a1ec0e24579de82840b019831252d73784f4ea5c4c16461103176bcc40cc1376

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	powershell.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 17 IoCs

defense_evasion trojan

Modify Registry

Windows Service

Disable or Modify Tools

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	powershell.exe

UAC bypass 3 TTPs 8 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

defense_evasion ransomware

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe

Clears Windows event logs 1 TTPs 64 IoCs

Clear Windows Event Logs

T1070.001

pid	Process
6116	Process not Found
7100	Process not Found
7100	Process not Found
7124	Process not Found
6272	Process not Found
6540	Process not Found
7432	Process not Found
7576	Process not Found
4716	Process not Found
2740	wevtutil.exe
6956	Process not Found
6340	Process not Found
6344	Process not Found
6692	Process not Found
6812	Process not Found
6676	Process not Found
6592	Process not Found
3320	wevtutil.exe
6780	Process not Found
3580	Process not Found
7028	Process not Found
5008	Process not Found
6568	Process not Found
4664	Process not Found
6664	Process not Found
220	wevtutil.exe
5460	Process not Found
6932	Process not Found
7124	Process not Found
6772	Process not Found
7612	Process not Found
7672	Process not Found
7488	Process not Found
4996	Process not Found
6804	Process not Found
7028	Process not Found
6780	Process not Found
6316	Process not Found
6320	Process not Found
5336	wevtutil.exe
3400	Process not Found
4688	Process not Found
1612	Process not Found
6840	Process not Found
7096	Process not Found
5296	Process not Found
4560	Process not Found
4544	Process not Found
924	Process not Found
668	Process not Found
6824	Process not Found
7704	Process not Found
7656	Process not Found
4664	wevtutil.exe
2968	wevtutil.exe
4572	wevtutil.exe
392	Process not Found
2344	Process not Found
2344	Process not Found
4748	Process not Found
8084	Process not Found
6168	Process not Found
5928	Process not Found
8004	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
5536	powershell.exe
3936	powershell.exe
1316	powershell.exe
3152	Process not Found
3156	Process not Found
6920	Process not Found
4412	Process not Found
5176	powershell.exe
1888	Process not Found
6504	Process not Found
7932	Process not Found
4900	powershell.exe
7012	Process not Found
6172	Process not Found
5960	powershell.exe
1652	powershell.exe
5320	powershell.exe
664	powershell.exe
2188	powershell.exe
3456	Process not Found
7052	Process not Found
7540	Process not Found
3636	powershell.exe

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate137 = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Verdacrypt-Z.ps1\" -HiddenRun"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate547 = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Verdacrypt-Z.ps1\" -HiddenRun"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate768 = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Verdacrypt-Z.ps1\" -HiddenRun"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate173 = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Verdacrypt-Z.ps1\" -HiddenRun"	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate654 = "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Verdacrypt-Z.ps1\" -HiddenRun"	powershell.exe

