xworm | aa1beca1ce33a11a5c56a8a79d03e38b51339d0fe977495ad72eb8b068b379bc

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	5Bzkgs9t.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4540	powershell.exe
4088	powershell.exe
4244	powershell.exe
4164	powershell.exe
5808	powershell.exe
4764	powershell.exe
6028	powershell.exe
5876	powershell.exe
4936	powershell.exe
4632	powershell.exe
5072	powershell.exe
4904	powershell.exe
2420	powershell.exe
5540	powershell.exe
6064	powershell.exe
5360	powershell.exe
5752	powershell.exe
5424	powershell.exe
5560	powershell.exe
5308	powershell.exe
5840	powershell.exe
4004	powershell.exe
5292	powershell.exe
4424	powershell.exe
5508	powershell.exe
1896	powershell.exe
6004	powershell.exe
2144	powershell.exe
5112	powershell.exe
1816	powershell.exe
3844	powershell.exe
4732	powershell.exe
1872	powershell.exe
5760	powershell.exe
448	powershell.exe
720	powershell.exe
2916	powershell.exe
3872	powershell.exe
556	powershell.exe
1336	powershell.exe
3448	powershell.exe
5592	powershell.exe
4864	powershell.exe
5688	powershell.exe
456	powershell.exe
1584	powershell.exe
5700	powershell.exe
1216	powershell.exe
2248	powershell.exe
4772	powershell.exe
2820	powershell.exe
5476	powershell.exe
5252	powershell.exe
2996	powershell.exe
4724	powershell.exe
4760	powershell.exe
3468	powershell.exe
4464	powershell.exe
948	powershell.exe
5188	powershell.exe
5176	powershell.exe
1012	powershell.exe
5004	powershell.exe
4372	powershell.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL"	w32tm.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5Bzkgs9t.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5Bzkgs9t.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	fwanufwa.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	XClient.exe

Executes dropped EXE 4 IoCs

pid	Process
4552	5Bzkgs9t.exe
3708	XClient.exe
4380	XClient.exe
4088	XClient.exe

Themida packer 20 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000e000000023b89-6.dat	themida
behavioral2/memory/4552-23-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-24-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-25-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-26-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-27-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-155-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-223-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-305-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-561-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-628-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-696-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-763-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-855-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-918-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-999-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-1070-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-1131-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-1201-0x0000000140000000-0x00000001428C5000-memory.dmp	themida
behavioral2/memory/4552-1283-0x0000000140000000-0x00000001428C5000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	XClient.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5Bzkgs9t.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\D:	MBR2GPT.EXE
File opened (read-only)	\??\F:	MBR2GPT.EXE
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe
File opened (read-only)	\??\D:	fsutil.exe
File opened (read-only)	\??\F:	fsutil.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	vds.exe
File opened for modification	\??\PhysicalDrive0	MBR2GPT.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	ReAgentc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4552	5Bzkgs9t.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-7CFEDEA3.pf	powershell.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	vds.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-6F2A95AF.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-FCAF5656.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\WFSERVICESREG.EXE-3EE82250.pf	powershell.exe
File opened for modification	C:\Windows\diagerr.xml	MBR2GPT.EXE
File opened for modification	C:\Windows\Prefetch\ResPriHMStaticDb.ebd	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-23EA2E5B.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\FSQUIRT.EXE-BBD9646E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-16AF9B6E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TIWORKER.EXE-C101ABCD.pf	powershell.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	ReAgentc.exe
File opened for modification	C:\Windows\Prefetch\JA7KRI.EXE-6FB30C08.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-0521102C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E66A223C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-32DA767E.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-AED2006F.pf	powershell.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	ReAgentc.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-99F89D15.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-06226CEB.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-D9106866.pf	powershell.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	ReAgentc.exe
File opened for modification	C:\Windows\setupact.log	MBR2GPT.EXE
File opened for modification	C:\Windows\Prefetch\APPLICATIONFRAMEHOST.EXE-CCEEF759.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTRANSFERHOST.EXE-CF5B50C1.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-56E309E9.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-4DE02988.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-BC366267.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot\rblayout.xin	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-C5BE1C43.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-DB926CB0.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\FILESYNCCONFIG.EXE-CB60E6FA.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\SVCHOST.EXE-F027B880.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ONEDRIVESETUP.EXE-8CE5A462.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-641DCE1C.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-B2C296EF.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-3ED30A86.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-A5891C91.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\BACKGROUNDTASKHOST.EXE-ACEF2FA2.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-504C779A.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98C67737.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf	powershell.exe
File opened for modification	C:\Windows\setuperr.log	MBR2GPT.EXE
File opened for modification	C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl	powershell.exe
File opened for modification	C:\Windows\Prefetch\ReadyBoot	powershell.exe
File opened for modification	C:\Windows\Prefetch\AgGlGlobalHistory.db	powershell.exe
