5cb223d0a5a81088111c79b03def6e2b5bb20701689fe069cc1e649af6a63f29

Analysis

max time kernel
62s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
01/04/2023, 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win_clean.exe
Size

539KB
MD5

c95eca96375b48080ee4c65ad277b1f4
SHA1

d2f90ceb9ccb67c662d3a7030754179491437cde
SHA256

5cb223d0a5a81088111c79b03def6e2b5bb20701689fe069cc1e649af6a63f29
SHA512

7f9722dbe571f934137eaf649cf961985d8c8c6a34a0746866007ea8656b6ca23ede2c9fb4f589f74c830f933ace59bc3684e9b2e172e90a80735fedeb01b399
SSDEEP

12288:NcrNS33L10QdrX5T+tkDnCuZwFxfYYzwBHZulEEon8g+R:wNA3R5drXzDLmrftzEHZcpon1O

Score

9^/10

evasion ransomware

Malware Config

Signatures

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
956	wevtutil.exe
1352	wevtutil.exe
1416	wevtutil.exe
704	wevtutil.exe
1324	wevtutil.exe
1632	wevtutil.exe
1616	wevtutil.exe
2028	wevtutil.exe
1420	wevtutil.exe
1176	wevtutil.exe
240	wevtutil.exe
1584	wevtutil.exe
1612	wevtutil.exe
632	wevtutil.exe
1152	wevtutil.exe
1976	wevtutil.exe
1584	wevtutil.exe
1172	wevtutil.exe
612	wevtutil.exe
1672	wevtutil.exe
1596	wevtutil.exe
1484	wevtutil.exe
1452	wevtutil.exe
1220	wevtutil.exe
524	wevtutil.exe
1688	wevtutil.exe
2032	wevtutil.exe
676	wevtutil.exe
1524	wevtutil.exe
1820	wevtutil.exe
1496	wevtutil.exe
300	wevtutil.exe
1980	wevtutil.exe
1608	wevtutil.exe
1228	wevtutil.exe
292	wevtutil.exe
1652	wevtutil.exe
316	wevtutil.exe
2028	wevtutil.exe
1420	wevtutil.exe
2012	wevtutil.exe
1220	wevtutil.exe
1416	wevtutil.exe
676	wevtutil.exe
1992	wevtutil.exe
1180	wevtutil.exe
376	wevtutil.exe
1632	wevtutil.exe
1656	wevtutil.exe
1652	wevtutil.exe
1980	wevtutil.exe
1608	wevtutil.exe
1436	wevtutil.exe
836	wevtutil.exe
2032	wevtutil.exe
1832	wevtutil.exe
1832	wevtutil.exe
292	wevtutil.exe
1880	wevtutil.exe
2040	wevtutil.exe
1832	wevtutil.exe
1876	wevtutil.exe
884	wevtutil.exe
1824	wevtutil.exe

Executes dropped EXE 3 IoCs

pid	Process
836	EventCleaner.exe
396	phant0mx64.exe
1904	FileWiper.exe

Loads dropped DLL 4 IoCs

pid	Process
1552	cmd.exe
1552	cmd.exe
1552	cmd.exe
760	Process not Found

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\winevt\logs\security.evtx	EventCleaner.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1900	timeout.exe
1836	timeout.exe
1332	timeout.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
836	EventCleaner.exe
836	EventCleaner.exe
396	phant0mx64.exe
1992	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	836	EventCleaner.exe
Token: SeDebugPrivilege	396	phant0mx64.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeSecurityPrivilege	524	wevtutil.exe
Token: SeBackupPrivilege	524	wevtutil.exe
Token: SeSecurityPrivilege	768	wevtutil.exe
Token: SeBackupPrivilege	768	wevtutil.exe
Token: SeSecurityPrivilege	640	wevtutil.exe
Token: SeBackupPrivilege	640	wevtutil.exe
Token: SeSecurityPrivilege	1416	wevtutil.exe
Token: SeBackupPrivilege	1416	wevtutil.exe
Token: SeSecurityPrivilege	1484	wevtutil.exe
Token: SeBackupPrivilege	1484	wevtutil.exe
Token: SeSecurityPrivilege	292	wevtutil.exe
Token: SeBackupPrivilege	292	wevtutil.exe
Token: SeSecurityPrivilege	1584	wevtutil.exe
Token: SeBackupPrivilege	1584	wevtutil.exe
Token: SeSecurityPrivilege	1008	wevtutil.exe
Token: SeBackupPrivilege	1008	wevtutil.exe
Token: SeSecurityPrivilege	1832	wevtutil.exe
Token: SeBackupPrivilege	1832	wevtutil.exe
Token: SeSecurityPrivilege	1600	wevtutil.exe
Token: SeBackupPrivilege	1600	wevtutil.exe
Token: SeSecurityPrivilege	1732	wevtutil.exe
Token: SeBackupPrivilege	1732	wevtutil.exe
Token: SeSecurityPrivilege	1568	wevtutil.exe
Token: SeBackupPrivilege	1568	wevtutil.exe
Token: SeSecurityPrivilege	1172	wevtutil.exe
Token: SeBackupPrivilege	1172	wevtutil.exe
Token: SeSecurityPrivilege	112	wevtutil.exe
Token: SeBackupPrivilege	112	wevtutil.exe
Token: SeSecurityPrivilege	436	wevtutil.exe
Token: SeBackupPrivilege	436	wevtutil.exe
Token: SeSecurityPrivilege	704	wevtutil.exe
Token: SeBackupPrivilege	704	wevtutil.exe
Token: SeSecurityPrivilege	1536	wevtutil.exe
Token: SeBackupPrivilege	1536	wevtutil.exe
Token: SeSecurityPrivilege	564	wevtutil.exe
Token: SeBackupPrivilege	564	wevtutil.exe
Token: SeSecurityPrivilege	1908	wevtutil.exe
Token: SeBackupPrivilege	1908	wevtutil.exe
Token: SeSecurityPrivilege	836	wevtutil.exe
Token: SeBackupPrivilege	836	wevtutil.exe
Token: SeSecurityPrivilege	1436	wevtutil.exe
Token: SeBackupPrivilege	1436	wevtutil.exe
Token: SeSecurityPrivilege	1444	wevtutil.exe
Token: SeBackupPrivilege	1444	wevtutil.exe
Token: SeSecurityPrivilege	1688	wevtutil.exe
Token: SeBackupPrivilege	1688	wevtutil.exe
Token: SeSecurityPrivilege	1064	wevtutil.exe
Token: SeBackupPrivilege	1064	wevtutil.exe
Token: SeSecurityPrivilege	884	wevtutil.exe
Token: SeBackupPrivilege	884	wevtutil.exe
Token: SeSecurityPrivilege	1276	wevtutil.exe
Token: SeBackupPrivilege	1276	wevtutil.exe
Token: SeSecurityPrivilege	396	wevtutil.exe
Token: SeBackupPrivilege	396	wevtutil.exe
Token: SeSecurityPrivilege	1508	wevtutil.exe
Token: SeBackupPrivilege	1508	wevtutil.exe
Token: SeSecurityPrivilege	1068	wevtutil.exe
Token: SeBackupPrivilege	1068	wevtutil.exe
Token: SeSecurityPrivilege	1488	wevtutil.exe
Token: SeBackupPrivilege	1488	wevtutil.exe
Token: SeSecurityPrivilege	2028	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1552	1208	win_clean.exe	28
PID 1208 wrote to memory of 1552	1208	win_clean.exe	28
PID 1208 wrote to memory of 1552	1208	win_clean.exe	28
PID 1208 wrote to memory of 1552	1208	win_clean.exe	28
PID 1552 wrote to memory of 836	1552	cmd.exe	30
PID 1552 wrote to memory of 836	1552	cmd.exe	30
PID 1552 wrote to memory of 836	1552	cmd.exe	30
PID 1552 wrote to memory of 836	1552	cmd.exe	30
PID 1552 wrote to memory of 1720	1552	cmd.exe	31
PID 1552 wrote to memory of 1720	1552	cmd.exe	31
PID 1552 wrote to memory of 1720	1552	cmd.exe	31
PID 1552 wrote to memory of 1720	1552	cmd.exe	31
PID 1552 wrote to memory of 840	1552	cmd.exe	33
PID 1552 wrote to memory of 840	1552	cmd.exe	33
PID 1552 wrote to memory of 840	1552	cmd.exe	33
PID 1552 wrote to memory of 840	1552	cmd.exe	33
PID 1552 wrote to memory of 1076	1552	cmd.exe	35
PID 1552 wrote to memory of 1076	1552	cmd.exe	35
PID 1552 wrote to memory of 1076	1552	cmd.exe	35
PID 1552 wrote to memory of 1076	1552	cmd.exe	35
PID 1552 wrote to memory of 396	1552	cmd.exe	37
PID 1552 wrote to memory of 396	1552	cmd.exe	37
PID 1552 wrote to memory of 396	1552	cmd.exe	37
PID 1552 wrote to memory of 396	1552	cmd.exe	37
PID 1552 wrote to memory of 1992	1552	cmd.exe	40
PID 1552 wrote to memory of 1992	1552	cmd.exe	40
PID 1552 wrote to memory of 1992	1552	cmd.exe	40
PID 1552 wrote to memory of 1992	1552	cmd.exe	40
PID 1720 wrote to memory of 316	1720	cmd.exe	38
PID 1720 wrote to memory of 316	1720	cmd.exe	38
PID 1720 wrote to memory of 316	1720	cmd.exe	38
PID 1720 wrote to memory of 316	1720	cmd.exe	38
PID 1552 wrote to memory of 1904	1552	cmd.exe	46
PID 1552 wrote to memory of 1904	1552	cmd.exe	46
PID 1552 wrote to memory of 1904	1552	cmd.exe	46
PID 1552 wrote to memory of 1904	1552	cmd.exe	46
PID 1076 wrote to memory of 884	1076	cmd.exe	41
PID 1076 wrote to memory of 884	1076	cmd.exe	41
PID 1076 wrote to memory of 884	1076	cmd.exe	41
PID 1076 wrote to memory of 884	1076	cmd.exe	41
PID 1552 wrote to memory of 1332	1552	cmd.exe	45
PID 1552 wrote to memory of 1332	1552	cmd.exe	45
PID 1552 wrote to memory of 1332	1552	cmd.exe	45
PID 1552 wrote to memory of 1332	1552	cmd.exe	45
PID 840 wrote to memory of 1836	840	cmd.exe	43
PID 840 wrote to memory of 1836	840	cmd.exe	43
PID 840 wrote to memory of 1836	840	cmd.exe	43
PID 840 wrote to memory of 1836	840	cmd.exe	43
PID 1720 wrote to memory of 1276	1720	cmd.exe	42
PID 1720 wrote to memory of 1276	1720	cmd.exe	42
PID 1720 wrote to memory of 1276	1720	cmd.exe	42
PID 1720 wrote to memory of 1276	1720	cmd.exe	42
PID 1720 wrote to memory of 1220	1720	cmd.exe	47
PID 1720 wrote to memory of 1220	1720	cmd.exe	47
PID 1720 wrote to memory of 1220	1720	cmd.exe	47
PID 1720 wrote to memory of 1220	1720	cmd.exe	47
PID 1720 wrote to memory of 2032	1720	cmd.exe	48
PID 1720 wrote to memory of 2032	1720	cmd.exe	48
PID 1720 wrote to memory of 2032	1720	cmd.exe	48
PID 1720 wrote to memory of 2032	1720	cmd.exe	48
PID 840 wrote to memory of 1176	840	cmd.exe	49
PID 840 wrote to memory of 1176	840	cmd.exe	49
PID 840 wrote to memory of 1176	840	cmd.exe	49
PID 840 wrote to memory of 1176	840	cmd.exe	49

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\win_clean.exe
"C:\Users\Admin\AppData\Local\Temp\win_clean.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\x.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\EventCleaner.exe
    EventCleaner.exe closehandle
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K rdp.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\attrib.exe
      attrib Default.rdp -s -h
      4⤵
      Views/modifies file attributes
      PID:2032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K logkiller.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      PID:1176
    - - C:\Windows\SysWOW64\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:768
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Application"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1416
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "DirectShowFilterGraph"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "DirectShowPluginControl"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Els_Hyphenation/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1584
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "EndpointMapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "ForwardedEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "HardwareEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1732
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1568
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Media Center"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:112
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPipeline"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1536
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPlatform"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:564
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-IE/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1908
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1444
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:884
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1276
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1508
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1068
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1488
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:1236
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:580
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:1744
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
      4⤵
      Clears Windows event logs
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:1836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      Clears Windows event logs
      PID:1324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
      4⤵
      PID:592
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      PID:1384
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      PID:1012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
      4⤵
      PID:1640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:1604
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Backup"
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:1152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:300
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      Clears Windows event logs
      PID:1652
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      Clears Windows event logs
      PID:1820
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      PID:240
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      Clears Windows event logs
      PID:676
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      PID:1376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      PID:292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
      4⤵
      Clears Windows event logs
      PID:1584
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
      4⤵
      PID:1008
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      Clears Windows event logs
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      PID:396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:1508
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      PID:2032
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      Clears Windows event logs
      PID:2028
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
      4⤵
      PID:1236
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:580
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      PID:2036
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:1664
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      Clears Windows event logs
      PID:1656
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      PID:268
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      PID:768
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      Clears Windows event logs
      PID:1496
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
      4⤵
      PID:1324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:592
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1616
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:1428
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      Clears Windows event logs
      PID:1524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      Clears Windows event logs
      PID:1824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      Clears Windows event logs
      PID:1152
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
      4⤵
      PID:612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
      4⤵
      Clears Windows event logs
      PID:300
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      Clears Windows event logs
      PID:1652
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:544
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
      4⤵
      Clears Windows event logs
      PID:376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
      4⤵
      Clears Windows event logs
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      Clears Windows event logs
      PID:2040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
      4⤵
      PID:292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      Clears Windows event logs
      PID:1608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
      4⤵
      Clears Windows event logs
      PID:1832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      Clears Windows event logs
      PID:1612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
      4⤵
      Clears Windows event logs
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
      4⤵
      Clears Windows event logs
      PID:1976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Help/Operational"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
      4⤵
      Clears Windows event logs
      PID:1420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International/Operational"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
      4⤵
      Clears Windows event logs
      PID:1416
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
      4⤵
      PID:292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
      4⤵
      Clears Windows event logs
      PID:632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
      4⤵
      Clears Windows event logs
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
      4⤵
      Clears Windows event logs
      PID:1228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
      4⤵
      Clears Windows event logs
      PID:292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
      4⤵
      Clears Windows event logs
      PID:1832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
      4⤵
      Clears Windows event logs
      PID:1452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
      4⤵
      Clears Windows event logs
      PID:1220
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
      4⤵
      Clears Windows event logs
      PID:1416
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
      4⤵
      Clears Windows event logs
      PID:292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
      4⤵
      Clears Windows event logs
      PID:1608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
      4⤵
      Clears Windows event logs
      PID:1672
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
      4⤵
      Clears Windows event logs
      PID:1220
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
      4⤵
      Clears Windows event logs
      PID:676
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
      4⤵
      PID:1412
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
      4⤵
      PID:1416
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
      4⤵
      PID:292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
      4⤵
      Clears Windows event logs
      PID:1584
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
      4⤵
      PID:1876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
      4⤵
      PID:1352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
      4⤵
      PID:1420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
      4⤵
      Clears Windows event logs
      PID:1992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
      4⤵
      Clears Windows event logs
      PID:1176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
      4⤵
      PID:612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
      4⤵
      PID:300
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
      4⤵
      Clears Windows event logs
      PID:316
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
      4⤵
      PID:396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
      4⤵
      Clears Windows event logs
      PID:2032
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
      4⤵
      Clears Windows event logs
      PID:2028
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
      4⤵
      PID:696
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
      4⤵
      PID:2012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
      4⤵
      PID:240
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
      4⤵
      PID:1376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1596
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
      4⤵
      PID:292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
      4⤵
      Clears Windows event logs
      PID:1832
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
      4⤵
      PID:1328
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
      4⤵
      PID:1612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
      4⤵
      PID:1632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
      4⤵
      PID:632
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1688
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
      4⤵
      PID:836
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
      4⤵
      PID:1672
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
      4⤵
      Clears Windows event logs
      PID:1352
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
      4⤵
      PID:1452
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
      4⤵
      PID:1556
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
      4⤵
      PID:760
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
      4⤵
      PID:1220
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
      4⤵
      PID:1820
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1420
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
      4⤵
      PID:376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
      4⤵
      PID:1780
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
      4⤵
      PID:1980
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
      4⤵
      PID:700
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
      4⤵
      PID:1228
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
      4⤵
      PID:524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
      4⤵
      PID:900
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
      4⤵
      PID:1636
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
      4⤵
      PID:1588
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:956
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
      4⤵
      PID:1176
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
      4⤵
      PID:1732
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
      4⤵
      PID:1524
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
      4⤵
      PID:1824
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
      4⤵
      PID:848
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
      4⤵
      PID:324
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
      4⤵
      PID:1536
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
      4⤵
      PID:1972
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
      4⤵
      PID:612
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
      4⤵
      PID:300
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
      4⤵
      PID:1652
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
      4⤵
      Clears Windows event logs
      PID:1876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
      4⤵
      PID:828
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
      4⤵
      PID:396
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
      4⤵
      PID:1748
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
      4⤵
      PID:1104
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
      4⤵
      Clears Windows event logs
      PID:2032
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
      4⤵
      PID:1052
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
      4⤵
      PID:1280
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
      4⤵
      PID:696
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
      4⤵
      Clears Windows event logs
      PID:2012
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
      4⤵
      Clears Windows event logs
      PID:240
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
      4⤵
      PID:1656
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1180
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
      4⤵
      PID:1936
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
      4⤵
      PID:572
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
      4⤵
      PID:1376
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
      4⤵
      PID:640
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
      4⤵
      PID:1380
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
      4⤵
      PID:876
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
      4⤵
      PID:1620
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
      4⤵
      PID:932
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
      4⤵
      PID:868
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
      4⤵
      PID:1596
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ntshrui"
      4⤵
      PID:292
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
      4⤵
      PID:1740
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
      4⤵
      PID:1608
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "OAlerts"
      4⤵
      Clears Windows event logs
      PID:1172
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Security"
      4⤵
      PID:1600
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Setup"
      4⤵
      PID:436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "System"
      4⤵
      Clears Windows event logs
      PID:704
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "TabletPC_InputPanel_Channel"
      4⤵
      PID:2016
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
      4⤵
      PID:564
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
      4⤵
      PID:1072
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "WMPSetup"
      4⤵
      Clears Windows event logs
      PID:1436
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "WMPSyncEngine"
      4⤵
      PID:1444
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "Windows PowerShell"
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
      4⤵
      PID:884
  - - C:\Windows\SysWOW64\wevtutil.exe
      wevtutil.exe cl "muxencode"
      4⤵
      PID:1276
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K putty.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKEY_CURRENT_USER\Software\SimonTatham\PuTTY" /f
      4⤵
      PID:884
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\phant0mx64.exe
    phant0mx64.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell .\rdp_reg_clear.ps1
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\SysWOW64\timeout.exe
    timeout 45
    3⤵
    - Delays execution with timeout.exe
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\FileWiper.exe
    FileWiper.exe
    3⤵
    - Executes dropped EXE
    PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K extra.bat
    3⤵
    PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\EventCleaner.exe

