Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 20-10-2024 00:42

Behavioral task: behavioral1
Sample: 0BzMzlmT.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 0BzMzlmT.exe
Resource: win10v2004-20241007-en

General
Target: 0BzMzlmT.exe
Size: 27.9MB
MD5: 34e055a67b10a1a14994b6b3457698e2
SHA1: 6b299dca56f55a0656b23fd035f4353dc049343a
SHA256: 01b6ee7d4a8b358ef51e4f2d19f75ff4de4d4acab7c56f2a3063e4b35847dd09
SHA512: 8437dde18940cf8197d25f729bbaaf0803b81ffa1ed13128c91e6e3a65f01fc8253a19badc6e71c187928832dbabb03cf45ddc392e19e4c5dc6f741ada13d218
SSDEEP: 786432:PPhOXo+/5eJC7HRCyM1yMRUEvTHBfBRcda3:3AY+/4JOlQ7PRco3

Malware Config

Signatures
-
Deletes NTFS Change Journal 2 TTPs 64 IoCs
The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
pid Process 2628 fsutil.exe 5496 fsutil.exe 5688 fsutil.exe 5700 fsutil.exe 2304 fsutil.exe 5768 fsutil.exe 5580 fsutil.exe 4712 fsutil.exe 6060 fsutil.exe 536 fsutil.exe 5212 fsutil.exe 1912 fsutil.exe 5496 fsutil.exe 4692 fsutil.exe 5352 fsutil.exe 5352 fsutil.exe 712 fsutil.exe 4240 fsutil.exe 4220 fsutil.exe 3172 fsutil.exe 640 fsutil.exe 5412 fsutil.exe 5780 fsutil.exe 5864 fsutil.exe 1676 fsutil.exe 5264 fsutil.exe 5764 fsutil.exe 5996 fsutil.exe 5188 fsutil.exe 5348 fsutil.exe 3532 fsutil.exe 4296 fsutil.exe 5160 fsutil.exe 6024 fsutil.exe 6008 fsutil.exe 5660 fsutil.exe 5976 fsutil.exe 1356 fsutil.exe 5144 fsutil.exe 4216 fsutil.exe 1500 fsutil.exe 1176 fsutil.exe 5428 fsutil.exe 2300 fsutil.exe 4208 fsutil.exe 6008 fsutil.exe 5632 fsutil.exe 3756 fsutil.exe 4620 fsutil.exe 1324 fsutil.exe 3656 fsutil.exe 2596 fsutil.exe 3428 fsutil.exe 5608 fsutil.exe 5152 fsutil.exe 5564 fsutil.exe 3916 fsutil.exe 840 fsutil.exe 1320 fsutil.exe 1832 fsutil.exe 5820 fsutil.exe 5292 fsutil.exe 5544 fsutil.exe 6084 fsutil.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 0BzMzlmT.exe
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\Parameters\ServiceDll = "C:\\Windows\\SYSTEM32\\w32time.DLL" w32tm.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0BzMzlmT.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0BzMzlmT.exe
resource yara_rule behavioral2/memory/876-1-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-2-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-3-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-5-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-4-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-54-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-144-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-232-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-355-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-456-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-537-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-635-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-704-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-778-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-877-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-961-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-1032-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-1113-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-1174-0x0000000140000000-0x000000014325E000-memory.dmp themida behavioral2/memory/876-1235-0x0000000140000000-0x000000014325E000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0BzMzlmT.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\D: fsutil.exe
File opened (read-only) \??\F: MBR2GPT.EXE
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
File opened (read-only) \??\F: fsutil.exe
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process
File opened for modification \??\PhysicalDrive0 MBR2GPT.EXE
File opened for modification \??\PhysicalDrive0 vds.exe
Drops file in System32 directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\system32\Recovery\ReAgent.xml ReAgentc.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process
876 0BzMzlmT.exe
Boot or Logon Autostart Execution: Time Providers 1 TTPs 33 IoCs
The Windows Time service (W32Time) enables time synchronization across and within domains.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMinutes = "15" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CompatibilityFlags = "2147483648" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\EventLogFlags = "1" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SignatureAuthAllowed = "1" w32tm.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\DllName = "%SystemRoot%\\System32\\vmictimeprovider.dll" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\AllowNonstandardModeCombinations = "1" w32tm.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL" w32tm.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 740069006d0065002e00770069006e0064006f00770073002e0063006f006d002c003700660038006200300035006100000000000000000000000000000000000000000000000000 svchost.