File opened for modification	C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-EC979AE0.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\WLRMDR.EXE-C2B47318.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\ASPNET_REGIIS.EXE-945CDB73.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-156D43F1.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7C77C512.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\NGEN.EXE-AE594A6B.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNTIMEBROKER.EXE-B1A87C0F.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\TASKHOSTW.EXE-3E0B74C8.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7E8D1C35.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-7F337F0A.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\RUNDLL32.EXE-E8196656.pf	powershell.exe
File opened for modification	C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf	powershell.exe

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1372	sc.exe
948	sc.exe
1776	sc.exe
4724	sc.exe
2384	sc.exe
5616	sc.exe
4448	sc.exe
4460	sc.exe
3396	sc.exe
4300	sc.exe
3224	sc.exe
4736	sc.exe
2088	sc.exe
3836	sc.exe
5496	sc.exe
3944	sc.exe
1808	sc.exe
6028	sc.exe
5508	sc.exe
3792	sc.exe
5876	sc.exe
5320	sc.exe
5276	sc.exe
5504	sc.exe
1776	sc.exe
2260	sc.exe
2672	sc.exe
4452	sc.exe
5608	sc.exe
2248	sc.exe
5160	sc.exe
5328	sc.exe
5336	sc.exe
2184	sc.exe
6060	sc.exe
4652	sc.exe
3004	sc.exe
5460	sc.exe
6092	sc.exe
3220	sc.exe
5340	sc.exe
5512	sc.exe
5020	sc.exe
5152	sc.exe
1896	sc.exe
6100	sc.exe
1816	sc.exe
3468	sc.exe
4936	sc.exe
1908	sc.exe
4968	sc.exe
5844	sc.exe
5416	sc.exe
4464	sc.exe
1940	sc.exe
6092	sc.exe
3224	sc.exe
5868	sc.exe
5460	sc.exe
1880	sc.exe
4960	sc.exe
5444	sc.exe
4928	sc.exe
4428	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 25 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e45bd8429919154b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e45bd8420000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000e0e63a000000ffffffff000000000700010000680900e45bd842000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de45bd842000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e45bd84200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e45bd8421cfceb560000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e45bd8420000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000e0e63a000000ffffffff000000000700010000680900e45bd842000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0f93a0000000000400600000000ffffffff000000002700010000d87c1de45bd842000000000000b0f93a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de45bd842000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e45bd8429619152b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e45bd8420000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e45bd842000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de45bd842000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e45bd84200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e45bd8421cfc06570000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e45bd8420000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000e0e63a000000ffffffff000000000700010000680900e45bd842000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b0f93a0000000000400600000000ffffffff000000000c00010000d87c1de45bd842000000000000b0f93a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de45bd842000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	vds.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

pid	Process
2904	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE	5Bzkgs9t.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4244	powershell.exe
4244	powershell.exe
1100	powershell.exe
1100	powershell.exe
2804	powershell.exe
2804	powershell.exe
2116	powershell.exe
2116	powershell.exe
436	powershell.exe
436	powershell.exe
456	powershell.exe
456	powershell.exe
4640	powershell.exe
4640	powershell.exe
2116	powershell.exe
436	powershell.exe
456	powershell.exe
4640	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
3448	powershell.exe
3448	powershell.exe
3448	powershell.exe
984	powershell.exe
984	powershell.exe
984	powershell.exe
1680	powershell.exe
1680	powershell.exe
1680	powershell.exe
3708	XClient.exe
3708	XClient.exe
3244	powershell.exe
3244	powershell.exe
3244	powershell.exe
4904	powershell.exe
4904	powershell.exe
4904	powershell.exe
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
4760	powershell.exe
4760	powershell.exe
4760	powershell.exe
1872	powershell.exe
1872	powershell.exe
1872	powershell.exe
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe
4772	powershell.exe
4772	powershell.exe
4772	powershell.exe
4632	powershell.exe
4632	powershell.exe
4632	powershell.exe
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
948	powershell.exe
948	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4720	vds.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	XClient.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeSystemtimePrivilege	392	svchost.exe
Token: SeSystemtimePrivilege	392	svchost.exe
Token: SeIncBasePriorityPrivilege	392	svchost.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	4640	powershell.exe
Token: SeSystemEnvironmentPrivilege	436	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeSystemtimePrivilege	392	svchost.exe
Token: SeDebugPrivilege	3708	XClient.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	4904	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeSystemtimePrivilege	324	svchost.exe
Token: SeSystemtimePrivilege	324	svchost.exe
Token: SeIncBasePriorityPrivilege	324	svchost.exe
Token: SeSystemtimePrivilege	324	svchost.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	4772	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeTakeOwnershipPrivilege	2312	ReAgentc.exe
Token: SeBackupPrivilege	4976	MBR2GPT.EXE
Token: SeRestorePrivilege	4976	MBR2GPT.EXE
Token: SeSecurityPrivilege	4976	MBR2GPT.EXE
Token: SeRestorePrivilege	4976	MBR2GPT.EXE
Token: SeRestorePrivilege	4976	MBR2GPT.EXE
Token: SeDebugPrivilege	4688	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	4424	powershell.exe
Token: SeRestorePrivilege	4720	vds.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	4380	XClient.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	6028	powershell.exe
Token: SeDebugPrivilege	5188	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeDebugPrivilege	5292	powershell.exe
Token: SeDebugPrivilege	5360	powershell.exe
Token: SeDebugPrivilege	5476	powershell.exe
Token: SeDebugPrivilege	3468	powershell.exe
Token: SeDebugPrivilege	5548	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	5424	powershell.exe
Token: SeDebugPrivilege	5560	powershell.exe
Token: SeDebugPrivilege	5844	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4552	5Bzkgs9t.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4552	5Bzkgs9t.exe
3708	XClient.exe
4552	5Bzkgs9t.exe
4552	5Bzkgs9t.exe
4552	5Bzkgs9t.exe
4552	5Bzkgs9t.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4552	1072	fwanufwa.exe	83
PID 1072 wrote to memory of 4552	1072	fwanufwa.exe	83
PID 1072 wrote to memory of 3708	1072	fwanufwa.exe	84
PID 1072 wrote to memory of 3708	1072	fwanufwa.exe	84
PID 4552 wrote to memory of 4244	4552	5Bzkgs9t.exe	89
PID 4552 wrote to memory of 4244	4552	5Bzkgs9t.exe	89
PID 3708 wrote to memory of 1100	3708	XClient.exe	93
