Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
10/10/2024, 23:25
General
-
Target
MfYecZ9i.exe
-
Size
27.9MB
-
MD5
34e055a67b10a1a14994b6b3457698e2
-
SHA1
6b299dca56f55a0656b23fd035f4353dc049343a
-
SHA256
01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
-
SHA512
8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
-
SSDEEP
786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3
Score
10/10
Malware Config
Signatures
-
Deletes NTFS Change Journal 2 TTPs 60 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Renames multiple (509) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification 2 IoCs
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 5 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 14 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 64 IoCs
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 3 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Boot or Logon Autostart Execution: Time Providers 1 TTPs 32 IoCs
The Windows Time service (W32Time) enables time synchronization across and within domains.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Hide Artifacts: Ignore Process Interrupts 1 TTPs 60 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
-
Launches sc.exe 64 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Time Discovery 1 TTPs 6 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
-
Checks SCSI registry key(s) 3 TTPs 25 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Interacts with shadow copies 3 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 1 IoCs
-
NTFS ADS 4 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 40 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 11 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe"C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe.bak' -force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\net.exenet stop w32time2⤵
- System Time Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop w32time3⤵
- System Time Discovery
-
-
-
C:\Windows\SYSTEM32\w32tm.exew32tm /unregister2⤵
-
-
C:\Windows\SYSTEM32\w32tm.exew32tm /register2⤵
- Server Software Component: Terminal Services DLL
- Boot or Logon Autostart Execution: Time Providers
-
-
C:\Windows\SYSTEM32\net.exenet start w32time2⤵
- System Time Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start w32time3⤵
- System Time Discovery
-
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\w32tm.exew32tm /resync /force2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Drops file in Windows directory
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exewmic cpu get VirtualizationFirmwareEnabled2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "$env:firmware_type"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "confirm-securebootuefi"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\net.exenet stop w32time2⤵
- System Time Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop w32time3⤵
- System Time Discovery
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reagentc /enable2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ReAgentc.exereagentc /enable3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbr2gpt /convert /allowFullOS2⤵
-
C:\Windows\system32\MBR2GPT.EXEmbr2gpt /convert /allowFullOS3⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.diskpart.com/features/convert-mbr-gpt.html2⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde1ef46f8,0x7ffde1ef4708,0x7ffde1ef47183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4956 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6332 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5352 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6540 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:13⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3576 /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 /prefetch:83⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,3302358283804301456,934993412026620440,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3520 /prefetch:23⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /C timeout /t 1 /nobreak > nul & del "C:\Users\Admin\AppData\Local\Temp\MfYecZ9i.exe"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 1 /nobreak3⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s w32time1⤵
- Boot or Logon Autostart Execution: Time Providers
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: LoadsDriver