Hide Artifacts: Hidden Window 1 TTPs 22 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
6608	Process not Found
2748	cmd.exe
6612	Process not Found
1156	Process not Found
7376	Process not Found
8016	Process not Found
1480	cmd.exe
3512	cmd.exe
1204	cmd.exe
3168	cmd.exe
5440	cmd.exe
112	Process not Found
2336	Process not Found
6544	Process not Found
1492	cmd.exe
5168	Process not Found
5656	Process not Found
6224	Process not Found
6412	Process not Found
6124	cmd.exe
5444	cmd.exe
4028	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
3636	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe
5536	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeIncreaseQuotaPrivilege	3636	powershell.exe
Token: SeSecurityPrivilege	3636	powershell.exe
Token: SeTakeOwnershipPrivilege	3636	powershell.exe
Token: SeLoadDriverPrivilege	3636	powershell.exe
Token: SeSystemProfilePrivilege	3636	powershell.exe
Token: SeSystemtimePrivilege	3636	powershell.exe
Token: SeProfSingleProcessPrivilege	3636	powershell.exe
Token: SeIncBasePriorityPrivilege	3636	powershell.exe
Token: SeCreatePagefilePrivilege	3636	powershell.exe
Token: SeBackupPrivilege	3636	powershell.exe
Token: SeRestorePrivilege	3636	powershell.exe
Token: SeShutdownPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeSystemEnvironmentPrivilege	3636	powershell.exe
Token: SeRemoteShutdownPrivilege	3636	powershell.exe
Token: SeUndockPrivilege	3636	powershell.exe
Token: SeManageVolumePrivilege	3636	powershell.exe
Token: 33	3636	powershell.exe
Token: 34	3636	powershell.exe
Token: 35	3636	powershell.exe
Token: 36	3636	powershell.exe
Token: SeIncreaseQuotaPrivilege	3636	powershell.exe
Token: SeSecurityPrivilege	3636	powershell.exe
Token: SeTakeOwnershipPrivilege	3636	powershell.exe
Token: SeLoadDriverPrivilege	3636	powershell.exe
Token: SeSystemProfilePrivilege	3636	powershell.exe
Token: SeSystemtimePrivilege	3636	powershell.exe
Token: SeProfSingleProcessPrivilege	3636	powershell.exe
Token: SeIncBasePriorityPrivilege	3636	powershell.exe
Token: SeCreatePagefilePrivilege	3636	powershell.exe
Token: SeBackupPrivilege	3636	powershell.exe
Token: SeRestorePrivilege	3636	powershell.exe
Token: SeShutdownPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeSystemEnvironmentPrivilege	3636	powershell.exe
Token: SeRemoteShutdownPrivilege	3636	powershell.exe
Token: SeUndockPrivilege	3636	powershell.exe
Token: SeManageVolumePrivilege	3636	powershell.exe
Token: 33	3636	powershell.exe
Token: 34	3636	powershell.exe
Token: 35	3636	powershell.exe
Token: 36	3636	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeIncreaseQuotaPrivilege	3636	powershell.exe
Token: SeSecurityPrivilege	3636	powershell.exe
Token: SeTakeOwnershipPrivilege	3636	powershell.exe
Token: SeLoadDriverPrivilege	3636	powershell.exe
Token: SeSystemProfilePrivilege	3636	powershell.exe
Token: SeSystemtimePrivilege	3636	powershell.exe
Token: SeProfSingleProcessPrivilege	3636	powershell.exe
Token: SeIncBasePriorityPrivilege	3636	powershell.exe
Token: SeCreatePagefilePrivilege	3636	powershell.exe
Token: SeBackupPrivilege	3636	powershell.exe
Token: SeRestorePrivilege	3636	powershell.exe
Token: SeShutdownPrivilege	3636	powershell.exe
Token: SeDebugPrivilege	3636	powershell.exe
Token: SeSystemEnvironmentPrivilege	3636	powershell.exe
Token: SeRemoteShutdownPrivilege	3636	powershell.exe
Token: SeUndockPrivilege	3636	powershell.exe
Token: SeManageVolumePrivilege	3636	powershell.exe
Token: 33	3636	powershell.exe
Token: 34	3636	powershell.exe