PID 3708 wrote to memory of 1100	3708	XClient.exe	93
PID 4552 wrote to memory of 1512	4552	5Bzkgs9t.exe	96
PID 4552 wrote to memory of 1512	4552	5Bzkgs9t.exe	96
PID 1512 wrote to memory of 1932	1512	net.exe	98
PID 1512 wrote to memory of 1932	1512	net.exe	98
PID 3708 wrote to memory of 2804	3708	XClient.exe	99
PID 3708 wrote to memory of 2804	3708	XClient.exe	99
PID 4552 wrote to memory of 3516	4552	5Bzkgs9t.exe	101
PID 4552 wrote to memory of 3516	4552	5Bzkgs9t.exe	101
PID 4552 wrote to memory of 4016	4552	5Bzkgs9t.exe	174
PID 4552 wrote to memory of 4016	4552	5Bzkgs9t.exe	174
PID 4552 wrote to memory of 3696	4552	5Bzkgs9t.exe	105
PID 4552 wrote to memory of 3696	4552	5Bzkgs9t.exe	105
PID 3696 wrote to memory of 4684	3696	net.exe	107
PID 3696 wrote to memory of 4684	3696	net.exe	107
PID 4552 wrote to memory of 2116	4552	5Bzkgs9t.exe	110
PID 4552 wrote to memory of 2116	4552	5Bzkgs9t.exe	110
PID 4552 wrote to memory of 456	4552	5Bzkgs9t.exe	111
PID 4552 wrote to memory of 456	4552	5Bzkgs9t.exe	111
PID 4552 wrote to memory of 436	4552	5Bzkgs9t.exe	112
PID 4552 wrote to memory of 436	4552	5Bzkgs9t.exe	112
PID 3708 wrote to memory of 4640	3708	XClient.exe	116
PID 3708 wrote to memory of 4640	3708	XClient.exe	116
PID 4552 wrote to memory of 3812	4552	5Bzkgs9t.exe	118
PID 4552 wrote to memory of 3812	4552	5Bzkgs9t.exe	118
PID 3708 wrote to memory of 396	3708	XClient.exe	120
PID 3708 wrote to memory of 396	3708	XClient.exe	120
PID 4552 wrote to memory of 1372	4552	5Bzkgs9t.exe	122
PID 4552 wrote to memory of 1372	4552	5Bzkgs9t.exe	122
PID 4552 wrote to memory of 1584	4552	5Bzkgs9t.exe	124
PID 4552 wrote to memory of 1584	4552	5Bzkgs9t.exe	124
PID 4552 wrote to memory of 4724	4552	5Bzkgs9t.exe	165
PID 4552 wrote to memory of 4724	4552	5Bzkgs9t.exe	165
PID 4552 wrote to memory of 3448	4552	5Bzkgs9t.exe	128
PID 4552 wrote to memory of 3448	4552	5Bzkgs9t.exe	128
PID 4552 wrote to memory of 984	4552	5Bzkgs9t.exe	157
PID 4552 wrote to memory of 984	4552	5Bzkgs9t.exe	157
PID 4552 wrote to memory of 1680	4552	5Bzkgs9t.exe	132
PID 4552 wrote to memory of 1680	4552	5Bzkgs9t.exe	132
PID 4552 wrote to memory of 3624	4552	5Bzkgs9t.exe	135
PID 4552 wrote to memory of 3624	4552	5Bzkgs9t.exe	135
PID 4552 wrote to memory of 4668	4552	5Bzkgs9t.exe	187
PID 4552 wrote to memory of 4668	4552	5Bzkgs9t.exe	187
PID 4552 wrote to memory of 2036	4552	5Bzkgs9t.exe	139
PID 4552 wrote to memory of 2036	4552	5Bzkgs9t.exe	139
PID 4552 wrote to memory of 820	4552	5Bzkgs9t.exe	141
PID 4552 wrote to memory of 820	4552	5Bzkgs9t.exe	141
PID 4552 wrote to memory of 5020	4552	5Bzkgs9t.exe	143
PID 4552 wrote to memory of 5020	4552	5Bzkgs9t.exe	143
PID 4552 wrote to memory of 4460	4552	5Bzkgs9t.exe	145
PID 4552 wrote to memory of 4460	4552	5Bzkgs9t.exe	145
PID 3708 wrote to memory of 2904	3708	XClient.exe	147
PID 3708 wrote to memory of 2904	3708	XClient.exe	147
PID 4552 wrote to memory of 1816	4552	5Bzkgs9t.exe	148
PID 4552 wrote to memory of 1816	4552	5Bzkgs9t.exe	148
PID 820 wrote to memory of 4672	820	net.exe	149
PID 820 wrote to memory of 4672	820	net.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fwanufwa.exe
"C:\Users\Admin\AppData\Local\Temp\fwanufwa.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1072
- C:\ProgramData\5Bzkgs9t.exe
  "C:\ProgramData\5Bzkgs9t.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command Remove-Item 'C:\ProgramData\5Bzkgs9t.exe.bak' -force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4244
- - C:\Windows\SYSTEM32\net.exe
    net stop w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop w32time
      4⤵
      PID:1932
- - C:\Windows\SYSTEM32\w32tm.exe
    w32tm /unregister
    3⤵
    PID:3516
- - C:\Windows\SYSTEM32\w32tm.exe
    w32tm /register
    3⤵
    - Sets DLL path for service in the registry
    PID:4016
- - C:\Windows\SYSTEM32\net.exe
    net start w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 start w32time
      4⤵
      PID:4684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell (GWMI Win32_Processor).VirtualizationFirmwareEnabled
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "$env:firmware_type"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -command "confirm-securebootuefi"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:3812
- - C:\Windows\SYSTEM32\w32tm.exe
    w32tm /resync /force
    3⤵
    PID:1372
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:1584
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    - Launches sc.exe
    PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:3624
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4668
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:2036
- - C:\Windows\SYSTEM32\net.exe
    net stop w32time
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop w32time
      4⤵
      PID:4672
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:5020
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:4460
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:1816
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:2056
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:872
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:3580
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:1820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3244
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:768
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:4632
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4016
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:2752
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:3468
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:1296
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    - Launches sc.exe
    PID:4928
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:3840
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:4668
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:1808
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:1820
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4308
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:816
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:4484
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:1940
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:1476
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:3540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:392
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:1372
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:4092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:4012
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:3252
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:4548
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:3464
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1940
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:4428
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:2424
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    - Launches sc.exe
    PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c reagentc /enable
    3⤵
    PID:3676
  - - C:\Windows\system32\ReAgentc.exe
      reagentc /enable