Filesize
302KB

MD5
694f6268d897b513c82faae3f260d893

SHA1
62824d85ea5e6d79386712e5ecf35aaf7868ecfa

SHA256
cb40e9c51f53066c2241e6abd5f642ce7d02ba577b2b693c48a0c47a4cfa8d96

SHA512
79200c4b566bf6891a5e352afec439f339ec075059a2210571357460f4b068ef70a09b7765032f8deedda1103febc3d0f45345984d0f9d3bfea16fd4aa07df70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FileWiper.exe

Filesize
13KB

MD5
73b54e36c9eaf4108be0ea9149f92ae8

SHA1
2d359742c4aaef7d3a9ea95d3d18a16d063f46a1

SHA256
bc86839ffece0217c274d10235a77e8d87aaee2a81e0ed62d2c8b3f53df053df

SHA512
dcddd98091d5a6d089f90979c7fc2bbe2d87c69628a5de1e07ceef7e33e038554ffd2884f0e891d60cb12aae8502770c7a648edf3bdb80f475668bc8207a9afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\FileWiper.exe

Filesize
13KB

MD5
73b54e36c9eaf4108be0ea9149f92ae8

SHA1
2d359742c4aaef7d3a9ea95d3d18a16d063f46a1

SHA256
bc86839ffece0217c274d10235a77e8d87aaee2a81e0ed62d2c8b3f53df053df

SHA512
dcddd98091d5a6d089f90979c7fc2bbe2d87c69628a5de1e07ceef7e33e038554ffd2884f0e891d60cb12aae8502770c7a648edf3bdb80f475668bc8207a9afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\extra.bat

Filesize
334B

MD5
0108b8594448301a3219b355c868cdbd

SHA1
bd4afb88dcd973bdd63990b91297acc2da476f89

SHA256
12e04ca28b0275ddf3dd4f165139e85e948a03c12871fe65df034edd561c52d8

SHA512
9961369e9c2e2fbd1f1a89d1211a74796482b9c0039033b2e72462e970876d39bd4db913adc7b297177c16bf3d37e73494068bb2af43d14222d8d44c4923a34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\logkiller.bat

Filesize
436B

MD5
d8cc45473b9d3f703f17cc838395c698

SHA1
47b5adffeae34e0b934364a1e74eef241774353c

SHA256
65f82ffb119de3b2ebac2bacbfe8c8667091b884a7553467d03df281b6d1fca5

SHA512
80b04979880873ef2dcc2fc6d7d0ff4241e1e4d40c9ef1e433acccc8f9ede04666eb9b7f05171aab86acaf6e1c181349c85789f9942c25d7a8004cf4bdafcf23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\phant0mx64.exe

Filesize
125KB

MD5
174cf19b28154708db2ce660a9ba4cc6

SHA1
8945b29b6d6b171fe7dec5bc0a99e21f06801f3a

SHA256
c2efee00eb1323b0189e98713e13698ef573a420e448496584defed46d8255e4

SHA512
b1e74a9f3cce7dcf9912af1875564945c444d04ec01b6024aec6fb1f0e79ad9d08a6c255c0fe9638f01090578c7411af950cbbeeb1cf8bf3b94a32a5503c66c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\putty.bat

Filesize
60B

MD5
ca2791c7a8961e4f88e72c4ad78db80a

SHA1
35f26129e533b1af4b4b69e31b51ef43a72b21a8

SHA256
dc76c8e1a94260d0143efe3b537d4296776d9b6e3daad4dbc6d4e994891b481f

SHA512
53be91e8f8c890d8c6cf60d1f39475a0c79755b8250832d625e6755d0f8633aca2fbdfb5ff507c88995ee8d5407a8d8691e8b23b704bb4053b18198716673c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rdp.bat

Filesize
334B

MD5
7683eda9b2f40a6a7cb60cba03150b1e

SHA1
85930febb9f762b40e95b8cf70a8b237471515b7

SHA256
b884404ed849e707b415559240cfcd550c717301f0e0f2b8e2111ba9144d9f42

SHA512
c72e0c960872e4ff88d57e2289eb18773469789a890ac0cd3759874a7b99e807ff5396fd9bccb225729ed262ba66412e689777fc0e7fc0adbb770c0355527ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rdp_reg_clear.ps1

Filesize
726B

MD5
6569b2bab916886b6a324463328c2990

SHA1
61710d034bead7d3f0f6ac6cd1541b63ceca9ec0

SHA256
ff445e24d3e85ac237e8eb8f6b4c92afb3a99d1caa9a127115a8f974a94bf843

SHA512
4f7e3f4b4f17c19aae51d3ee8a8939f7c6ff78519039c7ca6f9c06a8071fc786098fcffe61f70b2a17a4b4032c5098edc45016fae71535a354854e2730dd1101

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x.bat

Filesize
353B

MD5
cdbd558bbfcb4dc28fbff2ae78b7cf83

SHA1
f153ee902a5d4a10b7e7084584ef543b2a8e6a79

SHA256
1532958707f32b50577a32c9b6151330c6f72967d27f293216ffef3ed7f28c9f

SHA512
e88fb13f5bf515393f9adf34980245019fc7a04b770e8dc481a7c3062e049b0d9b0098aa666ccaa08c1f1939ee22f2d5844ae3caefea5630bf779e601c0461ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\x.bat

Filesize
353B

MD5
cdbd558bbfcb4dc28fbff2ae78b7cf83

SHA1
f153ee902a5d4a10b7e7084584ef543b2a8e6a79

SHA256
1532958707f32b50577a32c9b6151330c6f72967d27f293216ffef3ed7f28c9f

SHA512
e88fb13f5bf515393f9adf34980245019fc7a04b770e8dc481a7c3062e049b0d9b0098aa666ccaa08c1f1939ee22f2d5844ae3caefea5630bf779e601c0461ea

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\EventCleaner.exe

Filesize
302KB

MD5
694f6268d897b513c82faae3f260d893

SHA1
62824d85ea5e6d79386712e5ecf35aaf7868ecfa

SHA256
cb40e9c51f53066c2241e6abd5f642ce7d02ba577b2b693c48a0c47a4cfa8d96

SHA512
79200c4b566bf6891a5e352afec439f339ec075059a2210571357460f4b068ef70a09b7765032f8deedda1103febc3d0f45345984d0f9d3bfea16fd4aa07df70

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\FileWiper.exe

Filesize
13KB

MD5
73b54e36c9eaf4108be0ea9149f92ae8

SHA1
2d359742c4aaef7d3a9ea95d3d18a16d063f46a1

SHA256
bc86839ffece0217c274d10235a77e8d87aaee2a81e0ed62d2c8b3f53df053df

SHA512
dcddd98091d5a6d089f90979c7fc2bbe2d87c69628a5de1e07ceef7e33e038554ffd2884f0e891d60cb12aae8502770c7a648edf3bdb80f475668bc8207a9afc

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\phant0mx64.exe

Filesize
125KB

MD5
174cf19b28154708db2ce660a9ba4cc6

SHA1
8945b29b6d6b171fe7dec5bc0a99e21f06801f3a

SHA256
c2efee00eb1323b0189e98713e13698ef573a420e448496584defed46d8255e4

SHA512
b1e74a9f3cce7dcf9912af1875564945c444d04ec01b6024aec6fb1f0e79ad9d08a6c255c0fe9638f01090578c7411af950cbbeeb1cf8bf3b94a32a5503c66c3

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\phant0mx64.exe

Filesize
125KB

MD5
174cf19b28154708db2ce660a9ba4cc6

SHA1
8945b29b6d6b171fe7dec5bc0a99e21f06801f3a

SHA256
c2efee00eb1323b0189e98713e13698ef573a420e448496584defed46d8255e4

SHA512
b1e74a9f3cce7dcf9912af1875564945c444d04ec01b6024aec6fb1f0e79ad9d08a6c255c0fe9638f01090578c7411af950cbbeeb1cf8bf3b94a32a5503c66c3

Download Submit
memory/1904-101-0x0000000000180000-0x000000000018A000-memory.dmp

Filesize
40KB

Download
memory/1904-105-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1904-107-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/1992-104-0x0000000002740000-0x0000000002780000-memory.dmp

Filesize
256KB

Download