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\CoronaVirus (1).exe"C:\Users\Admin\Downloads\CoronaVirus (1).exe"1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"2⤵
-
C:\Windows\system32\mode.commode con cp select=12513⤵
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"2⤵
-
-
C:\Users\Admin\Downloads\CoronaVirus (1).exe"C:\Users\Admin\Downloads\CoronaVirus (1).exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Users\Admin\Downloads\RedEye.exe"C:\Users\Admin\Downloads\RedEye.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- NTFS ADS
- System policy modification
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
-
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Time Providers
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Time Providers
1Create or Modify System Process
3Windows Service
3Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Hide Artifacts
1Ignore Process Interrupts
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
3File Deletion
3Modify Registry
5Pre-OS Boot
1Bootkit
1Virtualization/Sandbox Evasion
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.7MB
MD58411831739eee12d965d48e6607a65d8
SHA18660006203dcf6555bb432284d68c00566b45c46
SHA2564df4db757da3c481c3c823a15969045d9857d2e97882ea7ebf80ef5147414e1b
SHA512968d23480f52249f48e4b0f34142c5172b1bb9598ba99646d7153f4aa69c3e5871f48982c39d0075c748ef5801fc6876ebbd0c0ba4ca7a98641e4b84b9c2f800
-
Filesize
2KB
MD510e624ec749193e3ec4e8e73e2d74ccd
SHA1a4200f61c224af1af1e58eec4c83623b2851729c
SHA256ee3ab03ec8e520c50ab249e06c76761e988a674ddc4fa4bf58cf7e66c8a099a1
SHA512cae9adc6aaf954d1f999f3c6540c0a3060e74b80b5644118c1e87c37dd47e5576cf315b58d76c0cdeb95dc9cdfb2511763f7fa6873662c47c3f8e76c8602c481
-
Filesize
152B
MD5d22073dea53e79d9b824f27ac5e9813e
SHA16d8a7281241248431a1571e6ddc55798b01fa961
SHA25686713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA51297152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413
-
Filesize
152B
MD5bffcefacce25cd03f3d5c9446ddb903d
SHA18923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA25623e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
Filesize
3KB
MD52a5ce7a6c21384bf768735e0afbd053b
SHA17854ecad2ad71a80e31efcde0992a0dd78efa1a0
SHA25619c268a84664155e97f584b5a365399dea3e2c8f3a93f7ce9b904955aa6aab5d
SHA512bf58eef4d2081e061647dcaa0b1db7e274bcf1f581b48fbef070b9b371240fcd3f98eca95b44e8b4754615d3b9de0baa5a4ae65b8d6a6a852246bb1d5196dabe
-
Filesize
3KB
MD5a34a317782e824d5d903867071a8e783
SHA16fca7875116655d46d7eee8d0ef1710323cbfba2
SHA256a8a1a484a9ba7a984b2dab6a37feb2a21ff755d159ab061f51cbb341935a7d5e
SHA51234d05ddab014ae8639857134d6043832913cbfe46aa2bf032c006a791c9248a61e8ca5cb9fb6063d08355d44f844e7582cfb67b3bbbe79be2c4028daf1760a4b
-
Filesize
6KB
MD5dcc336aa325f35c0ed6511403067c3e0
SHA1dcf9be25ff8fd7b506237eb5a9c30220382a3530
SHA2566710ce8661cda5e57907926ec8f72cf866f65e96c9d7560f727a0b659ffbfbf5
SHA512e2223a164d7c39adaa80ed9fa1e8b5c88a5b0fdb51ed72975aabf6895e60da6bc968796ae7641f811a54ce9f07c46bf1d2329890066d6f5d8a32f25e274fdbde
-
Filesize
8KB
MD5b88aab103945c2aa391be7a616377374
SHA1e9924ef6ff033fafc98b5ac0b09f0f1bae7b6d19
SHA25684ee20952503a350994331d9a7b9c03654b01eb817576a2416de514b04bd154f
SHA5123d7bd5857ec24e37457f931823baae4800b3d96c556895bc181922eb3925c5900fc1ac5dd726be2d9cccd3c0150689aaee688be215941529afc298a0b28a040c
-
Filesize
9KB
MD54bdd7899b7a1ce0d9b56d07a4d07e0a8
SHA174cdf04dfc0dc5396fe35978ea4527f897f73350
SHA256149328436d5ec4ca2d94fcd3c3fc80b1694a849bbf3c0b8032adf6205f938f7e
SHA51234a3de63cf4dae06e9f4b0e870d580f3b68222ed2687cda3b04d17ec12bab0c520515ebdd077651113c3060b03a317f7a7b6dfa5974bdc0008c3ab67c00ba032
-
Filesize
8KB
MD5497fec30d38b8ca03d129ae683eccbae
SHA19377ad494c58307c8878b94ff947d49b4aa9f8f4
SHA2560407c8be830a5bdaf94a1909d16184928af3ffd62c1cd53ebc6721616928349b
SHA5127ae70cf535ab491380be5e49e27098592e570fe72a915bded8fdb3fe6ff513cd8725c5605e12879fc7a228ace07e1e78056de636898a29d918d86691519fa5e8
-
Filesize
9KB
MD5861bb9e09bf9962b5f3d4f9e23bf052e
SHA1b4a814471cf022ac644a236ce86f95d26145c0ef
SHA2561df5c3cec510551a19d6772a4f9fce67c81667a8cc9300f6a9c18b8efe71ff27
SHA512be8f22cecd337301e92df2dc81f0ad8b9457939a8d4df06c4cf04fb6bab8748cac8cf3a1a1f57752170d665faa48d6a662b2aa05c33215693c9c554c598e04cc
-
Filesize
1KB
MD5e37a71a523f39a78c7bd9dbf5fb96c6c
SHA145d2e21afde824bbc3e8446cb78d51f3d96800db
SHA2566f06c7559a029aadccb921a6bb9a9d5327a79034c51e11bc7d26a11cdb427640
SHA51240387fa62c776fbacc73f42e34c38155ec5e1191f2a37288d5a05aab31aac94034c2f1a6cd49a05d93d8ff86dd70301e1652dd5afaaa7b3625cf8c81d7a59480
-
Filesize
1KB
MD54f60ddafaf177c698ff9346d72d53628
SHA175e1147f2f9a997683b5f91abe2828513ca0dd4d
SHA256a91fd0ab4cb56cfe9fb0e3354bba8bc6469eed909759be0859be97e76f2dbb5d
SHA512dd2fc6a2ff701bd53c69293d95e3c270e1d9c5802e81f40970dfde7c8949592bb561ccf14265618af93f08da8ed00f8b61cb7f0ae8a334abe85d00dfe7c7e6ed
-
Filesize
1KB
MD5a18125eedcddf7d4324fb7536e01d161
SHA138c41267e8165245d3250b2fab405bab66326a2f
SHA25666d15e982a36f6aaa17cda7b1cd2f4c920ded466255d763c01b35743244f947f
SHA512fa1bdc3957b96fe36b57fc2ab301a219834bca8bf0397cdd128e9807c2c2c9d452f1cd8008813a2e89680bb4ec0e7c066f1c0933d0f754a8c0115ff7026a6d46
-
Filesize
1KB
MD55c4c291f8e0dca347beddbf0624266ca
SHA15953a54e7a4a2b56780d209ab2cd81d0a53043d2
SHA25657ff41caabc25d1608354b111cd24e6a8904aa30bd32cfb3b9e351f02e3edd19
SHA512641e9b5dad6ae936b44dcec2e15c05f63dd59f58a5f78a968e085d52b5cd538f33f7057701bf5ac55d794c6ee36d73de367d03224e03227e0b28772ebf4b9906
-
Filesize
371B
MD5d2df49e0053694b7a8af775466d0e18f
SHA10925929613fcc575920b9648c26e36096013cd5b
SHA256a51895ab5ad1ad3dad8caa5851beb78cbd91125a1b3d7fcce72dc160ff4a078f
SHA512076bf14826379c5a71b1bb317733ce32e1832dff2e882e6812e0f995a7fb693230edc79dcbde2e7136dc81fc677422431330479dd3d231ea3f2bebb3848d07d9
-
Filesize
1KB
MD518ab2e8144572b1fbacf133bf994fbbb
SHA10405ca95d7bb6b72cac72241d3ab03a0bffc4e96
SHA256b2c7eb1fd0c46e1ccee23cb5fbe78cd49ae20ca2fc79849d853765c772e40e8e
SHA51230c126face6ac65af7c427c22d92188af743a1e3d2433a46a0207802ef59fe5da8578232b3f24ee3bc8920d46585db4b85676f8d95101494cff4a3947f851254
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD53cf7a830d66b98cb5537f94cd0b87cdd
SHA1d751129adf4632519d94ad17a9d74348a36d1e27
SHA256f215335fef27fe48f9b4a5340b16dd92d1bf961e01b3e98eefc431b60fe5f15a
SHA512c9d488564b9075458175c70fe9b5cd01a85cbf7613f082c1b593a9d3eaf563933a37ec6a1f9dfed0efb9109bb519062cba5412cdb381cb9352afa5721662af7b
-
Filesize
11KB
MD51bb8f6f4f43070f6a47a6801793f749e
SHA174473654b9e1e1e2701a090292f77e5e1c2da2aa
SHA256041b8bf6643b821b27bd0b7a8d33a0624725734d77b5a986247cf31f3ce62892
SHA51296bb353683037a7a8ae9a79efc92974834f35f597ea468f964ec453aec25607dfa009aa7ba2f09a4a759789dbe274164f4cd9ff6e317e5fbd319b652b9692ee1
-
Filesize
11KB
MD5eedfa2ea38b6e72bf2cb0b7bf99e2582
SHA1e3e5aac1fec9fd7e7ea546958bfefb9d0502023c
SHA256c1b7ea3620244995776192bd14efdd7477d41c19e4c7367e005b08fa2179a3eb
SHA5126d22ab65296bf5a35eaeb30f9b0c6d22c5db00e981ae2a6a796971f8b939af617295b072ff7a43a49f9a379718634e0f49757b9ef0b74452da00492754a05485
-
Filesize
1KB
MD595b7b0872a81ae4329440a0812af4eac
SHA1facbdb5356b3341d47239d8d494185d97563eefa
SHA2562b457a34a0c728eec513fd5eec42226e75c2d58ff73ff60f59f87399e9e370d5
SHA512474146d68015a51d6104c8e5217a2e8f017f60c71294a47716eb14c874243a996977e31d30a7d80b263e0ba731d2dd917e165552efb3b2b1f0aaa4f4f00806f9
-
Filesize
64B
MD5dab881e3eedccb2de1c0788303ac393e
SHA1bc89edbcc664643447326656d6d1e387a4355cf5
SHA25609718b651ff160a31e5895981b5cfa70e9c3e8c2b8cf802ddd4920ab85ec56f1
SHA5123b9980dc5fa5f4f006658a3ccfe196fc6bd0e5f80d6d97b908e82b842a996e23181f8d817202801362c10257cbd6de1ca214610d6ad13131f02ac19e079ca3b8
-
Filesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
Filesize
1020B
MD5f7008ed1313695169be572150801235c
SHA1c14a9659b8c619060ccd826002cb31ef6da24b69
SHA256e255e081f9ad6eb39ec2912a50720570563621bf6ecdcd6036ec94c6a4b30751
SHA512027df89bf352f08b56df82d8cb00e1699b4d1f3e5799047beb967d189a414a98257eab11b8b96f445ff0e67e9a87d21cc926a425bac6996a29abf043f5cc8aa0
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.6MB
MD5e9e5596b42f209cc058b55edc2737a80
SHA1f30232697b3f54e58af08421da697262c99ec48b
SHA2569ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305
SHA512e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7
-
Filesize
1KB
MD5bdefeb1aa8afa75e36bcc68613412e75
SHA168d92774e5695971aea5acc61a74c62dbb43efab
SHA256c5c3e183e13c2dc76eee80639bfdecc0ec64f0bae1b3b94561e037a52c989046
SHA5125b15c1e47305f19cc6659e026e67da1c9a649784c7f21a6f20f42442669d346fa7ad52d95e579fea83389b1214ab21c4be940ba93335be5b10063580bd1ab94c
-
Filesize
2.0MB
-
Filesize
136KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
8KB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
50.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
10.6MB
-
Filesize
16.1MB
-
Filesize
24KB