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:2312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c mbr2gpt /convert /allowFullOS
    3⤵
    PID:920
  - - C:\Windows\system32\MBR2GPT.EXE
      mbr2gpt /convert /allowFullOS
      4⤵
      Enumerates connected drives
      Writes to the Master Boot Record (MBR)
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      PID:4976
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:2752
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:2672
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4424
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:2056
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4332
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4516
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:3836
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:968
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:984
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:3928
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:4768
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:3940
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4300
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:656
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:4452
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:684
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:4260
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:3468
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:4936
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:4404
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:2088
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:1908
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:324
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:4764
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:4392
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:3792
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:948
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:3224
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    - Launches sc.exe
    PID:3396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.diskpart.com/features/convert-mbr-gpt.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4036
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9365146f8,0x7ff936514708,0x7ff936514718
      4⤵
      PID:4100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,13535255263110697643,4976725457456784480,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      4⤵
      PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,13535255263110697643,4976725457456784480,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
      4⤵
      PID:4628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,13535255263110697643,4976725457456784480,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
      4⤵
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13535255263110697643,4976725457456784480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
      4⤵
      PID:1388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13535255263110697643,4976725457456784480,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:4772
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5364
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5412
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    - Launches sc.exe
    PID:5460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:6028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5188
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:5356
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5364
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:5452
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:5496
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:5588
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:5640
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:5692
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5736
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5796
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    - Launches sc.exe
    PID:5876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4764
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:5784
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:5540
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    PID:6068
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:4572
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:2420
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:2424
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:1196
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5172
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:6100
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:6072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5476
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:5688
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:4732
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5736
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:5868
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:1564
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:5944
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    - Launches sc.exe
    PID:4300
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5996
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:4452
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    - Launches sc.exe
    PID:3224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:4772
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:6132
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:6112
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:656
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:5320
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:5200
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:5252
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5376
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:5460
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5844
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:5884
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:3912
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    PID:4904
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:3240
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:5608
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:1776
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:4216
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5532
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5852
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:1196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5308
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:4556
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5468
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:5356
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:5656
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:5628
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:5764
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:5772
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:720
