP

Filesize
652B

MD5
7bac80d7d41e7da91e99d68f233cb7b9

SHA1
def64d476b5d615e0f0a741f31e1910558778a14

SHA256
00507084c842551bc94c5d67f03ba5c3cda1706acbe797ee8bb30e352188634c

SHA512
6bdfa9629fcb8e7f3e9f3d1ca94d1f18a710e14a01d6c9baf02d304217cb4d56a449f009e4f3dbf410b128761d7f10ac5d4f3b0087cc80da3857d46f1a8c0263

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttqri4hs\ttqri4hs.0.cs

Filesize
249B

MD5
7df2964601813e20ea90bc7eca64b00b

SHA1
a8ad7c0e81f3b6edd66269283ff1603491edca3b

SHA256
daf8a1ae523190ef51054e143909966e01c3b6f531c72b9524d91254eacd6084

SHA512
4970916854df38bd3e55021c3d4f802b3db5a4d64a4570817edeb8c42d6e335a4e989bfcfdead96c2ee8776cc54ad09ef609090ccd34b849532d5f3f6caf42e0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ttqri4hs\ttqri4hs.cmdline

Filesize
369B

MD5
8eb64870f68339967fcdb97dde7dd4d0

SHA1
307da91d6300bca1bf300f02dd3bca3bf4ad91cc

SHA256
5f6d016f2d6dc75ce9036d66185335a95b07dfd9a9b688cafc96090e8d6656bc

SHA512
f944aa96bb8e82a3e9c20b9e2d2e718ad83a12e49b8c00bd6d0163f85e544d8e4e3b24434927c81893be8ca5dd63b10cc30a5475db6cddb2a1abfd2a8aa86083

Download Submit
memory/1236-12-0x00007FFB304D0000-0x00007FFB30F91000-memory.dmp

Filesize
10.8MB

Download
memory/1236-31-0x00007FFB304D3000-0x00007FFB304D5000-memory.dmp

Filesize
8KB

Download
memory/1236-32-0x00007FFB304D0000-0x00007FFB30F91000-memory.dmp

Filesize
10.8MB

Download
memory/1236-33-0x00007FFB304D0000-0x00007FFB30F91000-memory.dmp

Filesize
10.8MB

Download
memory/1236-34-0x00007FFB304D0000-0x00007FFB30F91000-memory.dmp

Filesize
10.8MB

Download
memory/1236-27-0x00007FFB304D0000-0x00007FFB30F91000-memory.dmp

Filesize
10.8MB

Download
memory/1236-25-0x000001AE30A60000-0x000001AE30A68000-memory.dmp

Filesize
32KB

Download
memory/1236-0-0x00007FFB304D3000-0x00007FFB304D5000-memory.dmp

Filesize
8KB

Download
memory/1236-11-0x00007FFB304D0000-0x00007FFB30F91000-memory.dmp

Filesize
10.8MB

Download
memory/1236-10-0x000001AE31570000-0x000001AE31592000-memory.dmp

Filesize
136KB

Download
memory/1236-48-0x000001AE31940000-0x000001AE31948000-memory.dmp

Filesize
32KB

Download