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\RequireSecureTimeSyncRequests = "0" w32tm.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 0000 w32tm.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpServer w32tm.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\InputProvider = "1" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\EventLogFlags = "0" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainEntryTimeout = "16" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxEntries = "128" w32tm.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\DllName = "C:\\Windows\\SYSTEM32\\w32time.DLL" w32tm.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\VMICTimeProvider\Parameters w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\CrossSiteSyncFlags = "2" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainDisable = "0" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\ResolvePeerBackoffMaxTimes = "7" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainMaxHostEntries = "4" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\Enabled = "1" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\InputProvider = "0" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\Enabled = "1" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollInterval = "32768" w32tm.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\SpecialPollTimeRemaining = 740069006d0065002e00770069006e0064006f00770073002e0063006f006d002c003700660038006200300035006100000000000000000000000000000000000000000000000000 svchost.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\W32Time\TimeProviders\NtpClient w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpClient\LargeSampleSkew = "3" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\AllowNonstandardModeCombinations = "1" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\ChainLoggingRate = "30" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\VMICTimeProvider\InputProvider = "1" w32tm.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\w32time\TimeProviders\NtpServer\Enabled = "0" w32tm.exe
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\Prefetch\SEARCHAPP.EXE-0651CA85.pf powershell.exe
File opened for modification C:\Windows\Prefetch\TAKEOWN.EXE-A80759AD.pf powershell.exe
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml ReAgentc.exe
File opened for modification C:\Windows\Prefetch\LINQWEBCONFIG.EXE-0FDCD1CB.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-1463E66D.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-32DA767E.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-894C9E34.pf powershell.exe
File opened for modification C:\Windows\Prefetch\ReadyBoot\ReadyBoot.etl powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-0A03C9B5.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-AE5EC6E9.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-D2B15AE2.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-06226CEB.pf powershell.exe
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-C49E779A.pf powershell.exe
File opened for modification C:\Windows\Prefetch\TASKKILL.EXE-8F5B2253.pf powershell.exe
File opened for modification C:\Windows\Prefetch\AgGlFaultHistory.db powershell.exe
File opened for modification C:\Windows\Prefetch\REG.EXE-E7E8BD26.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-C8D69DC6.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-98F22970.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-C4B5739C.pf powershell.exe
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log ReAgentc.exe
File opened for modification C:\Windows\Prefetch\ONEDRIVESETUP.EXE-ADFC0EFD.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-373C0EED.pf powershell.exe
File opened for modification C:\Windows\Prefetch\MICROSOFTEDGEUPDATE.EXE-C4317749.pf powershell.exe
File opened for modification C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf powershell.exe
File opened for modification C:\Windows\Prefetch\WFSERVICESREG.EXE-766D3C5B.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-3ED30A86.pf powershell.exe
File opened for modification C:\Windows\Prefetch\VSSVC.EXE-B8AFC319.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-97BCF638.pf powershell.exe
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-9F4DB6F5.pf powershell.exe
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-FF8EBD82.pf powershell.exe
File opened for modification C:\Windows\Prefetch\POWERSHELL.EXE-920BBA2A.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-7CB48DE8.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-002D6F84.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-C5BE1C43.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-D71F3FEA.pf powershell.exe
File opened for modification C:\Windows\Prefetch\DISM.EXE-DE199F71.pf powershell.exe
File opened for modification C:\Windows\Prefetch\DISMHOST.EXE-711E3AC4.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-7C77C512.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-E8196656.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-005D3145.pf powershell.exe
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-033BBABB.pf powershell.exe
File opened for modification C:\Windows\INF\setupapi.dev.log vds.exe
File opened for modification C:\Windows\Prefetch\HNAORH.EXE-CF16D900.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-61696F68.pf powershell.exe
File opened for modification C:\Windows\Prefetch\DLLHOST.EXE-28A8211F.pf powershell.exe
File opened for modification C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf powershell.exe
File opened for modification C:\Windows\Prefetch\MOUSOCOREWORKER.EXE-681A8FEE.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-7194EF5E.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-FCAF5656.pf powershell.exe
File opened for modification C:\Windows\Prefetch\SETTINGSYNCHOST.EXE-2521C7ED.pf powershell.exe
File opened for modification C:\Windows\Prefetch\ReadyBoot\rblayout.xin powershell.exe
File opened for modification C:\Windows\Prefetch\ReadyBoot\Trace2.fx powershell.exe
File opened for modification C:\Windows\Prefetch\SMCONFIGINSTALLER.EXE-039D5D2E.pf powershell.exe
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml ReAgentc.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-0C84305E.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-8AFD300C.pf powershell.exe
File opened for modification C:\Windows\Prefetch\RUNTIMEBROKER.EXE-94A02D86.pf powershell.exe
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-8102A33C.pf powershell.exe
File opened for modification C:\Windows\Prefetch\ReadyBoot\Trace1.fx powershell.exe
File opened for modification C:\Windows\Prefetch\AgRobust.db powershell.exe
File opened for modification C:\Windows\Prefetch\RUNDLL32.EXE-08AF006C.pf powershell.exe
File opened for modification C:\Windows\Prefetch\STARTMENUEXPERIENCEHOST.EXE-D80E778C.pf powershell.exe
File opened for modification C:\Windows\Prefetch\SVCHOST.EXE-342BD74A.pf powershell.exe
File opened for modification C:\Windows\Prefetch\DLLHOST.EXE-FC981FFE.pf powershell.exe
Hide Artifacts: Ignore Process Interrupts 1 TTPs 64 IoCs
Command interpreters often include specific commands/flags that ignore errors and other hangups.
pid Process 4336 powershell.exe 6052 powershell.exe 1400 powershell.exe 840 powershell.exe 668 powershell.exe 2776 powershell.exe 5196 powershell.exe 2796 powershell.exe 1624 powershell.exe 1036 powershell.exe 2376 powershell.exe 5348 powershell.exe 4260 powershell.exe 2384 powershell.exe 3656 powershell.exe 4812 powershell.exe 1676 powershell.exe 4188 powershell.exe 5004 powershell.exe 1964 powershell.exe 6092 powershell.exe 5596 powershell.exe 4996 powershell.exe 4712 powershell.exe 6104 powershell.exe 1380 powershell.exe 2352 powershell.exe 5264 powershell.exe 5964 powershell.exe 3280 powershell.exe 1868 powershell.exe 2472 powershell.exe 5456 powershell.exe 1240 powershell.exe 1384 powershell.exe 5540 powershell.exe 2228 powershell.exe 4952 powershell.exe 220 powershell.exe 5368 powershell.exe 6012 powershell.exe 6008 powershell.exe 5976 powershell.exe 2088 powershell.exe 1480 powershell.exe 1788 powershell.exe 4604 powershell.exe 556 powershell.exe 5356 powershell.exe 6060 powershell.exe 6044 powershell.exe 4044 powershell.exe 4896 powershell.exe 5968 powershell.exe 6080 powershell.exe 5700 powershell.exe 5192 powershell.exe 5764 powershell.exe 5692 powershell.exe 5760 powershell.exe 5276 powershell.exe 1928 powershell.exe 5680 powershell.exe 4796 powershell.exe -
Launches sc.exe 64 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process 5692 sc.exe 5564 sc.exe 5540 sc.exe 5012 sc.exe 5448 sc.exe 6040 sc.exe 4240 sc.exe 3688 sc.exe 2656 sc.exe 4880 sc.exe 6084 sc.exe 3504 sc.exe 5544 sc.exe 5724 sc.exe 5680 sc.exe 5360 sc.exe 4220 sc.exe 5668 sc.exe 4272 sc.exe 5684 sc.exe 5692 sc.exe 6116 sc.exe 5276 sc.exe 5400 sc.exe 5588 sc.exe 5940 sc.exe 5296 sc.exe 5520 sc.exe 5468 sc.exe 5860 sc.exe 2120 sc.exe 5604 sc.exe 5144 sc.exe 5360 sc.exe 4776 sc.exe 3452 sc.exe 1068 sc.exe 6132 sc.exe 5360 sc.exe 3132 sc.exe 3868 sc.exe 5040 sc.exe 5400 sc.exe 1384 sc.exe 5268 sc.exe 5884 sc.exe 5596 sc.exe 184 sc.exe 6060 sc.exe 5176 sc.exe 4564 sc.exe 1868 sc.exe 4936 sc.exe 2424 sc.exe 5940 sc.exe 712 sc.exe 5040 sc.exe 6076 sc.exe 3424 sc.exe 4412 sc.exe 3452 sc.exe 5752 sc.exe 5572 sc.exe 5388 sc.exe -
pid Process
1320 powershell.exe
1036 powershell.exe
1540 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Time Discovery 1 TTPs 6 IoCs
An adversary may gather the system time and/or time zone settings from a local or remote system.
pid Process
3164 net1.exe
2872 net.exe
4064 net1.exe
5044 net.exe
4692 net1.exe
916 net.exe
Checks SCSI registry key(s) 3 TTPs 25 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ vds.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ vds.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000 vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ vds.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vds.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 vds.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vds.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vds.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vds.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Modifies registry class 1 IoCs
description ioc Process
Key deleted \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\SHELL\MUICACHE 0BzMzlmT.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1628 powershell.exe 1628 powershell.exe 1036 powershell.exe 1036 powershell.exe 1320 powershell.exe 1320 powershell.exe 1540 powershell.exe 1540 powershell.exe 1036 powershell.exe 1320 powershell.exe 1540 powershell.exe 4812 powershell.exe 4812 powershell.exe 4812 powershell.exe 1380 powershell.exe 1380 powershell.exe 1380 powershell.exe 4372 powershell.exe 4372 powershell.exe 4372 powershell.exe 220 powershell.exe 220 powershell.exe 668 powershell.exe 668 powershell.exe 1240 powershell.exe 1240 powershell.exe 1384 powershell.exe 1384 powershell.exe 1036 powershell.exe 1036 powershell.exe 1036 powershell.exe 2352 powershell.exe 2352 powershell.exe 2352 powershell.exe 1516 powershell.exe 1516 powershell.exe 1516 powershell.exe 2376 powershell.exe 2376 powershell.exe 2376 powershell.exe 3852 powershell.exe 3852 powershell.exe 3852 powershell.exe 2480 powershell.exe 2480 powershell.exe 2480 powershell.exe 2776 powershell.exe 2776 powershell.exe 2776 powershell.exe 3608 msedge.exe 3608 msedge.exe 2028 msedge.exe 2028 msedge.exe 5348 powershell.exe 5348 powershell.exe 5348 powershell.exe 5700 powershell.exe 5700 powershell.exe 5700 powershell.exe 6024 powershell.exe 6024 powershell.exe 6024 powershell.exe 5988 identity_helper.exe 5988 identity_helper.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process
2936 vds.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process
2028 msedge.exe
2028 msedge.exe
2028 msedge.exe
2028 msedge.exe
2028 msedge.exe
2028 msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 1628 powershell.exe
Token: SeSystemtimePrivilege 2468 svchost.exe
Token: SeSystemtimePrivilege 2468 svchost.exe
Token: SeIncBasePriorityPrivilege 2468 svchost.exe
Token: SeIncreaseQuotaPrivilege 5012 wmic.exe
Token: SeSecurityPrivilege 5012 wmic.exe
Token: SeTakeOwnershipPrivilege 5012 wmic.exe
Token: SeLoadDriverPrivilege 5012 wmic.exe
Token: SeSystemProfilePrivilege 5012 wmic.exe
Token: SeSystemtimePrivilege 5012 wmic.exe
Token: SeProfSingleProcessPrivilege 5012 wmic.exe
Token: SeIncBasePriorityPrivilege 5012 wmic.exe
Token: SeCreatePagefilePrivilege 5012 wmic.exe
Token: SeBackupPrivilege 5012 wmic.exe
Token: SeRestorePrivilege 5012 wmic.exe
Token: SeShutdownPrivilege 5012 wmic.exe
Token: SeDebugPrivilege 5012 wmic.exe
Token: SeSystemEnvironmentPrivilege 5012 wmic.exe
Token: SeRemoteShutdownPrivilege 5012 wmic.exe
Token: SeUndockPrivilege 5012 wmic.exe
Token: SeManageVolumePrivilege 5012 wmic.exe
Token: 33 5012 wmic.exe
Token: 34 5012 wmic.exe
Token: 35 5012 wmic.exe
Token: 36 5012 wmic.exe
Token: SeDebugPrivilege 1036 powershell.exe
Token: SeDebugPrivilege 1540 powershell.exe
Token: SeDebugPrivilege 1320 powershell.exe
Token: SeIncreaseQuotaPrivilege 5012 wmic.exe
Token: SeSecurityPrivilege 5012 wmic.exe
Token: SeTakeOwnershipPrivilege 5012 wmic.exe
Token: SeLoadDriverPrivilege 5012 wmic.exe
Token: SeSystemProfilePrivilege 5012 wmic.exe
Token: SeSystemtimePrivilege 5012 wmic.exe
Token: SeProfSingleProcessPrivilege 5012 wmic.exe
Token: SeIncBasePriorityPrivilege 5012 wmic.exe
Token: SeCreatePagefilePrivilege 5012 wmic.exe
Token: SeBackupPrivilege 5012 wmic.exe
Token: SeRestorePrivilege 5012 wmic.exe
Token: SeShutdownPrivilege 5012 wmic.exe
Token: SeDebugPrivilege 5012 wmic.exe
Token: SeSystemEnvironmentPrivilege 5012 wmic.exe
Token: SeRemoteShutdownPrivilege 5012 wmic.exe
Token: SeUndockPrivilege 5012 wmic.exe
Token: SeManageVolumePrivilege 5012 wmic.exe
Token: 33 5012 wmic.exe
Token: 34 5012 wmic.exe
Token: 35 5012 wmic.exe
Token: 36 5012 wmic.exe
Token: SeSystemEnvironmentPrivilege 1036 powershell.exe
Token: SeDebugPrivilege 4812 powershell.exe
Token: SeSystemtimePrivilege 2468 svchost.exe
Token: SeDebugPrivilege 1380 powershell.exe
Token: SeDebugPrivilege 4372 powershell.exe
Token: SeDebugPrivilege 220 powershell.exe
Token: SeDebugPrivilege 668 powershell.exe
Token: SeSystemtimePrivilege 3300 svchost.exe
Token: SeSystemtimePrivilege 3300 svchost.exe
Token: SeIncBasePriorityPrivilege 3300 svchost.exe
Token: SeSystemtimePrivilege 3300 svchost.exe
Token: SeDebugPrivilege 1240 powershell.exe
Token: SeDebugPrivilege 1384 powershell.exe
Token: SeDebugPrivilege 1036 powershell.exe
Token: SeTakeOwnershipPrivilege 2040 ReAgentc.exe
Suspicious use of FindShellTrayWindow 25 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 5 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command Remove-Item 'C:\Users\Admin\AppData\Local\Temp\0BzMzlmT.exe.bak' -force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628
-
-
C:\Windows\SYSTEM32\net.exenet stop w32time2⤵
- System Time Discovery
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop w32time3⤵
- System Time Discovery
PID:4692
-
-
-
C:\Windows\SYSTEM32\w32tm.exew32tm /unregister2⤵PID:968
-
-
C:\Windows\SYSTEM32\w32tm.exew32tm /register2⤵
- Server Software Component: Terminal Services DLL
- Boot or Logon Autostart Execution: Time Providers
PID:1452
-
-
C:\Windows\SYSTEM32\net.exenet start w32time2⤵
- System Time Discovery
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 start w32time3⤵
- System Time Discovery
PID:3164
-
-
-
C:\Windows\System32\Wbem\wmic.exewmic cpu get VirtualizationFirmwareEnabled2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "$env:firmware_type"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "confirm-securebootuefi"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -command "Get-WmiObject -Namespace 'Root\CIMv2\Security\MicrosoftTpm' -Class Win32_Tpm"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1320
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:3728
-
-
C:\Windows\SYSTEM32\w32tm.exew32tm /resync /force2⤵PID:3368
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:4936
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵PID:8
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Drops file in Windows directory
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4812
-
-
C:\Windows\SYSTEM32\net.exenet stop w32time2⤵
- System Time Discovery
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop w32time3⤵
- System Time Discovery
PID:4064
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:3916
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:3532
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:840
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵PID:3960
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵PID:1276
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵PID:4628
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
PID:4240
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:3664
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵PID:3992
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
PID:3132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
PID:4604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:668
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:2304
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:1912
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:4620
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
PID:2424
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵PID:1176
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵PID:4940
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵PID:3440
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:4148
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:5040
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
PID:4272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:4296
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:1320
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:1176
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reagentc /enable2⤵PID:2028
-
C:\Windows\system32\ReAgentc.exereagentc /enable3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵PID:3440
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵PID:2376
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵PID:5024
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵PID:4872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c mbr2gpt /convert /allowFullOS2⤵PID:3132
-
C:\Windows\system32\MBR2GPT.EXEmbr2gpt /convert /allowFullOS3⤵
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
PID:2592
-
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:3952
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵PID:1896
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵PID:3872
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2376
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵PID:4812
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:3172
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:2628
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵PID:3532
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵PID:4280
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵PID:2472
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵PID:3872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c pause2⤵PID:116
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:2728
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵PID:1904
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵PID:1912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:2776
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵PID:2028
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵PID:1828
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:1832
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵PID:4804
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:3688
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵PID:5020
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵PID:1572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.diskpart.com/features/convert-mbr-gpt.html2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2028 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd65c046f8,0x7ffd65c04708,0x7ffd65c047183⤵PID:1540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:23⤵PID:3892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2416 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:3608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:83⤵PID:4928
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:13⤵PID:5084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:13⤵PID:3300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:83⤵PID:5792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
PID:5988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:13⤵PID:4336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:13⤵PID:2152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:13⤵PID:1368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,10938484728463421696,128383045628394638,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:13⤵PID:5836
-
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:3440
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:5144
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵
- Launches sc.exe
PID:5268
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:5348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
- Suspicious behavior: EnumeratesProcesses
PID:5700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6024
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:5144
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Enumerates connected drives
PID:5284
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Enumerates connected drives
PID:5448
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵PID:5596
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:5684
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵PID:4572
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
PID:5544
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:744
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵PID:5176
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵PID:6096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵PID:6072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵PID:5448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵PID:5548
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:5820
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:1676
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:5160
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
PID:6076
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵PID:5244
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵PID:5320
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵PID:5552
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:5432
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:5572
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵PID:5576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵PID:5156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
PID:5264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵PID:6080
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:5496
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:6024
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Enumerates connected drives
PID:4748
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵PID:3136
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:5596
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
PID:5692
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵
- Launches sc.exe
PID:5564
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:6080
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵PID:5400
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵PID:5424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵PID:4796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
PID:5368
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
PID:6012
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵PID:5288
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Enumerates connected drives
PID:5144
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:5688
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵
- Launches sc.exe
PID:3868
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵
- Launches sc.exe
PID:5388
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵PID:5632
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵PID:5864
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:640
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵
- Launches sc.exe
PID:184
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵PID:6092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
PID:4336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵PID:5304
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
PID:5356
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:5264
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:640
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Enumerates connected drives
PID:5984
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵PID:6044
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵PID:5128
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵
- Launches sc.exe
PID:5588
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵PID:840
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:5380
-
-
C:\Windows\SYSTEM32\sc.exesc stop "PcaSvc"2⤵PID:5572
-
-
C:\Windows\SYSTEM32\sc.exesc config "PcaSvc" start=disabled2⤵PID:4796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵PID:5240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
PID:6092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue"2⤵
- Hide Artifacts: Ignore Process Interrupts
PID:5760
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d C:2⤵
- Deletes NTFS Change Journal
PID:5428
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d D:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:5412
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil usn deletejournal /d F:2⤵
- Deletes NTFS Change Journal
- Enumerates connected drives
PID:5608
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SysMain"2⤵PID:5568
-
-
C:\Windows\SYSTEM32\sc.exesc config "SysMain" start=disabled2⤵PID:6116
-
-
C:\Windows\SYSTEM32\sc.exesc stop "SuperFetch"2⤵PID:2152
-
-
C:\Windows\SYSTEM32\sc.exesc config "SuperFetch" start=disabled2⤵PID:6080
-
-
C:\Windows\SYSTEM32\fsutil.exefsutil behavior set disablelastaccess 12⤵PID:5496
-
-
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 2300
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5540
- Launches sc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5596
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5196
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 6060
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 4120
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 5496
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5688
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 5360
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 4948
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5468
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5296
- Launches sc.exe
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 3440
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 6044
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5724
- Launches sc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 6008
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5540
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5276
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 4692
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 5692
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 1292
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 5752
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 6060
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5680
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5520
- Launches sc.exe
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 5688
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5360
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 6128
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 2728
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1084
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4260
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 1448
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 6008
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5352
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 5780
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 5940
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5712
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5176
- Launches sc.exe
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 4996
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5296
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5468
- Launches sc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 6052
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 6044
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5724
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 5152
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 5996
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5780
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 5948
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 4948
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 4508
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 1724
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 5684
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 1068
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5696
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4680
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5384
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 2228
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 2300
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 5564
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5352
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 1944
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 5884
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 4948
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5852
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 4876
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 3812
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 624
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4044
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 2796
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4952
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 5188
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 4216
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5864
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 6080
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 5012
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 1892
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5940
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 5824
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5888
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 628
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1964
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4996
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5276
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 4220
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 5348
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 6060
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 4924
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 5692
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 6116
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5768
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 1996
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5040
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 2372
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 412
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5976
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 2088
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 5660
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 6128
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5416
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 3424
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 2656
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5276
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 4220
- Launches sc.exe
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 5356
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5448
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5260
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1676
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5964
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1892
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 5292
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 5976
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 1324
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 5476
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 5400
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5544
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 6040
- Launches sc.exe
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 1036
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 6124
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5248
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4896
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1480
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5968
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 3656
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 5632
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5544
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 1384
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 5844
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5140
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 2120
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 5656
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5352
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5860
- Launches sc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4188
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5004
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 2384
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 6084
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 536
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 3504
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 3740
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 5020
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5252
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 6028
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 5276
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5388
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 3996
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 2472
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5964
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1928
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 1500
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 3168
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 4520
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 4876
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 6084
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 536
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5368
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 4228
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 2120
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5328
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 6080
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 3780
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1400
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 872
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 3136
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 4208
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 5576
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 1904
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5976
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5400
- Launches sc.exe
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 6024
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 3280
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 3504
- Launches sc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 3908
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5692
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5680
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 5700
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 5768
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 4896
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 2988
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 6132
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5360
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5884
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 4948
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 1904
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 3168
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 3656
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 3280
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1868
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 5580
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 640
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5604
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 6088
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 2656
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5668
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 3284
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 1648
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5860
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 4412
- Launches sc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 3812
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1788
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4712
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 3932
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 556
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 400
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 5164
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 4952
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 3452
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 3084
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 5680
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5392
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5436
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 840
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5192
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4796
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 4260
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 4200
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 2596
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 3504
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 3340
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 1036
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 4180
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 5440
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5604
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 3928
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4416
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 2472
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1648
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 1552
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 3428
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5976
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 1384
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 4776
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5744
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5316
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 4544
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 1996
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 1732
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 2304
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 1624
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 6104
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 5212
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 6008
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 712
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 4880
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 412
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 2940
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 1928
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 1904
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 2092
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 4572
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5764
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 556
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 3584
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 1356
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 1932
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 4240
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 4564
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 5940
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 3452
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 5040
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 5676
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 712
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "PcaSvc" start=disabled | level 2 | PID 5360
- Launches sc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'C:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4188
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'D:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 4772
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Remove-Item 'F:\Windows\Prefetch\*' -force -recurse -ErrorAction SilentlyContinue" | level 2 | PID 5456
- Hide Artifacts: Ignore Process Interrupts
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d C: | level 2 | PID 3756
- Deletes NTFS Change Journal
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d D: | level 2 | PID 4712
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\fsutil.exe | fsutil usn deletejournal /d F: | level 2 | PID 5764
- Deletes NTFS Change Journal
- Enumerates connected drives
C:\Windows\SYSTEM32\sc.exe | sc stop "SysMain" | level 2 | PID 1972
C:\Windows\SYSTEM32\sc.exe | sc config "SysMain" start=disabled | level 2 | PID 1868
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc stop "SuperFetch" | level 2 | PID 5752
- Launches sc.exe
C:\Windows\SYSTEM32\sc.exe | sc config "SuperFetch" start=disabled | level 2 | PID 4488
C:\Windows\SYSTEM32\fsutil.exe | fsutil behavior set disablelastaccess 1 | level 2 | PID 3336
C:\Windows\SYSTEM32\sc.exe | sc stop "PcaSvc" | level 2 | PID 5692
- Launches sc.exe
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s w32time | level 1 | PID 2468
- Boot or Logon Autostart Execution: Time Providers
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -s w32time | level 1 | PID 3300
- Boot or Logon Autostart Execution: Time Providers
- Suspicious use of AdjustPrivilegeToken
C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding | level 1 | PID 3468
C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | level 1 | PID 2936
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: LoadsDriver
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | level 1 | PID 2472
C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding | level 1 | PID 5212
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (1)
  - Service Execution (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Time Providers (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Server Software Component (1)
  - Terminal Services DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Time Providers (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Hide Artifacts (1)
  - Ignore Process Interrupts (1)
- Impair Defenses (1)
- Indicator Removal (1)
  - File Deletion (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (1)
Downloads