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:3944
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5004
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:6128
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:2820
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:388
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:5132
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:4952
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:6092
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:1608
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5224
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5308
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:5600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:5640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:4676
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:3448
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5796
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:4300
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:3440
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:3220
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:2860
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    - Launches sc.exe
    PID:1808
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:1872
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:5152
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:3244
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:5324
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5316
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:6096
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:6028
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:5328
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:3836
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    - Launches sc.exe
    PID:5336
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:2492
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:5416
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:5708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5840
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:4644
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5888
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:3608
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:2384
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:4968
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:5508
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:5808
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:948
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5520
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    - Launches sc.exe
    PID:1880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:1584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2916
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:6060
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:6116
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:984
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:5472
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:5368
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:5276
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:4692
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5200
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5496
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5252
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3872
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:3440
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5296
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:720
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:4904
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:4960
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:5508
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:2764
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:2248
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:5340
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:1296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:2960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:4768
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:6104
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:6076
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4952
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:5320
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:984
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:1608
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:3836
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:3792
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:5444
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:5556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1896
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:3576
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:5108
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4504
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:4640
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:5552
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:5152
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:1244
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:2204
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5812
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:3620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:3512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:2424
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:5284
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:1480
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5320
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:2176
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:1608
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:5436
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:5384
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5732
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:4448
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:5864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4936
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:3240
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:4484
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:208
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:2488
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:816
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:4408
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:3084
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:6012
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:4464
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:3620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:4540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5176
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:6072
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:1280
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4304
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:948
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:5504
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:1032
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:5452
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5492
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5744
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:5224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:1908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:5252
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:5952
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4960
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:6004
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:5160
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:5544
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:1776
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:1144
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:4984
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:2412
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:3084
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4864
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:5604
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:4496
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4768
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:6072
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:6092
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:2248
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:5156
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5348
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5260
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:1412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:5724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3844
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:5904
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5972
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:5996
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:3608
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:2384
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:5924
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:4640
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5160
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:5508
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:4328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1216
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:5204
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:848
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5304
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:4740
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:2184
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:5512
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:5280
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:5176
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:6064
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2996
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:696
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5656
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5476
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:5676
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:5616
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:4684
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    - Launches sc.exe
    PID:5844
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:3888
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:3468
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    - Launches sc.exe
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:3572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4464
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    PID:316
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4972
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:2752
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:2424
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    - Launches sc.exe
    PID:6060
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:2924
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:2840
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:392
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:1480
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    - Launches sc.exe
    PID:4736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4732
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:5752
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:5688
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Deletes NTFS Change Journal
    - Enumerates connected drives
    PID:4064
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    PID:4260
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:5312
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    PID:1908
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:5564
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:3580
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    - Launches sc.exe
    PID:1896
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:968
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:5064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4004
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:2928
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Enumerates connected drives
    PID:4368
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d F:
    3⤵
    - Enumerates connected drives
    PID:1296
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SysMain"
    3⤵
    - Launches sc.exe
    PID:2088
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SysMain" start=disabled
    3⤵
    PID:2024
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "SuperFetch"
    3⤵
    - Launches sc.exe
    PID:4652
- - C:\Windows\SYSTEM32\sc.exe
    sc config "SuperFetch" start=disabled
    3⤵
    PID:6040
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil behavior set disablelastaccess 1
    3⤵
    PID:2036
- - C:\Windows\SYSTEM32\sc.exe
    sc stop "PcaSvc"
    3⤵
    PID:6008
- - C:\Windows\SYSTEM32\sc.exe
    sc config "PcaSvc" start=disabled
    3⤵
    PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"
    3⤵
    PID:5660
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d C:
    3⤵
    - Deletes NTFS Change Journal
    PID:4316
- - C:\Windows\SYSTEM32\fsutil.exe
    fsutil usn deletejournal /d D:
    3⤵
    - Deletes NTFS Change Journal
    PID:5704
- C:\ProgramData\XClient.exe
  "C:\ProgramData\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "XClient" /tr "C:\Users\Admin\AppData\Roaming\XClient.exe"
    3⤵
    - Creates scheduled task(s)
    PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s w32time
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:388

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:4720

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

C:\Users\Admin\AppData\Roaming\XClient.exe
C:\Users\Admin\AppData\Roaming\XClient.exe
1⤵
- Executes dropped EXE
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery