rhysida | 1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2025, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
Size

422KB
MD5

4ef0160b3eb114a94aeedd0bb5716058
SHA1

10cb9fa20dec34fa7ceab8248a0deef8ecb7bcef
SHA256

1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd
SHA512

86f4ac8d77a1d50b4ebc74e1992f9487ff1abb3b4e275f0e7a5355b1111f967d0f74958cf5b8dc673da2d384e5944e60deae7005a1b5f0c4dfdd3aa45cfe2b89
SSDEEP

6144:izOLumbr+/LRsL5whr2FaSSJmo7zYrMFFMk3nwH8nTNFT:iUCaJo7tMowHI

Score

10^/10

rhysida credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Signatures

Detect Rhysida ransomware 6 IoCs

resource	yara_rule
behavioral1/memory/2088-7794-0x0000000000400000-0x0000000000479000-memory.dmp	family_rhysida
behavioral1/memory/2088-14885-0x0000000000400000-0x0000000000479000-memory.dmp	family_rhysida
behavioral1/memory/2088-15009-0x0000000000400000-0x0000000000479000-memory.dmp	family_rhysida
behavioral1/memory/2088-15010-0x0000000000400000-0x0000000000479000-memory.dmp	family_rhysida
behavioral1/memory/2088-15011-0x0000000000400000-0x0000000000479000-memory.dmp	family_rhysida
behavioral1/memory/2088-15014-0x0000000000400000-0x0000000000479000-memory.dmp	family_rhysida

Rhysida
Rhysida is a ransomware that is written in C++ and discovered in 2023.
ransomware rhysida
Rhysida family
rhysida

Clears Windows event logs 1 TTPs 64 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
5344	wevtutil.exe
628	wevtutil.exe
6556	wevtutil.exe
6000	wevtutil.exe
6436	Process not Found
6992	wevtutil.exe
2216	Process not Found
2208	Process not Found
2364	wevtutil.exe
3780	wevtutil.exe
4420	wevtutil.exe
4420	Process not Found
2084	wevtutil.exe
964	wevtutil.exe
6992	wevtutil.exe
4308	Process not Found
4888	wevtutil.exe
5548	wevtutil.exe
4220	wevtutil.exe
4752	wevtutil.exe
7120	wevtutil.exe
2520	wevtutil.exe
968	Process not Found
2764	wevtutil.exe
5116	wevtutil.exe
4280	wevtutil.exe
6528	wevtutil.exe
4248	wevtutil.exe
1244	wevtutil.exe
2532	wevtutil.exe
4088	wevtutil.exe
4876	wevtutil.exe
1848	wevtutil.exe
5344	wevtutil.exe
5876	wevtutil.exe
5728	wevtutil.exe
6112	wevtutil.exe
3764	wevtutil.exe
5788	wevtutil.exe
4572	Process not Found
6152	wevtutil.exe
5868	wevtutil.exe
5432	wevtutil.exe
4888	wevtutil.exe
2616	wevtutil.exe
1352	wevtutil.exe
6464	wevtutil.exe
3276	wevtutil.exe
5016	wevtutil.exe
7036	wevtutil.exe
3208	wevtutil.exe
2664	Process not Found
2584	wevtutil.exe
680	wevtutil.exe
6132	wevtutil.exe
5912	wevtutil.exe
5968	wevtutil.exe
4868	wevtutil.exe
3144	wevtutil.exe
2700	wevtutil.exe
1968	wevtutil.exe
4636	wevtutil.exe
4792	wevtutil.exe
5132	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (9625) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5644	Process not Found

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Hide Artifacts: Hidden Window 1 TTPs 2 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3768	Process not Found
5756	Process not Found

Indicator Removal: Clear Persistence 1 TTPs 2 IoCs

Clear artifacts associated with previously established persistence like scheduletasks on a host.

defense_evasion

Clear Persistence

T1070.009

pid	Process
3768	Process not Found
5756	Process not Found

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
296	wevtutil.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Public\\bg.jpg"	Process not Found

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\vlc.mo.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\ui-strings.js.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\ca.pak.DATA.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial4-ul-oob.xrm-ms.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Stable.msix.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\ResiliencyLinks\Locales\pt-BR.pak.DATA.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\ui-strings.js.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-2x.png.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\PSGet.Resource.psd1.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\id.pak.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-sl\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Fonts\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\ui-strings.js.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_proxy\win11\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\ui-strings.js.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\bun.png.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\icudtl.dat.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-pl.xrm-ms.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\ui-strings.js.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\Locales\nn.pak.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\resources.pak.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019MSDNR_Retail-ul-phn.xrm-ms.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ul-oob.xrm-ms.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_selected_18.svg.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\ui-strings.js.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sl_get.svg.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy.jar.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_fi_135x40.svg.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\dotnet\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ul-oob.xrm-ms.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files\Windows Security\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\ui-strings.js.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_disable\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\133.0.3065.69\CriticalBreachDetected.pdf	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\MSFT_PackageManagementSource.schema.mfl.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\VisualElements\LogoDev.png.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\pa.pak.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OFFSYMT.TTF.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\classlist.rhysida	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5912	Process not Found
5440	Process not Found
4940	Process not Found

System Time Discovery 1 TTPs 1 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
5528	wevtutil.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6380	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4940	Process not Found

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5644	Process not Found
5644	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	5040	vssvc.exe
Token: SeRestorePrivilege	5040	vssvc.exe
Token: SeAuditPrivilege	5040	vssvc.exe
Token: SeSecurityPrivilege	6796	wevtutil.exe
Token: SeBackupPrivilege	6796	wevtutil.exe
Token: SeSecurityPrivilege	6824	wevtutil.exe
Token: SeBackupPrivilege	6824	wevtutil.exe
Token: SeSecurityPrivilege	6836	wevtutil.exe
Token: SeBackupPrivilege	6836	wevtutil.exe
Token: SeSecurityPrivilege	6844	wevtutil.exe
Token: SeBackupPrivilege	6844	wevtutil.exe
Token: SeSecurityPrivilege	6568	wevtutil.exe
Token: SeBackupPrivilege	6568	wevtutil.exe
Token: SeSecurityPrivilege	7112	wevtutil.exe
Token: SeBackupPrivilege	7112	wevtutil.exe
Token: SeSecurityPrivilege	5116	wevtutil.exe
Token: SeBackupPrivilege	5116	wevtutil.exe
Token: SeSecurityPrivilege	6648	wevtutil.exe
Token: SeBackupPrivilege	6648	wevtutil.exe
Token: SeSecurityPrivilege	6252	wevtutil.exe
Token: SeBackupPrivilege	6252	wevtutil.exe
Token: SeSecurityPrivilege	6772	wevtutil.exe
Token: SeBackupPrivilege	6772	wevtutil.exe
Token: SeSecurityPrivilege	6976	wevtutil.exe
Token: SeBackupPrivilege	6976	wevtutil.exe
Token: SeSecurityPrivilege	6984	wevtutil.exe
Token: SeBackupPrivilege	6984	wevtutil.exe
Token: SeSecurityPrivilege	6628	wevtutil.exe
Token: SeBackupPrivilege	6628	wevtutil.exe
Token: SeSecurityPrivilege	6452	wevtutil.exe
Token: SeBackupPrivilege	6452	wevtutil.exe
Token: SeSecurityPrivilege	6360	wevtutil.exe
Token: SeBackupPrivilege	6360	wevtutil.exe
Token: SeSecurityPrivilege	6388	wevtutil.exe
Token: SeBackupPrivilege	6388	wevtutil.exe
Token: SeSecurityPrivilege	6852	wevtutil.exe
Token: SeBackupPrivilege	6852	wevtutil.exe
Token: SeSecurityPrivilege	1796	wevtutil.exe
Token: SeBackupPrivilege	1796	wevtutil.exe
Token: SeSecurityPrivilege	7084	wevtutil.exe
Token: SeBackupPrivilege	7084	wevtutil.exe
Token: SeSecurityPrivilege	6464	wevtutil.exe
Token: SeBackupPrivilege	6464	wevtutil.exe
Token: SeSecurityPrivilege	6424	wevtutil.exe
Token: SeBackupPrivilege	6424	wevtutil.exe
Token: SeSecurityPrivilege	6408	wevtutil.exe
Token: SeBackupPrivilege	6408	wevtutil.exe
Token: SeSecurityPrivilege	6644	wevtutil.exe
Token: SeBackupPrivilege	6644	wevtutil.exe
Token: SeSecurityPrivilege	6764	wevtutil.exe
Token: SeBackupPrivilege	6764	wevtutil.exe
Token: SeSecurityPrivilege	1632	wevtutil.exe
Token: SeBackupPrivilege	1632	wevtutil.exe
Token: SeSecurityPrivilege	4896	wevtutil.exe
Token: SeBackupPrivilege	4896	wevtutil.exe
Token: SeSecurityPrivilege	2616	wevtutil.exe
Token: SeBackupPrivilege	2616	wevtutil.exe
Token: SeSecurityPrivilege	7072	wevtutil.exe
Token: SeBackupPrivilege	7072	wevtutil.exe
Token: SeSecurityPrivilege	7068	wevtutil.exe
Token: SeBackupPrivilege	7068	wevtutil.exe
Token: SeSecurityPrivilege	6916	wevtutil.exe
Token: SeBackupPrivilege	6916	wevtutil.exe
Token: SeSecurityPrivilege	6652	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4448	2088	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe	94
PID 2088 wrote to memory of 4448	2088	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe	94
PID 4448 wrote to memory of 6352	4448	cmd.exe	96
PID 4448 wrote to memory of 6352	4448	cmd.exe	96
PID 6352 wrote to memory of 6380	6352	cmd.exe	97
PID 6352 wrote to memory of 6380	6352	cmd.exe	97
PID 2088 wrote to memory of 6244	2088	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe	101
PID 2088 wrote to memory of 6244	2088	1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe	101
PID 6244 wrote to memory of 6296	6244	cmd.exe	103
PID 6244 wrote to memory of 6296	6244	cmd.exe	103
PID 6296 wrote to memory of 6316	6296	cmd.exe	104
PID 6296 wrote to memory of 6316	6296	cmd.exe	104
PID 6316 wrote to memory of 6796	6316	cmd.exe	105
PID 6316 wrote to memory of 6796	6316	cmd.exe	105
PID 6296 wrote to memory of 6824	6296	cmd.exe	106
PID 6296 wrote to memory of 6824	6296	cmd.exe	106
PID 6296 wrote to memory of 6836	6296	cmd.exe	107
PID 6296 wrote to memory of 6836	6296	cmd.exe	107
PID 6296 wrote to memory of 6844	6296	cmd.exe	108
PID 6296 wrote to memory of 6844	6296	cmd.exe	108
PID 6296 wrote to memory of 6568	6296	cmd.exe	109
PID 6296 wrote to memory of 6568	6296	cmd.exe	109
PID 6296 wrote to memory of 7112	6296	cmd.exe	110
PID 6296 wrote to memory of 7112	6296	cmd.exe	110
PID 6296 wrote to memory of 5116	6296	cmd.exe	111
PID 6296 wrote to memory of 5116	6296	cmd.exe	111
PID 6296 wrote to memory of 6648	6296	cmd.exe	112
PID 6296 wrote to memory of 6648	6296	cmd.exe	112
PID 6296 wrote to memory of 6252	6296	cmd.exe	113
PID 6296 wrote to memory of 6252	6296	cmd.exe	113
PID 6296 wrote to memory of 6772	6296	cmd.exe	114
PID 6296 wrote to memory of 6772	6296	cmd.exe	114
PID 6296 wrote to memory of 6976	6296	cmd.exe	115
PID 6296 wrote to memory of 6976	6296	cmd.exe	115
PID 6296 wrote to memory of 6984	6296	cmd.exe	116
PID 6296 wrote to memory of 6984	6296	cmd.exe	116
PID 6296 wrote to memory of 6628	6296	cmd.exe	117
PID 6296 wrote to memory of 6628	6296	cmd.exe	117
PID 6296 wrote to memory of 6452	6296	cmd.exe	118
PID 6296 wrote to memory of 6452	6296	cmd.exe	118
PID 6296 wrote to memory of 6360	6296	cmd.exe	119
PID 6296 wrote to memory of 6360	6296	cmd.exe	119
PID 6296 wrote to memory of 6388	6296	cmd.exe	120
PID 6296 wrote to memory of 6388	6296	cmd.exe	120
PID 6296 wrote to memory of 6852	6296	cmd.exe	121
PID 6296 wrote to memory of 6852	6296	cmd.exe	121
PID 6296 wrote to memory of 1796	6296	cmd.exe	122
PID 6296 wrote to memory of 1796	6296	cmd.exe	122
PID 6296 wrote to memory of 7084	6296	cmd.exe	123
PID 6296 wrote to memory of 7084	6296	cmd.exe	123
PID 6296 wrote to memory of 6464	6296	cmd.exe	124
PID 6296 wrote to memory of 6464	6296	cmd.exe	124
PID 6296 wrote to memory of 6424	6296	cmd.exe	125
PID 6296 wrote to memory of 6424	6296	cmd.exe	125
PID 6296 wrote to memory of 6408	6296	cmd.exe	126
PID 6296 wrote to memory of 6408	6296	cmd.exe	126
PID 6296 wrote to memory of 6644	6296	cmd.exe	127
PID 6296 wrote to memory of 6644	6296	cmd.exe	127
PID 6296 wrote to memory of 6764	6296	cmd.exe	128
PID 6296 wrote to memory of 6764	6296	cmd.exe	128
PID 6296 wrote to memory of 1632	6296	cmd.exe	129
PID 6296 wrote to memory of 1632	6296	cmd.exe	129
PID 6296 wrote to memory of 4896	6296	cmd.exe	130
PID 6296 wrote to memory of 4896	6296	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe
"C:\Users\Admin\AppData\Local\Temp\1a9c27e5be8c58da1c02fc4245a07831d5d431cdd1a91cd35d2dd0ad62da71cd.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6352
  - - C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:6380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6244
- - C:\Windows\system32\cmd.exe
    cmd.exe /c for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6316
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "AMSI/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "AirSpaceChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Application"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowFilterGraph"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowPluginControl"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Els_Hyphenation/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "EndpointMapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "FirstUXPerf-Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "ForwardedEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "General Logging"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "HardwareEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "IHM_DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationFrameServer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProc"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProcD3D"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:2616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationAsyncWrapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationContentProtection"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDS"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationMP4"
      4⤵
      PID:6776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationMediaEngine"
      4⤵
      PID:6040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformance"
      4⤵
      PID:7136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformanceCore"
      4⤵
      PID:6712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPipeline"
      4⤵
      PID:4004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPlatform"
      4⤵
      PID:6732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationSrcPrefetch"
      4⤵
      PID:6872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
      4⤵
      PID:6904
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Admin"
      4⤵
      PID:5540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Debug"
      4⤵
      PID:1128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Operational"
      4⤵
      PID:7000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
      4⤵
      Clears Windows event logs
      PID:5344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
      4⤵
      PID:7140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
      4⤵
      PID:7152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
      4⤵
      PID:6856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
      4⤵
      PID:7076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IE/Diagnostic"
      4⤵
      PID:7156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
      4⤵
      PID:876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      PID:7016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
      4⤵
      PID:6952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      PID:3700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      PID:5504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
      4⤵
      PID:5408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
      4⤵
      PID:2408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
      4⤵
      PID:5000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
      4⤵
      PID:3572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
      4⤵
      PID:4788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
      4⤵
      PID:4744
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
      4⤵
      PID:1924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
      4⤵
      PID:1168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
      4⤵
      PID:1816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
      4⤵
      PID:2360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
      4⤵
      PID:2520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
      4⤵
      PID:2356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
      4⤵
      PID:4552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
      4⤵
      PID:3532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
      4⤵
      PID:4420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      PID:5052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      PID:4936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
      4⤵
      PID:4812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
      4⤵
      PID:724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
      4⤵
      PID:624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
      4⤵
      PID:5568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
      4⤵
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
      4⤵
      PID:2568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
      4⤵
      PID:2960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:3524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:5588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
      4⤵
      PID:3644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
      4⤵
      PID:1488
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
      4⤵
      Clears Windows event logs
      PID:2584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
      4⤵
      PID:2596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
      4⤵
      PID:4136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
      4⤵
      PID:3280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
      4⤵
      PID:1208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
      4⤵
      PID:6120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
      4⤵
      PID:5224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
      4⤵
      Clears Windows event logs
      PID:4888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
      4⤵
      Clears Windows event logs
      PID:680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppSruProv"
      4⤵
      Clears Windows event logs
      PID:2364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
      4⤵
      PID:3060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
      4⤵
      PID:5812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
      4⤵
      PID:2544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
      4⤵
      PID:5664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
      4⤵
      PID:4340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
      4⤵
      PID:1932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
      4⤵
      PID:5788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:2240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:4280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:3504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      Clears Windows event logs
      PID:4876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
      4⤵
      PID:4056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:1808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:3628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
      4⤵
      PID:5948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:4736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      Clears Windows event logs
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      PID:4364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
      4⤵
      PID:5356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
      4⤵
      PID:2092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
      4⤵
      PID:3276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
      4⤵
      PID:2380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
      4⤵
      Clears Windows event logs
      PID:6132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
      4⤵
      PID:4804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
      4⤵
      Clears Windows event logs
      PID:2084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      Clears Windows event logs
      PID:628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
      4⤵
      Clears Windows event logs
      PID:5912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
      4⤵
      PID:5644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
      4⤵
      PID:5092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
      4⤵
      PID:5016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
      4⤵
      Clears Windows event logs
      PID:1848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
      4⤵
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:4728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
      4⤵
      PID:2884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
      4⤵
      PID:4416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
      4⤵
      PID:5312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
      4⤵
      PID:2072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:3548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
      4⤵
      PID:3852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
      4⤵
      PID:2472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
      4⤵
      PID:3988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
      4⤵
      PID:2040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
      4⤵
      PID:5592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
      4⤵
      PID:4320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
      4⤵
      PID:3912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Backup"
      4⤵
      PID:2912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
      4⤵
      PID:4568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
      4⤵
      PID:3344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
      4⤵
      PID:5252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
      4⤵
      PID:3868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:1704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:3984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:5900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
      4⤵
      PID:2920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
      4⤵
      PID:4948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
      4⤵
      PID:4252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
      4⤵
      PID:5524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:3376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:3216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
      4⤵
      PID:5956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
      4⤵
      PID:4132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:4748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
      4⤵
      PID:5232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:6520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      PID:4864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:4148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      PID:6540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      PID:2200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
      4⤵
      PID:4044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
      4⤵
      PID:1624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
      4⤵
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:6064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
      4⤵
      PID:1448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
      4⤵
      PID:3480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Call"
      4⤵
      PID:1428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
      4⤵
      PID:4664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
      4⤵
      PID:4196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
      4⤵
      PID:5824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
      4⤵
      PID:6556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
      4⤵
      PID:7048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
      4⤵
      PID:5392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      PID:2800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      PID:5728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      PID:5636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
      4⤵
      PID:4912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
      4⤵
      PID:4400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
      4⤵
      PID:4380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      PID:1204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
      4⤵
      PID:5516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
      4⤵
      PID:3016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      PID:2148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:5816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:1692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      PID:4608
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      PID:2808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
      4⤵
      PID:3220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
      4⤵
      PID:2572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
      4⤵
      PID:3332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
      4⤵
      PID:5432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
      4⤵
      PID:5640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
      4⤵
      PID:6136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
      4⤵
      PID:3388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
      4⤵
      PID:2968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
      4⤵
      PID:4248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
      4⤵
      PID:4620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
      4⤵
      PID:6184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
      4⤵
      PID:280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
      4⤵
      PID:296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
      4⤵
      PID:4100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
      4⤵
      PID:6376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      PID:6372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:1256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
      4⤵
      PID:4208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      PID:5620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
      4⤵
      PID:6180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
      4⤵
      PID:6692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
      4⤵
      PID:984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
      4⤵
      PID:6640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
      4⤵
      PID:6796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
      4⤵
      PID:6824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
      4⤵
      PID:6836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      PID:6844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
      4⤵
      PID:6568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:7112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      Clears Windows event logs
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
      4⤵
      PID:6648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
      4⤵
      PID:6252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
      4⤵
      PID:6772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
      4⤵
      PID:6976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
      4⤵
      PID:6984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
      4⤵
      PID:6628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
      4⤵
      PID:6452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:6500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
      4⤵
      PID:6360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
      4⤵
      PID:6852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
      4⤵
      PID:1796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
      4⤵
      PID:7084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      PID:6424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
      4⤵
      PID:6408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
      4⤵
      PID:6644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:6764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
      4⤵
      PID:1632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
      4⤵
      PID:4896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
      4⤵
      PID:2616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      PID:7072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:7068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      PID:6892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
      4⤵
      PID:6664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
      4⤵
      PID:6788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
      4⤵
      PID:768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
      4⤵
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
      4⤵
      PID:2504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      PID:6720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
      4⤵
      PID:6860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
      4⤵
      PID:6896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
      4⤵
      PID:6932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
      4⤵
      PID:3704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
      4⤵
      PID:6940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
      4⤵
      PID:7004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
      4⤵
      PID:7080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
      4⤵
      PID:5684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
      4⤵
      PID:6920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
      4⤵
      PID:6944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
      4⤵
      PID:7028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
      4⤵
      PID:5468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
      4⤵
      PID:6912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      PID:7012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      PID:6740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
      4⤵
      PID:4492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      PID:7160
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:5308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
      4⤵
      PID:2156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:5128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:6948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      PID:4780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      Clears Windows event logs
      PID:5548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      PID:4628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
      4⤵
      PID:5364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:5012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      PID:4660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      PID:4564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:4572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      Clears Windows event logs
      PID:3780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      PID:5980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      PID:5028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      PID:5132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:2560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
      4⤵
      PID:6052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:4984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      PID:4768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:2036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      PID:4580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      PID:3204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      PID:5240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:6084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      PID:440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      PID:1100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      Clears Windows event logs
      PID:5968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
      4⤵
      PID:2548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      PID:2392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:1052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:4624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:6104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      PID:1096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      PID:184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      PID:1276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:2772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      PID:2536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
      4⤵
      PID:1316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
      4⤵
      PID:1148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
      4⤵
      PID:6000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
      4⤵
      PID:4332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
      4⤵
      PID:748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
      4⤵
      PID:4696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
      4⤵
      PID:2128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      PID:1940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:4964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
      4⤵
      PID:4036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      PID:5792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      PID:1432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:4724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
      4⤵
      PID:4772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
      4⤵
      PID:2136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
      4⤵
      PID:6020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
      4⤵
      PID:3040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:5488
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      Clears Windows event logs
      PID:4220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:5624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:5220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
      4⤵
      PID:812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:3596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
      4⤵
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
      4⤵
      PID:4040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
      4⤵
      PID:3768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
      4⤵
      PID:920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
      4⤵
      PID:468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
      4⤵
      PID:5756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
      4⤵
      PID:2872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
      4⤵
      PID:5004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
      4⤵
      PID:5600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      PID:5836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:4612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
      4⤵
      PID:5420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:5496
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
      4⤵
      PID:4392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
      4⤵
      PID:6056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
      4⤵
      PID:3472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
      4⤵
      PID:5680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
      4⤵
      PID:4464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
      4⤵
      PID:3260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
      4⤵
      PID:6092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
      4⤵
      PID:836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
      4⤵
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
      4⤵
      PID:4856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
      4⤵
      PID:5384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
      4⤵
      PID:3528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
      4⤵
      PID:4032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      PID:5196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
      4⤵
      PID:5416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
      4⤵
      PID:5560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
      4⤵
      PID:5944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
      4⤵
      PID:4776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      PID:4540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
      4⤵
      PID:5480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
      4⤵
      PID:116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
      4⤵
      PID:1920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
      4⤵
      PID:4516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
      4⤵
      PID:5008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      PID:2484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      PID:632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
      4⤵
      PID:5212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
      4⤵
      PID:2184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
      4⤵
      PID:1724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
      4⤵
      PID:3208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
      4⤵
      PID:6868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
      4⤵
      PID:4308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
      4⤵
      PID:6516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
      4⤵
      PID:1700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
      4⤵
      PID:4924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
      4⤵
      PID:5060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
      4⤵
      PID:3820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
      4⤵
      PID:3656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
      4⤵
      PID:5256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
      4⤵
      PID:6064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
      4⤵
      PID:1448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
      4⤵
      PID:3480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
      4⤵
      PID:1428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
      4⤵
      PID:3688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
      4⤵
      PID:4664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
      4⤵
      PID:5824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
      4⤵
      Clears Windows event logs
      PID:6556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
      4⤵
      PID:5392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
      4⤵
      PID:2800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
      4⤵
      PID:5728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
      4⤵
      PID:5636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
      4⤵
      PID:4912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
      4⤵
      PID:4400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
      4⤵
      PID:5192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
      4⤵
      PID:1204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
      4⤵
      PID:5516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Help/Operational"
      4⤵
      PID:3016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      PID:6088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:2516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:6544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      PID:6044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      PID:2588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
      4⤵
      PID:3236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
      4⤵
      PID:5352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
      4⤵
      PID:5564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
      4⤵
      PID:4556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
      4⤵
      PID:3944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
      4⤵
      PID:1240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
      4⤵
      PID:532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
      4⤵
      PID:6580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
      4⤵
      PID:1220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
      4⤵
      PID:4972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
      4⤵
      PID:6012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
      4⤵
      PID:284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
      4⤵
      PID:300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
      4⤵
      PID:6100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
      4⤵
      PID:3684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
      4⤵
      PID:6352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
      4⤵
      PID:6256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
      4⤵
      PID:5380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
      4⤵
      PID:4448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
      4⤵
      PID:6576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
      4⤵
      Clears Windows event logs
      PID:6152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
      4⤵
      PID:6204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
      4⤵
      PID:6800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
      4⤵
      PID:6804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
      4⤵
      PID:6828
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
      4⤵
      PID:6840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
      4⤵
      PID:6560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
      4⤵
      PID:7092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
      4⤵
      PID:1200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
      4⤵
      PID:6656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
      4⤵
      PID:6760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
      4⤵
      PID:6972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
      4⤵
      PID:5716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
      4⤵
      PID:5320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
      4⤵
      PID:6980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
      4⤵
      PID:6332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
      4⤵
      PID:6460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
      4⤵
      PID:6440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
      4⤵
      PID:6344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
      4⤵
      PID:6388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
      4⤵
      PID:1048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
      4⤵
      PID:6708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
      4⤵
      PID:6436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
      4⤵
      PID:6412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
      4⤵
      PID:6404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
      4⤵
      PID:6744
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
      4⤵
      PID:6996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
      4⤵
      PID:5596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
      4⤵
      PID:4712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
      4⤵
      PID:3888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
      4⤵
      PID:7056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
      4⤵
      PID:696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
      4⤵
      PID:6888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
      4⤵
      PID:6768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
      4⤵
      PID:1444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
      4⤵
      PID:4944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
      4⤵
      PID:6696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
      4⤵
      PID:4700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
      4⤵
      PID:6728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
      4⤵
      PID:6864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
      4⤵
      PID:6900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
      4⤵
      PID:6936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
      4⤵
      PID:5276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
      4⤵
      PID:7060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
      4⤵
      PID:7032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
      4⤵
      Clears Windows event logs
      PID:7120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
      4⤵
      PID:5084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
      4⤵
      PID:6848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
      4⤵
      PID:7088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
      4⤵
      PID:7096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
      4⤵
      PID:700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
      4⤵
      PID:7024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
      4⤵
      PID:6484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
      4⤵
      PID:6288
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
      4⤵
      PID:4796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
      4⤵
      PID:1136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
      4⤵
      PID:2320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
      4⤵
      PID:3904
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
      4⤵
      PID:2832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
      4⤵
      PID:3068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
      4⤵
      PID:2132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
      4⤵
      PID:5536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
      4⤵
      PID:1168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
      4⤵
      PID:1216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
      4⤵
      PID:4468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
      4⤵
      PID:2520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
      4⤵
      PID:2436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
      4⤵
      PID:4552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
      4⤵
      PID:3532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
      4⤵
      Clears Windows event logs
      PID:4420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
      4⤵
      PID:5052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
      4⤵
      PID:4936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
      4⤵
      PID:4812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
      4⤵
      PID:724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
      4⤵
      PID:624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
      4⤵
      PID:5568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
      4⤵
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
      4⤵
      PID:5888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
      4⤵
      PID:3084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
      4⤵
      PID:1424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
      4⤵
      PID:1384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
      4⤵
      PID:2400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
      4⤵
      PID:4632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
      4⤵
      PID:972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
      4⤵
      PID:5868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
      4⤵
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
      4⤵
      PID:3440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
      4⤵
      PID:2776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
      4⤵
      PID:6120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
      4⤵
      PID:3816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
      4⤵
      PID:4888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
      4⤵
      PID:680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
      4⤵
      PID:2364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
      4⤵
      PID:3060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
      4⤵
      PID:5812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
      4⤵
      PID:2544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
      4⤵
      PID:5664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
      4⤵
      PID:4340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
      4⤵
      PID:1932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
      4⤵
      Clears Windows event logs
      PID:5788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
      4⤵
      PID:2240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
      4⤵
      Clears Windows event logs
      PID:4280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
      4⤵
      PID:3504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
      4⤵
      PID:4876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
      4⤵
      PID:4056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
      4⤵
      PID:1808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
      4⤵
      PID:3628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
      4⤵
      PID:3148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
      4⤵
      PID:4736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
      4⤵
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
      4⤵
      PID:4364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
      4⤵
      PID:5356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
      4⤵
      PID:2092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
      4⤵
      Clears Windows event logs
      PID:3276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
      4⤵
      PID:2380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
      4⤵
      PID:6132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
      4⤵
      PID:1512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
      4⤵
      PID:2084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
      4⤵
      PID:628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
      4⤵
      PID:5912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
      4⤵
      PID:5632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
      4⤵
      PID:5092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
      4⤵
      Clears Windows event logs
      PID:5016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
      4⤵
      PID:1848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
      4⤵
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
      4⤵
      PID:4728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
      4⤵
      PID:2884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
      4⤵
      PID:4416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
      4⤵
      PID:5312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
      4⤵
      PID:2072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
      4⤵
      PID:3548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
      4⤵
      PID:3852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
      4⤵
      PID:2472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
      4⤵
      PID:3988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
      4⤵
      PID:2040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
      4⤵
      PID:5592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
      4⤵
      PID:4320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
      4⤵
      PID:3912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
      4⤵
      PID:2912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
      4⤵
      PID:2124
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
      4⤵
      PID:3408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
      4⤵
      PID:5080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
      4⤵
      PID:2848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
      4⤵
      PID:5884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
      4⤵
      PID:5648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
      4⤵
      PID:5808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
      4⤵
      PID:516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
      4⤵
      PID:4256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
      4⤵
      PID:2252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
      4⤵
      PID:3156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
      4⤵
      PID:5068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
      4⤵
      System Time Discovery
      PID:5528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
      4⤵
      PID:1652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
      4⤵
      PID:5796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
      4⤵
      Clears Windows event logs
      PID:6528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
      4⤵
      PID:6508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
      4⤵
      PID:1400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
      4⤵
      PID:2108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
      4⤵
      PID:3724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
      4⤵
      PID:4524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
      4⤵
      PID:4500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
      4⤵
      PID:5508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
      4⤵
      PID:3976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
      4⤵
      PID:4716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
      4⤵
      PID:5940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
      4⤵
      PID:5328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
      4⤵
      PID:864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
      4⤵
      PID:3252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
      4⤵
      PID:2644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
      4⤵
      PID:4192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
      4⤵
      PID:6140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
      4⤵
      PID:7052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
      4⤵
      PID:1440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
      4⤵
      PID:4528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
      4⤵
      PID:3916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
      4⤵
      Clears Windows event logs
      PID:3144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
      4⤵
      PID:2004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
      4⤵
      PID:3680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
      4⤵
      PID:2120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
      4⤵
      PID:832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
      4⤵
      PID:2812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
      4⤵
      PID:2016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
      4⤵
      PID:4092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
      4⤵
      Clears Windows event logs
      PID:964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
      4⤵
      PID:4884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
      4⤵
      PID:3348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
      4⤵
      PID:5628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
      4⤵
      PID:6176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
      4⤵
      PID:5608
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
      4⤵
      PID:2368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
      4⤵
      PID:5652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
      4⤵
      PID:5432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
      4⤵
      PID:5640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
      4⤵
      PID:6136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
      4⤵
      PID:5208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
      4⤵
      PID:5696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
      4⤵
      PID:1408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
      4⤵
      PID:272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
      4⤵
      PID:292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
      4⤵
      PID:280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
      4⤵
      Power Settings
      PID:296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
      4⤵
      PID:6380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
      4⤵
      PID:6668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
      4⤵
      PID:6372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
      4⤵
      PID:6264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
      4⤵
      PID:5032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
      4⤵
      PID:6672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
      4⤵
      PID:6240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
      4⤵
      PID:6792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
      4⤵
      PID:6640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
      4⤵
      PID:6804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
      4⤵
      PID:6536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
      4⤵
      PID:7108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
      4⤵
      PID:7132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
      4⤵
      PID:5116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
      4⤵
      PID:3676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
      4⤵
      PID:6972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
      4⤵
      PID:5320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:6628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
      4⤵
      PID:6752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
      4⤵
      PID:6388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
      4⤵
      PID:4752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
      4⤵
      PID:1048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
      4⤵
      PID:968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
      4⤵
      PID:6436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
      4⤵
      PID:6412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
      4⤵
      PID:6404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
      4⤵
      PID:6644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
      4⤵
      PID:6764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
      4⤵
      PID:3248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
      4⤵
      PID:1632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
      4⤵
      PID:7072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
      4⤵
      PID:7056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
      4⤵
      PID:6888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
      4⤵
      PID:6768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
      4⤵
      PID:1444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
      4⤵
      PID:768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
      4⤵
      PID:3848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
      4⤵
      PID:6712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
      4⤵
      PID:6720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
      4⤵
      PID:5732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
      4⤵
      PID:6900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
      4⤵
      PID:6876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
      4⤵
      PID:6904
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
      4⤵
      PID:5540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
      4⤵
      Clears Windows event logs
      PID:7036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
      4⤵
      PID:7000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
      4⤵
      Clears Windows event logs
      PID:5344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
      4⤵
      PID:7140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
      4⤵
      PID:7152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
      4⤵
      PID:6856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
      4⤵
      PID:7028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
      4⤵
      PID:7156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
      4⤵
      PID:7044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
      4⤵
      PID:7008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
      4⤵
      PID:6952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
      4⤵
      PID:4504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
      4⤵
      PID:7148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
      4⤵
      PID:4960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
      4⤵
      PID:2408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
      4⤵
      PID:5000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
      4⤵
      PID:6956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
      4⤵
      PID:4788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
      4⤵
      PID:5548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
      4⤵
      PID:1460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
      4⤵
      PID:5364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
      4⤵
      PID:3796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
      4⤵
      PID:2360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
      4⤵
      PID:1956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
      4⤵
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
      4⤵
      PID:2044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
      4⤵
      PID:5980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
      4⤵
      PID:4656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
      4⤵
      PID:3064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
      4⤵
      Clears Windows event logs
      PID:2700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
      4⤵
      PID:6052
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
      4⤵
      PID:4936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
      4⤵
      PID:724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
      4⤵
      PID:624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
      4⤵
      PID:5568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
      4⤵
      Clears Windows event logs
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
      4⤵
      PID:5888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
      4⤵
      PID:3084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
      4⤵
      PID:1424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
      4⤵
      PID:1384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
      4⤵
      PID:2400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
      4⤵
      PID:4868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
      4⤵
      PID:4632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
      4⤵
      PID:972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
      4⤵
      Clears Windows event logs
      PID:5868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
      4⤵
      PID:4872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
      4⤵
      PID:3440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
      4⤵
      PID:4168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
      4⤵
      PID:1096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
      4⤵
      PID:3816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
      4⤵
      PID:2736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
      4⤵
      PID:1060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
      4⤵
      PID:1628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
      4⤵
      PID:1456
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
      4⤵
      PID:6108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
      4⤵
      PID:5428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
      4⤵
      PID:2924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
      4⤵
      PID:5976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
      4⤵
      PID:1708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
      4⤵
      PID:5172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
      4⤵
      PID:5852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
      4⤵
      PID:4992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
      4⤵
      PID:5268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
      4⤵
      PID:1028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
      4⤵
      PID:4336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
      4⤵
      PID:4724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
      4⤵
      PID:4772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
      4⤵
      PID:2136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
      4⤵
      PID:6020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
      4⤵
      PID:3040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
      4⤵
      PID:5488
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
      4⤵
      PID:4220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
      4⤵
      PID:5624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
      4⤵
      PID:5220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
      4⤵
      PID:3948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
      4⤵
      PID:3596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
      4⤵
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
      4⤵
      PID:4040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
      4⤵
      PID:5612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
      4⤵
      PID:6504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
      4⤵
      PID:1112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
      4⤵
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
      4⤵
      Clears Windows event logs
      PID:5876
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
      4⤵
      PID:3564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
      4⤵
      PID:5576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
      4⤵
      PID:5440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
      4⤵
      PID:1436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
      4⤵
      PID:4940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
      4⤵
      PID:5860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
      4⤵
      PID:5348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
      4⤵
      PID:4820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
      4⤵
      PID:1916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
      4⤵
      PID:4644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
      4⤵
      PID:3772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
      4⤵
      PID:4920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
      4⤵
      PID:1312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
      4⤵
      PID:1076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
      4⤵
      PID:3752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
      4⤵
      PID:2732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
      4⤵
      PID:5384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
      4⤵
      PID:5992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
      4⤵
      PID:5692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
      4⤵
      PID:5196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
      4⤵
      PID:5416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
      4⤵
      PID:5560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
      4⤵
      PID:5944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
      4⤵
      PID:5984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
      4⤵
      PID:4540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
      4⤵
      PID:4476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
      4⤵
      PID:5480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
      4⤵
      PID:2540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
      4⤵
      PID:4516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
      4⤵
      PID:5008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
      4⤵
      PID:4832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
      4⤵
      PID:5272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
      4⤵
      PID:5212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
      4⤵
      PID:2184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
      4⤵
      PID:6520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
      4⤵
      Clears Windows event logs
      PID:3208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
      4⤵
      PID:6868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
      4⤵
      PID:4308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
      4⤵
      PID:3132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
      4⤵
      PID:1700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
      4⤵
      PID:5284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
      4⤵
      PID:5060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
      4⤵
      PID:3820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
      4⤵
      PID:3656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
      4⤵
      PID:5256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
      4⤵
      PID:6064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
      4⤵
      PID:1448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
      4⤵
      PID:3480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
      4⤵
      PID:4288
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
      4⤵
      PID:4648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
      4⤵
      PID:6060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
      4⤵
      PID:4048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
      4⤵
      Clears Windows event logs
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
      4⤵
      PID:3712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
      4⤵
      PID:5072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
      4⤵
      PID:2800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
      4⤵
      Clears Windows event logs
      PID:5728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
      4⤵
      PID:916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
      4⤵
      PID:4520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
      4⤵
      PID:316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
      4⤵
      PID:5672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
      4⤵
      PID:5520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
      4⤵
      PID:5088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
      4⤵
      PID:4676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
      4⤵
      PID:2508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
      4⤵
      PID:392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
      4⤵
      PID:5236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
      4⤵
      PID:6284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
      4⤵
      PID:4568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
      4⤵
      PID:6176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
      4⤵
      PID:5608
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Debug"
      4⤵
      PID:2368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Diagnose"
      4⤵
      PID:5652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Operational"
      4⤵
      Clears Windows event logs
      PID:5432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
      4⤵
      PID:5640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Analytic"
      4⤵
      PID:6136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Debug"
      4⤵
      PID:3388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Diagnose"
      4⤵
      PID:2968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Operational"
      4⤵
      Clears Windows event logs
      PID:4248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Admin"
      4⤵
      PID:4620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Analytic"
      4⤵
      PID:6184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
      4⤵
      PID:284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Diagnose"
      4⤵
      PID:300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Operational"
      4⤵
      PID:6100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Admin"
      4⤵
      PID:3684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
      4⤵
      PID:6352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Debug"
      4⤵
      PID:6264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Diagnose"
      4⤵
      PID:5032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Health"
      4⤵
      PID:6672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Operational"
      4⤵
      PID:6316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Tiering-IoHeat/Heat"
      4⤵
      PID:6820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storage-Tiering/Admin"
      4⤵
      PID:6832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageManagement/Debug"
      4⤵
      PID:6584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageManagement/Operational"
      4⤵
      PID:6572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
      4⤵
      PID:6844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Diagnostic"
      4⤵
      PID:7112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Operational"
      4⤵
      PID:6960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-Driver/Performance"
      4⤵
      PID:6252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
      4⤵
      PID:4880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Diagnostic"
      4⤵
      PID:6624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorageSpaces-SpaceManager/Operational"
      4⤵
      PID:5320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Store/Operational"
      4⤵
      PID:6688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Storsvc/Diagnostic"
      4⤵
      PID:6348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
      4⤵
      PID:6360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
      4⤵
      PID:6852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
      4⤵
      PID:6480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/PfApLog"
      4⤵
      PID:7084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
      4⤵
      PID:6464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
      4⤵
      PID:6396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
      4⤵
      PID:6408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-System-Profile-HardwareId/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsHandlers/Debug"
      4⤵
      Clears Windows event logs
      PID:4088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Debug"
      4⤵
      PID:4896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Diagnostic"
      4⤵
      PID:6760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
      4⤵
      PID:1200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
      4⤵
      PID:3888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Operational"
      4⤵
      PID:6476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
      4⤵
      PID:696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
      4⤵
      PID:1524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
      4⤵
      PID:6780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
      4⤵
      PID:6652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TTS/Diagnostic"
      4⤵
      PID:5380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinAPI/Diagnostic"
      4⤵
      PID:6256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinUI/Diagnostic"
      4⤵
      PID:6180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
      4⤵
      PID:6776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZSync/Analytic"
      4⤵
      PID:6280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
      4⤵
      PID:5736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
      4⤵
      PID:4700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
      4⤵
      PID:6864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
      4⤵
      PID:6732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
      4⤵
      PID:6896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
      4⤵
      PID:6932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
      4⤵
      PID:3704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
      4⤵
      PID:6940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
      4⤵
      PID:7004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
      4⤵
      PID:7080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
      4⤵
      PID:5684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
      4⤵
      PID:6848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
      4⤵
      PID:6944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
      4⤵
      PID:7096
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
      4⤵
      PID:700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
      4⤵
      PID:6912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
      4⤵
      Clears Windows event logs
      PID:6992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
      4⤵
      PID:6740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
      4⤵
      PID:4492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
      4⤵
      PID:7160
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
      4⤵
      PID:5308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Analytic"
      4⤵
      PID:2532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Debug"
      4⤵
      PID:5128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Operational"
      4⤵
      PID:6948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
      4⤵
      PID:2832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
      4⤵
      PID:3180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
      4⤵
      PID:2132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
      4⤵
      PID:4628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
      4⤵
      PID:1168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
      4⤵
      PID:4660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
      4⤵
      PID:4468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
      4⤵
      Clears Windows event logs
      PID:2520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
      4⤵
      PID:2436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
      4⤵
      PID:4552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
      4⤵
      PID:5028
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
      4⤵
      Clears Windows event logs
      PID:5132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
      4⤵
      PID:4732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
      4⤵
      PID:5372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Tethering-Station/Analytic"
      4⤵
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
      4⤵
      PID:4984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
      4⤵
      PID:724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Threat-Intelligence/Analytic"
      4⤵
      PID:3304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Time-Service-PTP-Provider/PTP-Operational"
      4⤵
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Time-Service/Operational"
      4⤵
      PID:4580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Admin"
      4⤵
      PID:2568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
      4⤵
      PID:5240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
      4⤵
      PID:5396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
      4⤵
      PID:1668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
      4⤵
      PID:1100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UI-Shell/Diagnostic"
      4⤵
      PID:5968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
      4⤵
      PID:2548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
      4⤵
      PID:2596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
      4⤵
      PID:5868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
      4⤵
      PID:4624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1244
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-MAUSBHOST-Analytic"
      4⤵
      PID:2776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-UCX-Analytic"
      4⤵
      PID:184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
      4⤵
      PID:1276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBHUB3-Analytic"
      4⤵
      Clears Windows event logs
      PID:4888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
      4⤵
      PID:680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Analytic"
      4⤵
      PID:2364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBXHCI-Trustlet-Analytic"
      4⤵
      PID:1148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UniversalTelemetryClient/Operational"
      4⤵
      Clears Windows event logs
      PID:6000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel Usage/Diagnostic"
      4⤵
      PID:5020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel/Diagnostic"
      4⤵
      PID:5664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel/Operational"
      4⤵
      PID:4340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
      4⤵
      PID:1932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Device Registration/Debug"
      4⤵
      PID:4964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
      4⤵
      PID:2240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
      4⤵
      PID:4280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
      4⤵
      PID:3992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
      4⤵
      PID:1532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
      4⤵
      PID:4900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
      4⤵
      PID:1868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
      4⤵
      PID:2316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
      4⤵
      PID:6020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
      4⤵
      PID:5572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
      4⤵
      PID:1896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
      4⤵
      PID:5768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
      4⤵
      PID:1996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
      4⤵
      PID:3284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
      4⤵
      PID:3544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
      4⤵
      PID:2380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
      4⤵
      PID:1044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
      4⤵
      PID:5260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"
      4⤵
      PID:5064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
      4⤵
      Clears Windows event logs
      PID:3764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
      4⤵
      PID:6532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
      4⤵
      PID:628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
      4⤵
      PID:5864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"
      4⤵
      PID:5004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
      4⤵
      PID:3080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
      4⤵
      PID:5836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
      4⤵
      PID:6032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
      4⤵
      PID:1848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
      4⤵
      PID:4728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
      4⤵
      PID:4472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
      4⤵
      PID:1916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"
      4⤵
      PID:4644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
      4⤵
      PID:3772
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
      4⤵
      PID:4920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
      4⤵
      PID:1312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
      4⤵
      PID:1076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
      4⤵
      PID:3752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
      4⤵
      PID:2732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
      4⤵
      PID:4032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
      4⤵
      PID:5384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
      4⤵
      PID:5692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
      4⤵
      PID:5196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
      4⤵
      PID:5076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
      4⤵
      PID:5416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"
      4⤵
      PID:5560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
      4⤵
      PID:5944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"
      4⤵
      PID:5984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
      4⤵
      PID:4540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
      4⤵
      PID:4476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
      4⤵
      PID:5480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
      4⤵
      PID:2540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"
      4⤵
      PID:4516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
      4⤵
      PID:5008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
      4⤵
      PID:4832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"
      4⤵
      PID:5272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5040

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Power Settings

T1653

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Window

T1564.003

Indicator Removal

T1070

Clear Persistence

T1070.009

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

System Time Discovery

T1124

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\Locales\tr.pak.DATA.rhysida

Filesize
1.1MB

MD5
746be412dd7db8ab8553ba823114a936

SHA1
b1cc98d12e6412804aac6538187b6c9920c88c82

SHA256
5990b98b4d420eee84e57ab1c06005fd97d9b2bd39254b3cfbd74b8a588a2a87

SHA512
e7ff83460331ed648eb71c4b216d1e156854fb128bb6c858e5c07f8a046d0d0f6ab26996bf57d2f27b5cff9f22c88a29eb1f65f6edd38660976c6d01643c2d0b

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\MEIPreload\manifest.json.DATA.rhysida

Filesize
3KB

MD5
0e1a4aae55460c718e500e3bb410130e

SHA1
9f5ea374f468ac0120471c819fff328899937217

SHA256
dde7537c89ca7cf3e6926f544d85d2a436a95ea64a333c9c674b832ec0c1d5b9

SHA512
54c3ca0d9e041981eec59204fde2dd4b49095de22eb1a5a371436aa9f50c4d05090d67dceec23ad3aefbd5c8ccd783c551f278a69953d13d60da875da45cf99f

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\ResiliencyLinks\resources.pak.DATA.rhysida

Filesize
26.1MB

MD5
af289056246fa066891bd413b1deca13

SHA1
68f77858098c66cf92d6e5caa6a1d92070e38060

SHA256
ad6befc91813387a3e04d5111dace4b6668614d12a26a0616d6ce89986f55488

SHA512
baa3def0f012dc669ed46c72bf5e97d57a107246d26c7003b889b93f51b9eefcd4a3fb2f013ae6ee28771edc2881784a420199e2a4d4d9e7d3e18a6cc1abd0bb

Download Submit
C:\Program Files\7-Zip\CriticalBreachDetected.pdf

Filesize
36KB

MD5
a073f4595371bb6605f48196adfe25f0

SHA1
f871b6e7ebdfc60622bc5e2252aab954c552339e

SHA256
f02ea603d26edc1ef4f9d8622fdc26255d20c958ca603bdaabd3ae02cdb9492c

SHA512
0442c9e017078cc65db3ff6b05ea0a01ca11e3fe6c722736bc0b8de2636aee51ecdc4fb1b0e0ef54cc72570acded769a2053b039d0541c183bf91dfe8448ee4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hhthpkxb.jxd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2088-7794-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2088-14885-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2088-15009-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2088-15010-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2088-15011-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2088-15014-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5644-15015-0x00000181EDF90000-0x00000181EDFB2000-memory.dmp

Filesize
136KB

Download