Token: 35	3636	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 5824	3636	powershell.exe	87
PID 3636 wrote to memory of 5824	3636	powershell.exe	87
PID 5824 wrote to memory of 220	5824	csc.exe	88
PID 5824 wrote to memory of 220	5824	csc.exe	88
PID 1480 wrote to memory of 4900	1480	cmd.exe	95
PID 1480 wrote to memory of 4900	1480	cmd.exe	95
PID 4900 wrote to memory of 4872	4900	powershell.exe	96
PID 4900 wrote to memory of 4872	4900	powershell.exe	96
PID 4872 wrote to memory of 4764	4872	csc.exe	97
PID 4872 wrote to memory of 4764	4872	csc.exe	97
PID 3512 wrote to memory of 5536	3512	cmd.exe	100
PID 3512 wrote to memory of 5536	3512	cmd.exe	100
PID 5536 wrote to memory of 1488	5536	powershell.exe	231
PID 5536 wrote to memory of 1488	5536	powershell.exe	231
PID 1488 wrote to memory of 3152	1488	csc.exe	102
PID 1488 wrote to memory of 3152	1488	csc.exe	102
PID 6124 wrote to memory of 3936	6124	cmd.exe	105
PID 6124 wrote to memory of 3936	6124	cmd.exe	105
PID 3936 wrote to memory of 5296	3936	powershell.exe	106
PID 3936 wrote to memory of 5296	3936	powershell.exe	106
PID 5296 wrote to memory of 5336	5296	csc.exe	169
PID 5296 wrote to memory of 5336	5296	csc.exe	169
PID 2748 wrote to memory of 5960	2748	cmd.exe	112
PID 2748 wrote to memory of 5960	2748	cmd.exe	112
PID 5960 wrote to memory of 2580	5960	powershell.exe	1928
PID 5960 wrote to memory of 2580	5960	powershell.exe	1928
PID 2580 wrote to memory of 3176	2580	csc.exe	1955
PID 2580 wrote to memory of 3176	2580	csc.exe	1955
PID 4900 wrote to memory of 5040	4900	powershell.exe	578
PID 4900 wrote to memory of 5040	4900	powershell.exe	578
PID 5536 wrote to memory of 3100	5536	powershell.exe	116
PID 5536 wrote to memory of 3100	5536	powershell.exe	116
PID 4900 wrote to memory of 1432	4900	powershell.exe	1565
PID 4900 wrote to memory of 1432	4900	powershell.exe	1565
PID 5536 wrote to memory of 2740	5536	powershell.exe	1666
PID 5536 wrote to memory of 2740	5536	powershell.exe	1666
PID 4900 wrote to memory of 4332	4900	powershell.exe	1875
PID 4900 wrote to memory of 4332	4900	powershell.exe	1875
PID 5536 wrote to memory of 436	5536	powershell.exe	1066
PID 5536 wrote to memory of 436	5536	powershell.exe	1066
PID 5536 wrote to memory of 2464	5536	powershell.exe	122
PID 5536 wrote to memory of 2464	5536	powershell.exe	122
PID 4900 wrote to memory of 348	4900	powershell.exe	123
PID 4900 wrote to memory of 348	4900	powershell.exe	123
PID 5536 wrote to memory of 2996	5536	powershell.exe	261
PID 5536 wrote to memory of 2996	5536	powershell.exe	261
PID 4900 wrote to memory of 2176	4900	powershell.exe	196
PID 4900 wrote to memory of 2176	4900	powershell.exe	196
PID 5536 wrote to memory of 3388	5536	powershell.exe	126
PID 5536 wrote to memory of 3388	5536	powershell.exe	126
PID 4900 wrote to memory of 3988	4900	powershell.exe	127
PID 4900 wrote to memory of 3988	4900	powershell.exe	127
PID 5536 wrote to memory of 2288	5536	powershell.exe	128
PID 5536 wrote to memory of 2288	5536	powershell.exe	128
PID 4900 wrote to memory of 5244	4900	powershell.exe	129
PID 4900 wrote to memory of 5244	4900	powershell.exe	129
PID 4900 wrote to memory of 2112	4900	powershell.exe	200
PID 4900 wrote to memory of 2112	4900	powershell.exe	200
PID 5536 wrote to memory of 220	5536	powershell.exe	1500
PID 5536 wrote to memory of 220	5536	powershell.exe	1500
PID 4900 wrote to memory of 2056	4900	powershell.exe	861
PID 4900 wrote to memory of 2056	4900	powershell.exe	861
PID 5536 wrote to memory of 3648	5536	powershell.exe	203
PID 5536 wrote to memory of 3648	5536	powershell.exe	203

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1
1⤵
- Modifies Windows Defender DisableAntiSpyware settings
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Command and Scripting Interpreter: PowerShell
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wutfvdo5\wutfvdo5.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5824
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES976D.tmp" "c:\Users\Admin\AppData\Local\Temp\wutfvdo5\CSC63D16D8692484CDAA0463235BCACA1D.TMP"
    3⤵
    PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Command and Scripting Interpreter: PowerShell
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gpnfq1v1\gpnfq1v1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F6C.tmp" "c:\Users\Admin\AppData\Local\Temp\gpnfq1v1\CSC56A916481EAC46D98DA47E1575D0F310.TMP"
      4⤵
      PID:4764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" el
    3⤵
    PID:5040
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Analytic
    3⤵
    PID:348
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Application
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
    3⤵
    PID:3988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
    3⤵
    PID:5244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
    3⤵
    PID:2112
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
    3⤵
    PID:3860
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "General Logging"
    3⤵
    - Clears Windows event logs
    PID:4664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
    3⤵
    PID:940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
    3⤵
    PID:2648
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
    3⤵
    PID:392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
    3⤵
    PID:5948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
    3⤵
    PID:5000
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
    3⤵
    PID:3320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
    3⤵
    PID:5684
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
    3⤵
    PID:5992
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
    3⤵
    PID:1316
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
    3⤵
    PID:1472
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
    3⤵
    PID:3616
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
    3⤵
    PID:4568
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
    3⤵
    PID:4792
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
    3⤵
    PID:5448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
    3⤵
    PID:5872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
    3⤵
    PID:5568
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
    3⤵
    PID:3420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
    3⤵
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
    3⤵
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
    3⤵
    PID:184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
    3⤵
    PID:2904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
    3⤵
    PID:5328
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
    3⤵
    PID:968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
    3⤵
    PID:6072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:6004
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:1444
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:4012
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:116
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
    3⤵
    PID:3052
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
    3⤵
    PID:5172
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
    3⤵
    PID:5040
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
    3⤵
    PID:4840
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
    3⤵
    PID:6000
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Debug
    3⤵
    PID:3592
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
    3⤵
    PID:316
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/ApplicationTracing
    3⤵
    PID:948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Diagnostic
    3⤵
    PID:5292
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Internal
    3⤵
    PID:6072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
    3⤵
    PID:5568
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:2120
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:3176
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Analytic
    3⤵
    PID:5172
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Debug
    3⤵
    PID:4140
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Diagnostics
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Debug
    3⤵
    PID:4632
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Diagnostic
    3⤵
    PID:3320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
    3⤵
    PID:640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Debug
    3⤵
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppSruProv
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Diagnostic
    3⤵
    PID:5172
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
    3⤵
    PID:244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Debug
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Diagnostic
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Operational
    3⤵
    PID:3592
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Restricted
    3⤵
    PID:5976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Analytic
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Operational
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:5072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:4016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug
    3⤵
    PID:4028
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
    3⤵
    PID:3872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic
    3⤵
    PID:1980
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
    3⤵
    PID:1636
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Steps-Recorder
    3⤵
    PID:5340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Debug
    3⤵
    PID:5656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Operational
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Performance
    3⤵
    PID:5792
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Admin
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Operational
    3⤵
    PID:5780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Admin
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Operational
    3⤵
    PID:344
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AsynchronousCausality/Causality
    3⤵
    PID:1980
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/GlitchDetection
    3⤵
    PID:3420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Informational
    3⤵
    PID:5480
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/PlaybackManager
    3⤵
    PID:3156
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
    3⤵
    PID:3580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:5072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUser-Client
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
    3⤵
    PID:5208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AxInstallService/Log
    3⤵
    PID:3764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/HCI
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/L2CAP
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Diagnostic
    3⤵
    PID:5832
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Performance
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Operational
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
    3⤵
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Battery/Diagnostic
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Analytic
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
    3⤵
    - Clears Windows event logs
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
    3⤵
    PID:1252
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-Driver-Performance/Operational
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:2892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker/Tracing
    3⤵
    PID:244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
    3⤵
    PID:344
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Bthmini/Operational
    3⤵
    PID:1488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
    3⤵
    PID:5136
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Policy/Operational
    3⤵
    PID:640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCache/Operational
    3⤵
    PID:5792
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
    3⤵
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheMonitoring/Analytic
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Analytic
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Operational
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:5208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CAPI2/Operational
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CDROM/Operational
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Analytic
    3⤵
    PID:5136
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentInitialize
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentUninitialize
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Call
    3⤵
    PID:2932
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/CreateInstance
    3⤵
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ExtensionCatalog
    3⤵
    PID:5532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/FreeUnusedLibrary
    3⤵
    PID:3580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/RundownInstrumentation
    3⤵
    PID:3020
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Activations
    3⤵
    PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Command and Scripting Interpreter: PowerShell
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5536
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\urcgq1qo\urcgq1qo.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA529.tmp" "c:\Users\Admin\AppData\Local\Temp\urcgq1qo\CSC1C5054F97F7C46E694E23754302A397.TMP"
      4⤵
      PID:3152
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" el
    3⤵
    PID:3100
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Analytic
    3⤵
    PID:2464
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Application
    3⤵
    PID:2996
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
    3⤵
    PID:3388
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
    3⤵
    PID:2288
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
    3⤵
    - Clears Windows event logs
    PID:220
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
    3⤵
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
    3⤵
    PID:5212
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
    3⤵
    PID:4240
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "General Logging"
    3⤵
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
    3⤵
    PID:4788
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
    3⤵
    PID:948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
    3⤵
    PID:3412
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
    3⤵
    PID:872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
    3⤵
    PID:3168
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
    3⤵
    - Clears Windows event logs
    PID:5336
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
    3⤵
    PID:4876
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
    3⤵
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
    3⤵
    PID:5780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
    3⤵
    PID:4016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
    3⤵
    PID:4540
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
    3⤵
    PID:2176
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
    3⤵
    PID:1636
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
    3⤵
    PID:5636
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
    3⤵
    PID:5696
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
    3⤵
    PID:4644
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
    3⤵
    PID:4340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
    3⤵
    PID:5504
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
    3⤵
    PID:5328
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
    3⤵
    PID:6132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:5460
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
    3⤵
    PID:2996
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
    3⤵
    PID:3580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
    3⤵
    PID:4240
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
    3⤵
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
    3⤵
    PID:4028
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
    3⤵
    PID:6116
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
    3⤵
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
    3⤵
    PID:5040
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:2104
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:5804
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:1696
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:4868
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:4796
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
    3⤵
    PID:6116
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
    3⤵
    PID:4140
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
    3⤵
    PID:5472
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
    3⤵
    PID:6100
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
    3⤵
    PID:5780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Debug
    3⤵
    PID:5832
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
    3⤵
    PID:4760
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/ApplicationTracing
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Diagnostic
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Internal
    3⤵
    PID:4612
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:6100
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:5684
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Analytic
    3⤵
    PID:6132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Debug
    3⤵
    PID:4216
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Diagnostics
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Debug
    3⤵
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Diagnostic
    3⤵
    PID:6072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
    3⤵
    PID:1176
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Debug
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
    3⤵
    PID:3080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppSruProv
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Diagnostic
    3⤵
    PID:6100
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
    3⤵
    PID:5096
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Debug
    3⤵
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Diagnostic
    3⤵
    PID:4244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Operational
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Restricted
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Analytic
    3⤵
    PID:5072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Operational
    3⤵
    PID:3580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:5364
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug
    3⤵
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace
    3⤵
    PID:5968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
    3⤵
    PID:1960
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Steps-Recorder
    3⤵
    PID:1252
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Debug
    3⤵
    PID:5684
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Operational
    3⤵
    PID:5364
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Performance
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Admin
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Operational
    3⤵
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Admin
    3⤵
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Operational
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AsynchronousCausality/Causality
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
    3⤵
    PID:5208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/GlitchDetection
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Informational
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/PlaybackManager
    3⤵
    PID:5364
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
    3⤵
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    3⤵
    PID:5416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUser-Client
    3⤵
    PID:2248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AxInstallService/Log
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/HCI
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/L2CAP
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Diagnostic
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Performance
    3⤵
    PID:3176
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic
    3⤵
    PID:3592
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Operational
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
    3⤵
    PID:5428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Battery/Diagnostic
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Analytic
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-Driver-Performance/Operational
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:2640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:4292
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker/Tracing
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
    3⤵
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Bthmini/Operational
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Policy/Operational
    3⤵
    PID:244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCache/Operational
    3⤵
    PID:1636
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
    3⤵
    PID:5860
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
    3⤵
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheMonitoring/Analytic
    3⤵
    PID:5972
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Analytic
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Operational
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CAPI2/Operational
    3⤵
    PID:5132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CDROM/Operational
    3⤵
    PID:1824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Analytic
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentInitialize
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentUninitialize
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Call
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/CreateInstance
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ExtensionCatalog
    3⤵
    PID:392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/FreeUnusedLibrary
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/RundownInstrumentation
    3⤵
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Activations
    3⤵
    PID:4680
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/MessageProcessing
    3⤵
    PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:6124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Modifies Windows Defender DisableAntiSpyware settings
  - Modifies Windows Defender Real-time Protection settings
  - UAC bypass
  - Command and Scripting Interpreter: PowerShell
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pmg5zbiq\pmg5zbiq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5296
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC7C.tmp" "c:\Users\Admin\AppData\Local\Temp\pmg5zbiq\CSC14A385C85A2946A39016EB84E5C9841D.TMP"
      4⤵
      PID:5336
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" el
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
    3⤵
    PID:4340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Analytic
    3⤵
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Application
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
    3⤵
    PID:5656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
    3⤵
    PID:1548
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "General Logging"
    3⤵
    PID:5416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
    3⤵
    PID:2712
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
    3⤵
    PID:5972
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
    3⤵
    PID:5096
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
    3⤵
    PID:4384
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
    3⤵
    PID:4288
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
    3⤵
    PID:4012
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
    3⤵
    PID:3944
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
    3⤵
    PID:2112
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
    3⤵
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
    3⤵
    PID:5340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
    3⤵
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
    3⤵
    PID:5632
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
    3⤵
    PID:3412
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
    3⤵
    PID:1488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
    3⤵
    PID:6000
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
    3⤵
    PID:3156
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
    3⤵
    PID:3080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
    3⤵
    PID:64
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
    3⤵
    PID:3144
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
    3⤵
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
    3⤵
    PID:2952
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
    3⤵
    PID:4808
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
    3⤵
    PID:2328
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
    3⤵
    PID:6052
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
    3⤵
    PID:5520
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
    3⤵
    PID:5852
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
    3⤵
    PID:3420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
    3⤵
    PID:5992
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:2412
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:3872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:5464
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:1176
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
    3⤵
    PID:3020
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
    3⤵
    PID:4948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
    3⤵
    PID:2032
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
    3⤵
    PID:112
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
    3⤵
    PID:1484
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
    3⤵
    PID:5172
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Debug
    3⤵
    PID:5132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
    3⤵
    PID:5992
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/ApplicationTracing
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Diagnostic
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Internal
    3⤵
    PID:4664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
    3⤵
    PID:5168
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:3624
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Analytic
    3⤵
    PID:2248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Debug
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Diagnostics
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Debug
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Diagnostic
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Debug
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppSruProv
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Diagnostic
    3⤵
    PID:2248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
    3⤵
    PID:5832
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Debug
    3⤵
    PID:5532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Diagnostic
    3⤵
    PID:1320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Operational
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Restricted
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Analytic
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Operational
    3⤵
    PID:3380
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:1484
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:6072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:1824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug
    3⤵
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic
    3⤵
    PID:3616
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
    3⤵
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
    3⤵
    PID:2932
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Steps-Recorder
    3⤵
    PID:3528
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Debug
    3⤵
    PID:1780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Operational
    3⤵
    PID:1636
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Performance
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Admin
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Operational
    3⤵
    PID:5072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Admin
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Operational
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AsynchronousCausality/Causality
    3⤵
    PID:4244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
    3⤵
    PID:6052
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/GlitchDetection
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Informational
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/PlaybackManager
    3⤵
    PID:1092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:5480
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    3⤵
    PID:3380
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUser-Client
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
    3⤵
    PID:5416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
    3⤵
    PID:2248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AxInstallService/Log
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/HCI
    3⤵
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/L2CAP
    3⤵
    PID:3688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Diagnostic
    3⤵
    PID:392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Performance
    3⤵
    PID:5520
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic
    3⤵
    PID:3844
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Operational
    3⤵
    PID:1636
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
    3⤵
    PID:5132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
    3⤵
    PID:5072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Battery/Diagnostic
    3⤵
    PID:3620
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Analytic
    3⤵
    PID:1888
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
    3⤵
    PID:5460
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-Driver-Performance/Operational
    3⤵
    PID:344
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker/Tracing
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
    3⤵
    PID:5972
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational
    3⤵
    PID:4736
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Bthmini/Operational
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-MTPEnum/Operational
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bluetooth-Policy/Operational
    3⤵
    PID:1252
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCache/Operational
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic
    3⤵
    PID:4016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheEventProvider/Diagnostic
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheMonitoring/Analytic
    3⤵
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Analytic
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BranchCacheSMB/Operational
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CAPI2/Operational
    3⤵
    PID:3156
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CDROM/Operational
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Analytic
    3⤵
    PID:5696
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentInitialize
    3⤵
    PID:5656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ApartmentUninitialize
    3⤵
    PID:316
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/Call
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/CreateInstance
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/ExtensionCatalog
    3⤵
    PID:5460
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/FreeUnusedLibrary
    3⤵
    PID:5792
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COM/RundownInstrumentation
    3⤵
    PID:5132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Activations
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/MessageProcessing
    3⤵
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-COMRuntime/Tracing
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-CertPoleEng/Operational
    3⤵
    PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Checks BIOS information in registry
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5960
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mrr4nrxa\mrr4nrxa.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB20A.tmp" "c:\Users\Admin\AppData\Local\Temp\mrr4nrxa\CSC95663C1E96054CAD8BCF7EAC99BCBD3.TMP"
      4⤵
      PID:3176
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" el
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
    3⤵
    PID:2904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Analytic
    3⤵
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Application
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
    3⤵
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
    3⤵
    PID:2328
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
    3⤵
    PID:5004
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
    3⤵
    PID:3320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
    3⤵
    PID:5992
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
    3⤵
    PID:4540
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "General Logging"
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
    3⤵
    PID:3860
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
    3⤵
    PID:5696
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
    3⤵
    PID:3332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
    3⤵
    PID:5768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
    3⤵
    PID:924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
    3⤵
    PID:1252
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
    3⤵
    PID:5684
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
    3⤵
    PID:1756
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
    3⤵
    PID:5404
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
    3⤵
    PID:3616
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
    3⤵
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
    3⤵
    PID:5340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
    3⤵
    PID:2180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
    3⤵
    PID:5936
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
    3⤵
    PID:4340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
    3⤵
    PID:4792
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
    3⤵
    PID:3172
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
    3⤵
    PID:664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
    3⤵
    PID:5792
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:3420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
    3⤵
    PID:5096
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
    3⤵
    PID:5168
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
    3⤵
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
    3⤵
    PID:1980
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
    3⤵
    PID:5900
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:5976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:1320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:396
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:3528
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
    3⤵
    PID:64
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
    3⤵
    PID:5340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
    3⤵
    PID:5168
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
    3⤵
    PID:5568
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Debug
    3⤵
    PID:5700
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
    3⤵
    PID:3616
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/ApplicationTracing
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Diagnostic
    3⤵
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Internal
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
    3⤵
    PID:344
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:5168
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:4140
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    - Clears Windows event logs
    PID:3320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
    3⤵
    PID:2248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Analytic
    3⤵
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Debug
    3⤵
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Diagnostics
    3⤵
    PID:3620
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Debug
    3⤵
    PID:5416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Diagnostic
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Debug
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
    3⤵
    PID:4244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppSruProv
    3⤵
    PID:5464
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Diagnostic
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Debug
    3⤵
    PID:5520
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Diagnostic
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Operational
    3⤵
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Restricted
    3⤵
    PID:5464
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Analytic
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Operational
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:5936
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:2312
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:904
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug
    3⤵
    PID:5792
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
    3⤵
    PID:1824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace
    3⤵
    PID:5696
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
    3⤵
    PID:2932
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Steps-Recorder
    3⤵
    PID:5428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Debug
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Operational
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Performance
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Admin
    3⤵
    PID:4680
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Operational
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Admin
    3⤵
    PID:4508
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Operational
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AsynchronousCausality/Causality
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/GlitchDetection
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Informational
    3⤵
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
    3⤵
    PID:5416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/PlaybackManager
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:5364
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    3⤵
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUser-Client
    3⤵
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController
    3⤵
    PID:3620
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AxInstallService/Log
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/HCI
    3⤵
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHPORT/L2CAP
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Diagnostic
    3⤵
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BTH-BTHUSB/Performance
    3⤵
    PID:4760
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTaskInfrastructure/Operational
    3⤵
    PID:5684
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Backup
    3⤵
    PID:5656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Connections/Operational
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational
    3⤵
    PID:5532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Battery/Diagnostic
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Analytic
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Biometrics/Operational
    3⤵
    PID:5416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Admin
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-DrivePreparationTool/Operational
    3⤵
    PID:4016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker-Driver-Performance/Operational
    3⤵
    PID:5860
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    - Clears Windows event logs
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-BitLocker/Tracing
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Analytic
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Bits-Client/Operational
    3⤵
    PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
PID:1204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5176
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rv55bf5q\rv55bf5q.cmdline"
    3⤵
    PID:2916
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB8F.tmp" "c:\Users\Admin\AppData\Local\Temp\rv55bf5q\CSCAB262A6CBC97402491812F798616AE4.TMP"
      4⤵
      PID:5092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" el
    3⤵
    PID:3056
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Analytic
    3⤵
    PID:3352
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Application
    3⤵
    PID:1800
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
    3⤵
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
    3⤵
    PID:5696
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
    3⤵
    PID:5892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
    3⤵
    PID:4372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "General Logging"
    3⤵
    PID:6072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
    3⤵
    PID:1252
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
    3⤵
    PID:1348
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
    3⤵
    PID:5416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
    3⤵
    PID:3320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
    3⤵
    PID:2248
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
    3⤵
    PID:5976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
    3⤵
    PID:344
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
    3⤵
    PID:3624
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
    3⤵
    PID:2640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
    3⤵
    PID:3020
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
    3⤵
    PID:5096
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
    3⤵
    PID:5208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
    3⤵
    PID:3804
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
    3⤵
    PID:6048
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
    3⤵
    PID:1824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
    3⤵
    PID:392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
    3⤵
    PID:5928
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
    3⤵
    PID:4872
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
    3⤵
    PID:4060
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
    3⤵
    PID:5792
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
    3⤵
    PID:704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:5520
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
    3⤵
    PID:4680
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
    3⤵
    PID:3400
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
    3⤵
    PID:1488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
    3⤵
    PID:244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
    3⤵
    PID:5268
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
    3⤵
    PID:6036
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
    3⤵
    PID:5976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
    3⤵
    PID:5532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:5092
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:5460
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:4060
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
    3⤵
    PID:6036
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
    3⤵
    PID:112
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
    3⤵
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
    3⤵
    PID:5340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
    3⤵
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Debug
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
    3⤵
    PID:5132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/ApplicationTracing
    3⤵
    PID:2032
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Diagnostic
    3⤵
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Internal
    3⤵
    PID:344
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
    3⤵
    PID:3592
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:5208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Analytic
    3⤵
    PID:840
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Debug
    3⤵
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Diagnostics
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Debug
    3⤵
    PID:5460
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Diagnostic
    3⤵
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Debug
    3⤵
    PID:2932
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppSruProv
    3⤵
    PID:184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Diagnostic
    3⤵
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Debug
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Diagnostic
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Operational
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Restricted
    3⤵
    PID:3080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Analytic
    3⤵
    PID:392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ApplicabilityEngine/Operational
    3⤵
    PID:184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:5892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Inventory
    3⤵
    PID:112
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Program-Telemetry
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Application-Experience/Steps-Recorder
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Debug
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Operational
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppxPackaging/Performance
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Admin
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccess/Operational
    3⤵
    PID:5824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Admin
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AssignedAccessBroker/Operational
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AsynchronousCausality/Causality
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/CaptureMonitor
    3⤵
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/GlitchDetection
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Informational
    3⤵
    PID:5696
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Operational
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/Performance
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audio/PlaybackManager
    3⤵
    PID:4016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Audit/Analytic
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:6068
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController
    3⤵
    PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
PID:5444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1652
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sytx0lbv\sytx0lbv.cmdline"
    3⤵
    PID:5804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC3AE.tmp" "c:\Users\Admin\AppData\Local\Temp\sytx0lbv\CSCA9DB3EEE363544A6B97A509D1E4598ED.TMP"
      4⤵
      PID:3056
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" el
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Analytic
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Application
    3⤵
    PID:5292
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
    3⤵
    PID:5860
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
    3⤵
    PID:1824
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
    3⤵
    PID:3528
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
    3⤵
    PID:3320
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
    3⤵
    PID:5460
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "General Logging"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
    3⤵
    PID:5136
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
    3⤵
    PID:6132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
    3⤵
    PID:4840
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
    3⤵
    PID:6052
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
    3⤵
    PID:3580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
    3⤵
    PID:5364
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
    3⤵
    PID:3176
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
    3⤵
    PID:5072
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
    3⤵
    PID:3420
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
    3⤵
    PID:3640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
    3⤵
    PID:5988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
    3⤵
    PID:5892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
    3⤵
    PID:2640
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
    3⤵
    PID:3020
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
    3⤵
    PID:4028
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
    3⤵
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
    3⤵
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
    3⤵
    PID:5172
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
    3⤵
    PID:4180
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
    3⤵
    PID:5132
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
    3⤵
    PID:716
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:1532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
    3⤵
    PID:2704
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
    3⤵
    PID:3620
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
    3⤵
    PID:1988
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
    3⤵
    PID:3764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
    3⤵
    PID:5016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:5328
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:4584
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:5460
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:3844
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:4664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:5532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:5768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
    3⤵
    PID:4416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
    3⤵
    PID:392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
    3⤵
    PID:2768
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
    3⤵
    PID:5832
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
    3⤵
    PID:4728
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
    3⤵
    PID:5340
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-All-User-Install-Agent/Admin
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Debug
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AllJoyn/Operational
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Admin
    3⤵
    PID:1636
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/ApplicationTracing
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Diagnostic
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppHost/Internal
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppID/Operational
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:4588
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:4664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:2892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Admin
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Analytic
    3⤵
    PID:4016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Debug
    3⤵
    PID:1212
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-Runtime/Diagnostics
    3⤵
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Debug
    3⤵
    PID:244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppModel-State/Diagnostic
    3⤵
    PID:5532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Admin
    3⤵
    PID:208
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Debug
    3⤵
    PID:5656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppReadiness/Operational
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppSruProv
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Diagnostic
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeployment/Operational
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AppXDeploymentServer/Debug
    3⤵
    PID:2856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1316
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfinypjf\mfinypjf.cmdline"
    3⤵
    PID:392
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE0E.tmp" "c:\Users\Admin\AppData\Local\Temp\mfinypjf\CSC3A35FC08B80C41EF92C279758F53CA4.TMP"
      4⤵
      PID:5852
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" el
    3⤵
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AMSI/Debug
    3⤵
    PID:5096
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl AirSpaceChannel
    3⤵
    PID:184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Analytic
    3⤵
    PID:64
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Application
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowFilterGraph
    3⤵
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl DirectShowPluginControl
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Els_Hyphenation/Analytic
    3⤵
    PID:5780
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl EndpointMapper
    3⤵
    PID:1416
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl FirstUXPerf-Analytic
    3⤵
    PID:5976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl ForwardedEvents
    3⤵
    PID:664
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "General Logging"
    3⤵
    PID:1960
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl HardwareEvents
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl IHM_DebugChannel
    3⤵
    PID:5428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-GPIO/Analytic
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS-I2C/Analytic
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Debug
    3⤵
    PID:244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-GPIO2/Performance
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Debug
    3⤵
    PID:1468
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Intel-iaLPSS2-I2C/Performance
    3⤵
    PID:940
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Internet Explorer"
    3⤵
    PID:1428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Key Management Service"
    3⤵
    PID:184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceMFT
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationDeviceProxy
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MF_MediaFoundationFrameServer
    3⤵
    PID:344
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProc
    3⤵
    PID:3080
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MedaFoundationVideoProcD3D
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationAsyncWrapper
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationContentProtection
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDS
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationDeviceProxy
    3⤵
    PID:3380
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMP4
    3⤵
    PID:5328
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationMediaEngine
    3⤵
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformance
    3⤵
    PID:3528
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPerformanceCore
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPipeline
    3⤵
    PID:3804
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationPlatform
    3⤵
    PID:4016
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl MediaFoundationSrcPrefetch
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client-Streamingux/Debug
    3⤵
    PID:5440
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Admin
    3⤵
    PID:5168
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Debug
    3⤵
    PID:4688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-Client/Operational
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:244
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-AppV-SharedPerformance/Analytic
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Admin
    3⤵
    PID:3020
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Debug
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Client-Licensing-Platform/Diagnostic
    3⤵
    PID:5656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IE/Diagnostic
    3⤵
    PID:2916
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-IEFRAME/Diagnostic
    3⤵
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-JSDumpHeap/Diagnostic
    3⤵
    PID:184
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-OneCore-Setup/Analytic
    3⤵
    PID:5656
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-IEFRAME/Diagnostic
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-PerfTrack-MSHTML/Diagnostic
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:436
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:4680
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:5668
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:5520
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Analytic
    3⤵
    PID:3580
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-AAD/Operational
    3⤵
    PID:764
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ADSI/Debug
    3⤵
    PID:112
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ASN1/Operational
    3⤵
    PID:3688
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/General
    3⤵
    PID:892
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ATAPort/SATA-LPM
    3⤵
    PID:5684
- - C:\Windows\system32\wevtutil.exe
    "C:\Windows\system32\wevtutil.exe" cl Microsoft-Windows-ActionQueue/Analytic
    3⤵
    PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
PID:3168
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  PID:5040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5320
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvrm1fo4\yvrm1fo4.cmdline"
    3⤵
    PID:4760
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD745.tmp" "c:\Users\Admin\AppData\Local\Temp\yvrm1fo4\CSC6A65E3133EC4A639DE01BE7FAE554E4.TMP"
      4⤵
      PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
PID:4028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:664
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4uzerpbv\4uzerpbv.cmdline"
    3⤵
    PID:2560
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1F4.tmp" "c:\Users\Admin\AppData\Local\Temp\4uzerpbv\CSC7564C52860EA4FBDB8C6A19320D2712C.TMP"
      4⤵
      PID:5824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
1⤵
- Hide Artifacts: Hidden Window
PID:5440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\Verdacrypt-Z.ps1" -HiddenRun
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2188
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yttbijwe\yttbijwe.cmdline"
    3⤵
    PID:3616
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBB8.tmp" "c:\Users\Admin\AppData\Local\Temp\yttbijwe\CSC56C6FFBD157B461C9E2DF7F813E23A69.TMP"
      4⤵
      PID:1612

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Window

T1564.003

Impair Defenses

T1562

Disable or Modify Tools

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry