Malware Analysis Report

2025-03-15 00:55

Sample ID 240626-pvlldavcrb
Target 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f
SHA256 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f
Tags
defense_evasion evasion execution impact persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f

Threat Level: Known bad

The file 9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion execution impact persistence ransomware

Clears Windows event logs

Deletes shadow copies

Deletes itself

Drops desktop.ini file(s)

Power Settings

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Runs net.exe

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 12:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 12:39

Reported

2024-06-26 12:44

Platform

win7-20240419-en

Max time kernel

206s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe"

Signatures

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A (64 identical entries)

Deletes shadow copies

ransomware defense_evasion impact execution

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\c:\program files\microsoft games\solitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\links\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\music\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\videos\sample videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\microsoft games\purble place\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\1033\dataservices\DESKTOP.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\favorites\links\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\saved games\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\music\sample music\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\recorded tv\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\f:\$recycle.bin\s-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\microsoft games\freecell\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\microsoft games\hearts\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\microsoft games\mahjong\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\music\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\microsoft games\chess\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\pictures\sample pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\public\recorded tv\sample media\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\$recycle.bin\s-1-5-21-481678230-3773327859-3495911762-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\microsoft games\spidersolitaire\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\users\admin\favorites\links for united states\desktop.ini C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A

Power Settings

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\program files (x86)\microsoft office\office14\1033\ONENOTE_COL.hxt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\pubwiz\WSIDBR98.poc C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\Ashgabat C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jre7\lib\zi\america\Dawson C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File created \??\c:\program files\java\jre7\lib\zi\australia\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\NA02124_.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\OUTLFLTR.dat C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\ink\es-es\InkWatson.exe.mui C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\indian\Mauritius C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\microsoft games\minesweeper\fr-fr\Minesweeper.exe.mui C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\windows nt\tabletextservice\fr-fr\TableTextService.dll.mui C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\grphflt\JPEGIM32.flt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\videolan\vlc\locale\uz\lc_messages\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\dvd maker\shared\dvdstyles\babyboy\BabyBoyScenesBackground.wmv C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\dvd maker\shared\dvdstyles\full\full.png C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\config\modules\org-openide-options.xml_hidden C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\AG00126_.gif C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\BD19986_.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0217302.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\convert\OLMAIL.fae C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\pagesize\PGLBL002.xml C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\common files\microsoft shared\ink\hr-hr\tipresx.dll.mui C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\africa\Tripoli C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\proof\MSTH7FR.lex C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\BS00186_.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0086428.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\SO00159_.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\7-zip\lang\et.txt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\videolan\vlc\locale\de\lc_messages\vlc.mo C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\common files\system\fr-fr\wab32res.dll.mui C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\media\cagcat10\J0233018.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\media\office14\bullets\BD14752_.gif C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-loaders_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\weather.gadget\ja-jp\gadget.xml C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\about.html C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0145904.jpg C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\SO02228_.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\media\cagcat10\J0149887.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove\sounds\places\LASER.wav C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\de-de\css\picturePuzzle.css C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\dvd maker\shared\dvdstyles\performance\Notes_loop.wmv C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\jre\lib\zi\WET C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File created \??\c:\program files (x86)\common files\microsoft shared\themes14\sky\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\J0086424.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\bg_LightSpirit.gif C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\themes14\edge\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\7-zip\lang\br.txt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\ink\es-es\rtscom.dll.mui C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\slideshow.gadget\images\in_sidebar\bg_sidebar.png C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\common files\microsoft shared\ink\de-de\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\templates\1033\LoanAmortization.xltx C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File created \??\c:\program files\videolan\vlc\locale\ff\lc_messages\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\common files\system\msadc\es-es\msadcor.dll.mui C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\groove\tooldata\groove.net\grooveforms3\formsstyles\Americana.css C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\images\next_down.png C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File created \??\c:\program files\microsoft games\spidersolitaire\en-us\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\dvd maker\fr-fr\DVDMaker.exe.mui C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files\windows sidebar\gadgets\slideshow.gadget\images\pause_down.png C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\clipart\pub60cor\DD01761_.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\media\cagcat10\J0251871.wmf C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft office\office14\pubwiz\NAVBARV.poc C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A
File created \??\c:\program files\microsoft games\purble place\it-it\!!readme!!!.txt C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\vssadmin.exe N/A
N/A N/A C:\Windows\System32\vssadmin.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\System32\reg.exe N/A
N/A N/A C:\Windows\System32\reg.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A (31 identical entries, alternating with the row below)
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A (30 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe C:\Windows\System32\vssadmin.exe (3 identical entries)
PID 2100 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe C:\Windows\System32\reg.exe (3 identical entries)
PID 2100 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe C:\Windows\System32\net.exe (3 identical entries)
PID 760 wrote to memory of 2444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe (3 identical entries)
PID 2100 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe C:\Windows\System32\vssadmin.exe (3 identical entries)
PID 2100 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe C:\Windows\System32\reg.exe (3 identical entries)
PID 2100 wrote to memory of 664 N/A C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe C:\Windows\System32\net.exe (3 identical entries)
PID 664 wrote to memory of 1648 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 664 wrote to memory of 1648 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 664 wrote to memory of 1648 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2100 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe C:\Windows\system32\cmd.exe
PID 2100 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe C:\Windows\system32\cmd.exe
PID 2100 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2744 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3004 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3004 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 3004 wrote to memory of 2516 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe
PID 2744 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wevtutil.exe

Uses Volume Shadow Copy service COM API

ransomware
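The WriteProcessMemory rows above give the process tree (the sample, PID 2100, spawning vssadmin.exe, reg.exe, net.exe and cmd.exe, with cmd.exe 2744 fanning out one wevtutil.exe child per log), and the Processes list below gives the command lines. The block that follows is an added detection example, not part of the sandbox report: it runs over constructed process-creation events modelled on those command lines (PIDs, images and arguments of the malicious chain are taken from this report; the rows under the invented parent PID 900 are benign administrator activity, included to show what must not fire), matches each command line against the behaviours the report's signatures name, and walks the parent chain back to the first image outside C:\Windows so every hit is attributed to the initiating sample rather than to cmd.exe or net.exe. The rule names and the three-child threshold are this example's own choices.

```python
"""Detection over process-creation events: flag the behaviours this report
records and attribute each hit to the non-Windows process that started the chain."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


class Finding(NamedTuple):
    rule: str
    pid: int
    root_pid: int


# Constructed sample events (not sandbox output). PIDs, images and command lines
# of the malicious chain follow this report; the rows under parent PID 900 are
# invented benign administrator activity, included to show what must not fire.
SAMPLE_EVENTS: List[Event] = [
    Event(2100, 1500, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"'),
    Event(1788, 2100, r"C:\Windows\System32\vssadmin.exe",
          r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'),
    Event(1700, 2100, r"C:\Windows\System32\reg.exe",
          r'"C:\Windows\System32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f'),
    Event(760, 2100, r"C:\Windows\System32\net.exe",
          r'"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m'),
    Event(2444, 760, r"C:\Windows\system32\net1.exe",
          r"C:\Windows\system32\net1 stop MSSQLSERVER /f /m"),
    Event(2744, 2100, r"C:\Windows\system32\cmd.exe",
          r"cmd /c temp.cmd C:\Users\Admin\AppData\Local\Temp\sample.exe"),
    Event(3004, 2744, r"C:\Windows\system32\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c wevtutil.exe el"),
    Event(2516, 3004, r"C:\Windows\system32\wevtutil.exe", r"wevtutil.exe el"),
    Event(2080, 2744, r"C:\Windows\system32\wevtutil.exe", r'wevtutil.exe cl "Application"'),
    Event(2688, 2744, r"C:\Windows\system32\wevtutil.exe", r'wevtutil.exe cl "ForwardedEvents"'),
    Event(2536, 2744, r"C:\Windows\system32\wevtutil.exe",
          r'wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"'),
    Event(4100, 900, r"C:\Windows\system32\wevtutil.exe", r'wevtutil.exe cl "Application"'),
    Event(4200, 900, r"C:\Windows\System32\vssadmin.exe",
          r'"C:\Windows\System32\vssadmin.exe" list shadows'),
]

# One regex per behaviour named in the report's signature list (rule names are ours).
RULES: Dict[str, re.Pattern] = {
    "shadow_copy_deletion": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "eventlog_enumeration": re.compile(r"\bwevtutil(\.exe)?\b\s+el\b", re.I),
    "eventlog_clear": re.compile(r"\bwevtutil(\.exe)?\b\s+cl\b", re.I),
    "rdp_disconnect_timeout_tamper": re.compile(
        r"\breg(\.exe)?\b.*\badd\b.*\bMaxDisconnectionTime\b", re.I),
    "mssql_service_stop": re.compile(r"\bnet1?(\.exe)?\b.*\bstop\s+MSSQLSERVER\b", re.I),
}

WINDOWS_DIR = "c:\\windows\\"


def root_of(pid: int, by_pid: Dict[int, Event]) -> int:
    """Walk the parent chain until the first image that does not live under
    C:\\Windows; that process (here the unsigned sample in Temp) is the initiator.
    If every visible ancestor is a Windows binary, attribute to the last one seen."""
    seen: Set[int] = set()
    cur = last = pid
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        last = cur
        if not by_pid[cur].image.lower().startswith(WINDOWS_DIR):
            return cur
        cur = by_pid[cur].ppid
    return last


def mass_clear_parents(events: List[Event], threshold: int = 3) -> Dict[int, int]:
    """Parents that spawned at least `threshold` distinct `wevtutil cl` children.
    One cleared log is routine admin work; a fan-out like cmd.exe 2744's is not."""
    children: Dict[int, Set[int]] = defaultdict(set)
    for ev in events:
        if RULES["eventlog_clear"].search(ev.cmdline):
            children[ev.ppid].add(ev.pid)
    return {ppid: len(pids) for ppid, pids in children.items() if len(pids) >= threshold}


def detect(events: List[Event]) -> List[Finding]:
    """Per-event rule hits plus the fan-out rule, each attributed to its root process."""
    by_pid = {ev.pid: ev for ev in events}
    findings = [Finding(name, ev.pid, root_of(ev.pid, by_pid))
                for ev in events for name, rx in RULES.items() if rx.search(ev.cmdline)]
    findings += [Finding("eventlog_mass_clear", ppid, root_of(ppid, by_pid))
                 for ppid in mass_clear_parents(events)]
    return findings


def summarize(findings: List[Finding]) -> Dict[int, Set[str]]:
    """Rule names grouped by attributed root process."""
    out: Dict[int, Set[str]] = defaultdict(set)
    for f in findings:
        out[f.root_pid].add(f.rule)
    return dict(out)


if __name__ == "__main__":
    for root, rules in sorted(summarize(detect(SAMPLE_EVENTS)).items()):
        print(root, sorted(rules))
```

In production the events would come from Security event 4688 with command-line auditing enabled, or from Sysmon Event ID 1, which carry the same pid, parent pid, image and command-line fields. The `eventlog_mass_clear` rule is what separates this sample's fan-out from an administrator clearing one log, and attributing to the first non-Windows ancestor is what makes the alert point at the Temp executable instead of at cmd.exe.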

Processes

C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe

"C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe"

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /f /m

C:\Windows\System32\vssadmin.exe

"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet

C:\Windows\System32\reg.exe

"C:\Windows\System32\reg.exe" add HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services /v MaxDisconnectionTime /t REG_DWORD /d 1209600000 /f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop MSSQLSERVER /f /m

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop MSSQLSERVER /f /m

C:\Windows\system32\cmd.exe

cmd /c temp.cmd C:\Users\Admin\AppData\Local\Temp\9f702b94a86558df87de316611d9f1bfe99a6d8da9fa9b3d7bb125a12f9ad11f.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Media Center"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MCT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Render"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ntshrui"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "OAlerts"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Setup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "System"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "TabletPC_InputPanel_Channel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSetup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSyncEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Windows PowerShell"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "muxencode"

Network

N/A

Files

C:\Program Files\7-Zip\!!readme!!!.txt

MD5 40921dea838c88bcc9e6f0394326e6e9
SHA1 95343a9d3b57aa8cbf916be4125a48e67ba8191c
SHA256 b5e53823637f8548f006185ca684b4072b2c0d4360b4617c92e4fb39c222f877
SHA512 8e7164bca747756084b1b40400a87592fdeb8883bd568939c2f10b617e98a4c7f6fe390b0a24b2f5f723a8728ef177214811ca7bcbfa4a9f091719e8ca803898

C:\Users\Admin\AppData\Local\Temp\temp.cmd

MD5 d81eac651a27977bd85805ff21a4bb7e
SHA1 78941577c618fd03df79d9e0921bb9a5e5063892
SHA256 442c16903c74297f029c964e9c78302816d3e9b9a1562ea8fd3d652790db3a5e
SHA512 b50bc5044cd6fa3a02fa2a34c63a6ed1da4c43df6a496fc92b99c9cd896b5d04dc2af57a66f248a328c0027f767af9f36048a640c027744c47389a6cbba1c88d